Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RvC3HdKbs2.exe

Overview

General Information

Sample Name:RvC3HdKbs2.exe
Analysis ID:724055
MD5:5af168c69f8a1724c43e2d9da5aa6a46
SHA1:4ad5f4fd58840e8a500c0ba60fe3d4b0765dfe96
SHA256:b3eba1fcd0633a5ba27ba2715ad1e38943c2bf5e6e4182298a3bf39492f8eca4
Tags:Arechclient2exe
Infos:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
.NET source code contains very large array initializations
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Machine Learning detection for sample
Potential dropper URLs found in powershell memory
.NET source code contains potential unpacker
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Binary contains a suspicious time stamp
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • RvC3HdKbs2.exe (PID: 792 cmdline: C:\Users\user\Desktop\RvC3HdKbs2.exe MD5: 5AF168C69F8A1724C43E2D9DA5AA6A46)
    • powershell.exe (PID: 496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.544247967.0000000005290000.00000004.08000000.00040000.00000000.sdmpMALWARE_Win_zgRATDetects zgRATditekSHen
  • 0x1a4844:$s1: file:///
  • 0x1a4754:$s2: {11111-22222-10009-11112}
  • 0x1a47d4:$s3: {11111-22222-50001-00000}
  • 0x19d6c3:$s4: get_Module
  • 0x193023:$s5: Reverse
  • 0x1a2fba:$s6: BlockCopy
  • 0x1a4115:$s7: ReadByte
  • 0x1a4856:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Unpacked PEs

SourceRuleDescriptionAuthorStrings
0.2.RvC3HdKbs2.exe.5290000.3.raw.unpackMALWARE_Win_zgRATDetects zgRATditekSHen
  • 0x1a4844:$s1: file:///
  • 0x1a4754:$s2: {11111-22222-10009-11112}
  • 0x1a47d4:$s3: {11111-22222-50001-00000}
  • 0x19d6c3:$s4: get_Module
  • 0x193023:$s5: Reverse
  • 0x1a2fba:$s6: BlockCopy
  • 0x1a4115:$s7: ReadByte
  • 0x1a4856:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.RvC3HdKbs2.exe.5290000.3.unpackMALWARE_Win_zgRATDetects zgRATditekSHen
  • 0x1a2a44:$s1: file:///
  • 0x1a2954:$s2: {11111-22222-10009-11112}
  • 0x1a29d4:$s3: {11111-22222-50001-00000}
  • 0x19b8c3:$s4: get_Module
  • 0x191223:$s5: Reverse
  • 0x1a11ba:$s6: BlockCopy
  • 0x1a2315:$s7: ReadByte
  • 0x1a2a56:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.RvC3HdKbs2.exe.3c0e760.2.unpackMALWARE_Win_zgRATDetects zgRATditekSHen
  • 0x1a2a44:$s1: file:///
  • 0x1a2954:$s2: {11111-22222-10009-11112}
  • 0x1a29d4:$s3: {11111-22222-50001-00000}
  • 0x19b8c3:$s4: get_Module
  • 0x191223:$s5: Reverse
  • 0x1a11ba:$s6: BlockCopy
  • 0x1a2315:$s7: ReadByte
  • 0x1a2a56:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.RvC3HdKbs2.exe.3e33590.0.unpackMALWARE_Win_zgRATDetects zgRATditekSHen
  • 0x1a2a44:$s1: file:///
  • 0x1a2954:$s2: {11111-22222-10009-11112}
  • 0x1a29d4:$s3: {11111-22222-50001-00000}
  • 0x19b8c3:$s4: get_Module
  • 0x191223:$s5: Reverse
  • 0x1a11ba:$s6: BlockCopy
  • 0x1a2315:$s7: ReadByte
  • 0x1a2a56:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.RvC3HdKbs2.exe.40583b0.1.raw.unpackMALWARE_Win_zgRATDetects zgRATditekSHen
  • 0x1a4844:$s1: file:///
  • 0x1a4754:$s2: {11111-22222-10009-11112}
  • 0x1a47d4:$s3: {11111-22222-50001-00000}
  • 0x19d6c3:$s4: get_Module
  • 0x193023:$s5: Reverse
  • 0x1a2fba:$s6: BlockCopy
  • 0x1a4115:$s7: ReadByte
  • 0x1a4856:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 3 entries

