ID: 231166
Sample Name: Reset-WindowsUpdate.ps1
Cookbook: default.jbs
Time: 19:45:59
Date: 18/05/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report Reset-WindowsUpdate.ps1 5
  Overview 5
    General Information 5
    Detection 5
    Confidence 6
    Classification Spiderchart 6
    Analysis Advice 7
    Mitre Att&ck Matrix 7
    Signature Overview 8
      Networking: 8
      DDoS: 8
      System Summary: 8
      Data Obfuscation: 9
      Hooking and other Techniques for Hiding and Protection: 9
      Malware Analysis System Evasion: 9
      Anti Debugging: 9
      HIPS / PFW / Protection Evasion: 9
      Language, Device and Operating System Detection: 9
  Malware Configuration 9
  Behavior Graph 9
  Simulations 10
    Behavior and APIs 10
  Antivirus, Machine Learning and Genetic Malware Detection 10
    Initial Sample 10
    Dropped Files 10
    Unpacked PE Files 10
    Domains 10
    URLs 11
  Yara Overview 11
    Initial Sample 11
    PCAP (Network Traffic) 11
    Dropped Files 11
    Memory Dumps 11
    Unpacked PEs 11
  Sigma Overview 11
    System Summary: 11
  Joe Sandbox View / Context 11
    IPs 11
    Domains 11
    ASN 11
    JA3 Fingerprints 11
    Dropped Files 11
  Screenshots 12
    Thumbnails 12
  Startup 12
  Created / dropped Files 13
  Domains and IPs 15
    Contacted Domains 15
    URLs from Memory and Binaries 15
    Contacted IPs 15
  Static File Info 15
    General 15
    File Icon 16
  Network Behavior 16
  Code Manipulations 16
  Statistics 16
  Behavior 16
  System Behavior 17
    Analysis Process: powershell.exe PID: 5172 Parent PID: 5340 17
      General 17
      File Activities 17
        File Created 17
        File Deleted 19
        File Moved 19
        File Written 19
        File Read 23
    Analysis Process: conhost.exe PID: 5156 Parent PID: 5172 27
      General 27
    Analysis Process: regsvr32.exe PID: 624 Parent PID: 5172 27
      General 27
    Analysis Process: regsvr32.exe PID: 3576 Parent PID: 5172 28
      General 28
      Registry Activities 28
    Analysis Process: regsvr32.exe PID: 2436 Parent PID: 5172 28
      General 28
    Analysis Process: regsvr32.exe PID: 3720 Parent PID: 5172 28
      General 28
    Analysis Process: regsvr32.exe PID: 3812 Parent PID: 5172 29
      General 29
    Analysis Process: regsvr32.exe PID: 2788 Parent PID: 5172 29
      General 29
      Registry Activities 29
    Analysis Process: regsvr32.exe PID: 612 Parent PID: 5172 29
      General 29
    Analysis Process: regsvr32.exe PID: 4996 Parent PID: 5172 30
      General 30
      File Activities 30
      Registry Activities 30
        Key Created 30
        Key Value Created 30
        Key Value Modified 30
    Analysis Process: regsvr32.exe PID: 3012 Parent PID: 5172 31
      General 31
    Analysis Process: regsvr32.exe PID: 1536 Parent PID: 5172 31
      General 31
    Analysis Process: regsvr32.exe PID: 4136 Parent PID: 5172 31
      General 31
    Analysis Process: regsvr32.exe PID: 5532 Parent PID: 5172 31
      General 32
      Registry Activities 32
    Analysis Process: regsvr32.exe PID: 5524 Parent PID: 5172 32
      General 32
    Analysis Process: regsvr32.exe PID: 5508 Parent PID: 5172 32
      General 32
    Analysis Process: regsvr32.exe PID: 5512 Parent PID: 5172 32
      General 33
      File Activities 33
    Analysis Process: regsvr32.exe PID: 5568 Parent PID: 5172 33
      General 33
      File Activities 33
    Analysis Process: regsvr32.exe PID: 5564 Parent PID: 5172 33
      General 33
    Analysis Process: regsvr32.exe PID: 5544 Parent PID: 5172 33
      General 34
    Analysis Process: regsvr32.exe PID: 5648 Parent PID: 5172 34
      General 34
    Analysis Process: regsvr32.exe PID: 5664 Parent PID: 5172 34
      General 34
    Analysis Process: regsvr32.exe PID: 5660 Parent PID: 5172 34
      General 34
    Analysis Process: regsvr32.exe PID: 5608 Parent PID: 5172 35
      General 35
    Analysis Process: regsvr32.exe PID: 5584 Parent PID: 5172 35
      General 35
    Analysis Process: regsvr32.exe PID: 5708 Parent PID: 5172 35
      General 35
    Analysis Process: regsvr32.exe PID: 5600 Parent PID: 5172 35
      General 35
    Analysis Process: regsvr32.exe PID: 5716 Parent PID: 5172 36
      General 36
    Analysis Process: regsvr32.exe PID: 5832 Parent PID: 5172 36
      General 36
    Analysis Process: regsvr32.exe PID: 5972 Parent PID: 5172 36
      General 36
    Analysis Process: regsvr32.exe PID: 5700 Parent PID: 5172 36
      General 36
    Analysis Process: regsvr32.exe PID: 5688 Parent PID: 5172 37
      General 37
    Analysis Process: regsvr32.exe PID: 5668 Parent PID: 5172 37
      General 37
    Analysis Process: regsvr32.exe PID: 5992 Parent PID: 5172 37
      General 37
    Analysis Process: regsvr32.exe PID: 6016 Parent PID: 5172 37
      General 38
    Analysis Process: regsvr32.exe PID: 5052 Parent PID: 5172 38
      General 38
    Analysis Process: regsvr32.exe PID: 5828 Parent PID: 5172 38
      General 38
    Analysis Process: regsvr32.exe PID: 5812 Parent PID: 5172 38
      General 38
    Analysis Process: reg.exe PID: 5820 Parent PID: 5172 39
      General 39
  Disassembly 39
    Code Analysis 39