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: RvC3HdKbs2.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: RvC3HdKbs2.exeReversingLabs: Detection: 80%
Source: RvC3HdKbs2.exeVirustotal: Detection: 60%Perma Link
Machine Learning detection for sample
Source: RvC3HdKbs2.exeJoe Sandbox ML: detected
Source: RvC3HdKbs2.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RvC3HdKbs2.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

barindex
Potential dropper URLs found in powershell memory
Source: powershell.exe, 0000000F.00000002.522891272.00000000049F9000.00000004.00000800.00020000.00000000.sdmpString found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 0000000F.00000002.513035326.0000000002945000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 0000000F.00000002.522891272.00000000049F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: RvC3HdKbs2.exe, 00000000.00000002.521304873.0000000002C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.517132952.0000000004751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.522891272.00000000049F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: RvC3HdKbs2.exe, 00000000.00000002.517264506.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
Source: RvC3HdKbs2.exe, 00000000.00000002.521355552.00000000039E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: RvC3HdKbs2.exe, 00000000.00000002.521355552.00000000039E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.RvC3HdKbs2.exe.5290000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.5290000.3.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.3c0e760.2.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.3e33590.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.40583b0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.40583b0.1.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.3e33590.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.3c0e760.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.544247967.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects zgRAT Author: ditekSHen
.NET source code contains very large array initializations
Source: RvC3HdKbs2.exe, WindowsFormsApp66/Hire.csLarge array initialization: Sir: array initializer size 2248208
Source: RvC3HdKbs2.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.RvC3HdKbs2.exe.5290000.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.5290000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.3c0e760.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.3e33590.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.40583b0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.40583b0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.3e33590.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.3c0e760.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.544247967.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: RvC3HdKbs2.exe, 00000000.00000002.521355552.00000000039E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLyqmdlybyfyapgilka.dll" vs RvC3HdKbs2.exe
Source: RvC3HdKbs2.exeBinary or memory string: OriginalFilenameEpzzaOnE.exe" vs RvC3HdKbs2.exe
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeCode function: 0_2_0293AA800_2_0293AA80
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeCode function: 0_2_04EF79900_2_04EF7990
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeCode function: 0_2_04EF3FA00_2_04EF3FA0
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeCode function: 0_2_04EF3FB00_2_04EF3FB0
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeCode function: 0_2_04EF79310_2_04EF7931
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeCode function: 0_2_04EF3B1D0_2_04EF3B1D
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeCode function: 0_2_04EF3B180_2_04EF3B18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07C10AAB15_2_07C10AAB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07C10AB015_2_07C10AB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CAE30815_2_07CAE308
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CAF10015_2_07CAF100
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CA409015_2_07CA4090
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CAC96015_2_07CAC960
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07D1878815_2_07D18788
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07D1076815_2_07D10768
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07D1962015_2_07D19620
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07D1462815_2_07D14628
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_02BE6AB815_2_02BE6AB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_02BE6AAA15_2_02BE6AAA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_02BEAE7815_2_02BEAE78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_02BEAE6815_2_02BEAE68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07C1BE1915_2_07C1BE19
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CB004015_2_07CB0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CB002315_2_07CB0023
Source: RvC3HdKbs2.exeReversingLabs: Detection: 80%
Source: RvC3HdKbs2.exeVirustotal: Detection: 60%
Source: RvC3HdKbs2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: RvC3HdKbs2.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\RvC3HdKbs2.exe C:\Users\user\Desktop\RvC3HdKbs2.exe
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==Jump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==Jump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1vwlvyp.1s2.ps1Jump to behavior
Source: classification engineClassification label: mal88.troj.evad.winEXE@7/6@0/0
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: RvC3HdKbs2.exeStatic file information: File size 2290176 > 1048576
Source: RvC3HdKbs2.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: RvC3HdKbs2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RvC3HdKbs2.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x226000
Source: RvC3HdKbs2.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: RvC3HdKbs2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