Copyright Joe Security LLC 2020

Analysis Report Reset-WindowsUpdate.ps1

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 231166
Start date: 18.05.2020
Start time: 19:45:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 33s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Reset-WindowsUpdate.ps1
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason:
Detection: SUS
Classification: sus28.winPS1@82/7@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Found application associated with file extension: .ps1
  Stop behavior analysis, all processes terminated

Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe
  Report size exceeded maximum capacity and may have missing behavior information.
  Report size getting too big, too many NtCreateKey calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtQueryAttributesFile calls found.
  Report size getting too big, too many NtQueryValueKey calls found.
  Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 28 | 0 - 100 | false

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 3 | 0 - 5 | true

Classification Spiderchart

[Classification spiderchart; axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale legend: malicious, suspicious, clean]

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal behavior

Mitre Att&ck Matrix

Tactic | Techniques (grid cells in report order; a trailing number marks a matched signature count)
Initial Access | Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution | Windows Management Instrumentation 1 1; Regsvr32 1; Windows Remote Management; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence | Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation | Process Injection 1 1; Accessibility Features; Path Interception; DLL Search Order Hijacking; Permissions Weakness; New Service; Scheduled Task
Defense Evasion | Masquerading 1 1; Modify Registry 1; Virtualization/Sandbox Evasion 4; Process Injection 1 1; Regsvr32 1; File Deletion 1; DLL Side-Loading 1
Credential Access | Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery | Virtualization/Sandbox Evasion 4; Process Discovery 1; Application Window Discovery 1; Security Software Discovery 1 1; File and Directory Discovery 1; System Information Discovery 1 2; Network Sniffing
Lateral Movement | Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection | Email Collection 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration | Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control | Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port

Signature Overview


Networking:

Found strings which match to known social media urls

Urls found in memory or binary data

DDoS:

Too many similar processes found

System Summary:

Creates files inside the system directory

Deletes files inside the Windows folder

Searches for the Outlook file path

Tries to load missing DLLs

Uses reg.exe to modify the Windows registry


Creates files inside the user directory

Creates mutexes

Creates temporary files

Parts of this application are using the .Net runtime (probably coded in C#)