barindex
.NET source code contains potential unpacker
Source: RvC3HdKbs2.exe, WindowsFormsApp66/Air.cs.Net Code: OnBuffer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeCode function: 0_2_04EF6DEC push eax; ret 0_2_04EF6DED
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeCode function: 0_2_04EF5699 push B80A4288h; iretd 0_2_04EF56B0
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeCode function: 0_2_050210E6 push ebp; iretd 0_2_050210E7
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeCode function: 0_2_050214E8 push ebx; retf 0_2_050214E9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07C1370B push eax; iretd 15_2_07C13711
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07C1369B push es; ret 15_2_07C136A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07C13653 pushfd ; iretd 15_2_07C13659
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07C1359B pushad ; iretd 15_2_07C135A1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07C1AAE0 push es; ret 15_2_07C1AAF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CA5F44 push esp; ret 15_2_07CA5F69
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CA6F35 push FFFFFF8Bh; iretd 15_2_07CA6F3A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CA7E63 pushfd ; ret 15_2_07CA7E79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CA6CE1 push FFFFFF8Bh; iretd 15_2_07CA6CE6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CA48EF push es; ret 15_2_07CA4900
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CBC100 push eax; mov dword ptr [esp], edx15_2_07CBC2FC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CB76C0 push es; ret 15_2_07CB76D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CBC2E8 push eax; mov dword ptr [esp], edx15_2_07CBC2FC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CB8EC0 push es; ret 15_2_07CB8ED0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07CB8CE1 push es; ret 15_2_07CB8CF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_07D11FD0 push es; ret 15_2_07D11FE0
Source: RvC3HdKbs2.exeStatic PE information: 0xBA632941 [Sat Feb 2 20:00:01 2069 UTC]
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RvC3HdKbs2.exe, 00000000.00000002.517264506.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
Source: RvC3HdKbs2.exe, 00000000.00000002.517264506.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL1SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9473Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7822Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3780Thread sleep time: -9223372036854770s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2400Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 0000000F.00000002.520148360.000000000488B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen-Infinity
Source: RvC3HdKbs2.exe, 00000000.00000002.517264506.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
Source: RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Encrypted powershell cmdline option found
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess created: Base64 decoded Start-Sleep -Seconds 50
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess created: Base64 decoded Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\'
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess created: Base64 decoded Start-Sleep -Seconds 50Jump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess created: Base64 decoded Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\'Jump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==Jump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==Jump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeQueries volume information: C:\Users\user\Desktop\RvC3HdKbs2.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1
PowerShell		Path Interception11
Process Injection		1
Masquerading		OS Credential Dumping11
Security Software Discovery		Remote Services1
Archive Collected Data		Exfiltration Over Other Network Medium1
Encrypted Channel		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Disable or Modify Tools		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
Virtualization/Sandbox Evasion		Security Account Manager21
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
Process Injection		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
Deobfuscate/Decode Files or Information		LSA Secrets1
File and Directory Discovery		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.common1
Obfuscated Files or Information		Cached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup Items1
Software Packing		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
Timestomp		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 724055 Sample: RvC3HdKbs2.exe Startdate: 17/10/2022 Architecture: WINDOWS Score: 88 18 Malicious sample detected (through community Yara rule) 2->18 20 Antivirus / Scanner detection for submitted sample 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 5 other signatures 2->24 7 RvC3HdKbs2.exe 3 2->7         started        process3 signatures4 26 Encrypted powershell cmdline option found 7->26 10 powershell.exe 19 7->10         started        12 powershell.exe 16 7->12         started        process5 process6 14 conhost.exe 10->14         started        16 conhost.exe 12->16         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
RvC3HdKbs2.exe81%ReversingLabsByteCode-MSIL.Downloader.RedLineStealer
RvC3HdKbs2.exe61%VirustotalBrowse
RvC3HdKbs2.exe100%AviraHEUR/AGEN.1246866
RvC3HdKbs2.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

SourceDetectionScannerLabelLinkDownload
0.0.RvC3HdKbs2.exe.300000.0.unpack100%AviraHEUR/AGEN.1246866Download File

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://james.newtonking.com/projects/json0%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://www.nuget.org/packages/Newtonsoft.Json.BsonRvC3HdKbs2.exe, 00000000.00000002.521355552.00000000039E1000.00000004.00000800.00020000.00000000.sdmpfalse
    		high
    https://api.telegram.org/botRvC3HdKbs2.exe, 00000000.00000002.517264506.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 0000000F.00000002.522891272.00000000049F9000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRvC3HdKbs2.exe, 00000000.00000002.521304873.0000000002C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.517132952.0000000004751000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://james.newtonking.com/projects/jsonRvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://schemas.xmlsoap.org/wsdl/powershell.exe, 0000000F.00000002.522891272.00000000049F9000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://www.newtonsoft.com/jsonschemaRvC3HdKbs2.exe, 00000000.00000002.521355552.00000000039E1000.00000004.00000800.00020000.00000000.sdmpfalse
              		high

              World Map of Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox Version:36.0.0 Rainbow Opal
              Analysis ID:724055
              Start date and time:2022-10-17 02:26:07 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 7m 54s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:RvC3HdKbs2.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:24
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal88.troj.evad.winEXE@7/6@0/0
              EGA Information:
              • Successful, ratio: 50%
              HDC Information:Failed
              HCA Information:
              • Successful, ratio: 97%
              • Number of executed functions: 158
              • Number of non-executed functions: 5
              Cookbook Comments:
              • Found application associated with file extension: .exe

              Warnings

              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 20.190.159.23, 20.190.159.64, 40.126.31.73, 40.126.31.71, 20.190.159.71, 40.126.31.67, 20.190.159.68, 20.190.159.4, 20.42.65.92, 20.82.228.9, 20.82.154.241
              • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, www.tm.a.prd.aadg.akadns.net, arc.msn.com, login.msa.msidentity.com, neus1c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com, ris.api.iris.microsoft.com, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, prda.aadg.msidentity.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, neus2c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
              • Execution Graph export aborted for target powershell.exe, PID 5672 because it is empty
              • Not all processes where analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

              TimeTypeDescription
              02:27:05API Interceptor99x Sleep call for process: powershell.exe modified
              02:29:28AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Xtvuh "C:\Users\user\AppData\Roaming\Hritsd\Xtvuh.exe"

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASNs

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):5829
              Entropy (8bit):4.8968676994158
              Encrypted:false
              SSDEEP:96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
              MD5:36DE9155D6C265A1DE62A448F3B5B66E
              SHA1:02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
              SHA-256:8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
              SHA-512:C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
              Malicious:false
              Reputation:high, very likely benign file
              Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):16452
              Entropy (8bit):5.554670343313662
              Encrypted:false
              SSDEEP:384:jte/Rq0tnDZ3+SxGYSjnmu9FiJ9g6SJ3uzp1cYv:QDoSwYomu9p6cutv
              MD5:4F1D7FC3207E9579199A65B8F9FEAA63
              SHA1:35CCB7975485DA18CF7D534EA1890B25C4133B2B
              SHA-256:21F290E610E139965F3F1E81160405EB39EA48556365E321D87B31EB4586780D
              SHA-512:AA5B2963BF425279D13DAB340FC52A86607BA9EB87633DFF05C9A0D6B8AA9379DEF177FCCC6ED9DC0841676A49B3B4CEB04E1AA40CDB8CCAEA94D269982241C9
              Malicious:false
              Reputation:low
              Preview:@...e.......................#...G...:.n..............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1so3dngn.lq3.psm1

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:high, very likely benign file
              Preview:1

              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b1uz1jtf.y13.psm1

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:high, very likely benign file
              Preview:1

              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ezjfoak3.wze.ps1

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview:1

              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1vwlvyp.1s2.ps1

              Download File
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview:1

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.994353588943491
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              • Win32 Executable (generic) a (10002005/4) 49.78%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Generic Win/DOS Executable (2004/3) 0.01%
              • DOS Executable Generic (2002/1) 0.01%
              File name:RvC3HdKbs2.exe
              File size:2290176
              MD5:5af168c69f8a1724c43e2d9da5aa6a46
              SHA1:4ad5f4fd58840e8a500c0ba60fe3d4b0765dfe96
              SHA256:b3eba1fcd0633a5ba27ba2715ad1e38943c2bf5e6e4182298a3bf39492f8eca4
              SHA512:ba8f9cafe64c603b48ae504bc602db9827978e5d12b2d0a7ba75844d431113c567182bd2f114b4be8d96348b5845ab7b73d764448aa67b2e1a86a424d50e78a5
              SSDEEP:49152:fqtZFHW20mQB2o/jeu6y515peidernF2CqWssW5:fqbFLFDo16y5zpeuVtWssW5
              TLSH:86B533D4DB80C950E6DDC774C4AC870A2DD0FC59BA6908E8014AF1FFEAFC4675A9AC61
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A)c...............0..`".........:1... ...."...@.. .......................@#...........`................................

              File Icon

              Icon Hash:9ea2d4d8caa6f000

              Static PE Info

              General

              Entrypoint:0x40313a
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0xBA632941 [Sat Feb 2 20:00:01 2069 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Entrypoint Preview

              Instruction
              jmp dword ptr [00402000h]
              add dword ptr [edx], eax
              add eax, dword ptr [18080706h+eax]
              mov esp, BA17C966h
              stosd
              in eax, dx
              pop ss
              cwde
              jnp 00007F38F0B4B2A2h
              jno 00007F38F0B4B216h
              jmp 00007F393EBA69F8h
              push es
              jnl 00007F38F0B4B2CAh
              lodsb
              push es
              jno 00007F38F0B4B2E4h
              push 04BDBD9Ch
              cdq
              or ecx, dword ptr [esi+41h]
              mov al, dh
              or ch, byte ptr [ebx]
              sahf
              popfd
              sbb al, 07h
              movsb
              retf
              mov al, BCh
              ffree st(4)
              add al, 5Ah
              adc dword ptr [ebp+03h], ebp
              clc
              lodsb
              mov ebx, 590DC593h
              mov bl, E7h
              mov word ptr [ebx+1B4AC724h], fs
              call eax
              adc ah, byte ptr [esi+04h]
              int 86h
              cld
              or ch, al
              jmp 00007F38F0B4B266h
              wait
              cmp byte ptr [ecx], ah
              pushfd
              sbb byte ptr [eax+ebx*8], dl
              insd
              and byte ptr [edi+ecx*8-3BAB4C00h], ch
              pushfd
              jns 00007F38F0B4B24Eh
              in al, dx
              je 00007F38F0B4B208h
              ror dword ptr [edx], 34h
              loope 00007F38F0B4B281h
              sbb eax, AFDB29FFh
              cmp eax, 644A9252h
              mov ebx, dword ptr [eax]
              mov ah, B5h
              pop ecx
              clc
              fcom qword ptr [esi-79948738h]
              test eax, A0BCBCE5h
              jo 00007F38F0B4B2D1h
              inc edx
              jnc 00007F38F0B4B285h
              inc ebx
              sbb byte ptr [eax+58124E72h], ah
              xchg eax, edi
              xchg eax, esp
              adc esp, edi
              loope 00007F38F0B4B2E4h
              in eax, dx
              xchg eax, ebp
              dec ebp
              imul ecx, dword ptr [esi-48h], 67D4068Ch
              inc edx
              fstp dword ptr [esi]
              fimul word ptr [edi-0D7B15FEh]
              nop
              inc edi
              lss eax, dword ptr [ecx+6CE98518h]

              Data Directories

              NameVirtual AddressVirtual Size Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IMPORT0x30e80x4f.text
              IMAGE_DIRECTORY_ENTRY_RESOURCE0x2280000x8da0.rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC0x2320000xc.reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG0x30cc0x1c.text
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

              Sections

              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
              .text0x20000x225f580x226000unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rsrc0x2280000x8da00x8e00False0.3467209507042254data5.43369944036272IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc0x2320000xc0x200False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

              Resources

              NameRVASizeTypeLanguageCountry
              RT_ICON0x2281800x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896
              RT_ICON0x22c3b80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600
              RT_ICON0x22e9700x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224
              RT_ICON0x22fa280x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400
              RT_ICON0x2303c00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088
              RT_GROUP_ICON0x2308380x4cdata
              RT_VERSION0x2308940x30adata
              RT_MANIFEST0x230bb00x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

              Imports

              DLLImport
              mscoree.dll_CorExeMain

              Network Behavior

              No network behavior found

              Statistics

              CPU Usage

              Click to jump to process

              Memory Usage

              Click to jump to process

              High Level Behavior Distribution

              Click to dive into process behavior distribution

              Behavior

              Click to jump to process

              System Behavior

              General

              Target ID:0
              Start time:02:26:57
              Start date:17/10/2022
              Path:C:\Users\user\Desktop\RvC3HdKbs2.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\RvC3HdKbs2.exe
              Imagebase:0x300000
              File size:2290176 bytes
              MD5 hash:5AF168C69F8A1724C43E2D9DA5AA6A46
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.544247967.0000000005290000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
              Reputation:low

              General

              Target ID:1
              Start time:02:27:03
              Start date:17/10/2022
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
              Imagebase:0xe0000
              File size:430592 bytes
              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              General

              Target ID:2
              Start time:02:27:03
              Start date:17/10/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Target ID:15
              Start time:02:27:56
              Start date:17/10/2022
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
              Imagebase:0xe0000
              File size:430592 bytes
              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              General

              Target ID:16
              Start time:02:27:56
              Start date:17/10/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Disassembly

              Reset < >