Queries process information (via WMI, Win32_Process)

Reads ini files

Reads software policies

Spawns processes

Uses Microsoft Silverlight

Data Obfuscation:

Registers a DLL

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Queries a list of all running processes

Anti Debugging:

Enables privileges

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph; ID: 231166; Sample: Reset-WindowsUpdate.ps1; Startdate: 18/05/2020; Architecture: WINDOWS; Score: 28. Sigma detected: Regsvr32 Anomaly. Nodes: powershell.exe started regsvr32.exe (three instances shown) and 35 other processes. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]

Simulations

Behavior and APIs

Time | Type | Description
19:46:25 | API Interceptor | 62x Sleep call for process: powershell.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Reset-WindowsUpdate.ps1 | 2% | Virustotal |
Reset-WindowsUpdate.ps1 | 0% | Metadefender |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
www.geekyryan.com | 0% | Virustotal |
www.geekyryan.com | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64

powershell.exe (PID: 5172, cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\Reset-WindowsUpdate.ps1', MD5: 95000560239032BC68B4C2FDFCDEF913)
  conhost.exe (PID: 5156, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  regsvr32.exe, 36 instances, each with cmdline 'C:\Windows\system32\regsvr32.exe' /s <dll> and MD5: D78B75FC68247E8A63ACBA846182740E:
    PID 624: atl.dll
    PID 3576: urlmon.dll
    PID 2436: mshtml.dll
    PID 3720: shdocvw.dll
    PID 3812: browseui.dll
    PID 2788: .dll
    PID 612: .dll
    PID 4996: scrrun.dll
    PID 3012: msxml.dll
    PID 1536: msxml3.dll
    PID 4136: msxml6.dll
    PID 5532: actxprxy.dll
    PID 5524: softpub.dll
    PID 5508: wintrust.dll
    PID 5512: dssenh.dll
    PID 5568: rsaenh.dll
    PID 5564: gpkcsp.dll
    PID 5544: sccbase.dll
    PID 5648: slbcsp.dll
    PID 5664: cryptdlg.dll
    PID 5660: oleaut32.dll
    PID 5608: ole32.dll
    PID 5584: shell32.dll
    PID 5708: initpki.dll
    PID 5600: wuapi.dll
    PID 5716: wuaueng.dll
    PID 5832: wuaueng1.dll
    PID 5972: wucltui.dll
    PID 5700: wups.dll
    PID 5688: wups2.dll
    PID 5668: wuweb.dll
    PID 5992: qmgr.dll
    PID 6016: qmgrprxy.dll
    PID 5052: wucltux.dll
    PID 5828: muweb.dll
    PID 5812: wuwebv.dll
  reg.exe (PID: 5820, cmdline: 'C:\Windows\system32\reg.exe' DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f, MD5: E3DACF0B31841FA02064B4457D44B357)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Size (bytes): 11606
  Entropy (8bit): 4.883977562702998
  Encrypted: false
  MD5: 1F1446CE05A385817C3EF20CBD8B6E6A
  SHA1: 1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
  SHA-256: 2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
  SHA-512: 252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
  Malicious: false
  Preview: PSMODULECACHE...... P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1...... Uninstall-Module...... inmo...... fimo ...... Install-Module...... New-ScriptFileInfo...... Publish-Module...... Install-Script...... Update-Script...... -Command...... Update-ModuleManifest...... Find-DscResource...... Save-Module...... Save-Script...... upmo...... Uninstall-Script...... Get-InstalledScript...... Update-Module...... Register-PSRepository...... Find-Script...... Unregister-PSRepository...... pumo...... Test-ScriptFileInfo...... Update-ScriptFileInfo...... Set-PSRepository...... Get-PSRepository...... Get-InstalledModule...... Find-Module...... Find-RoleCapability...... Publish-Script...... 7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1...... Describe...... Get-TestDriveItem...... New-Fixture...... In...... Invoke-Mock...... InModuleScope...... Mock...... SafeGetCommand...... Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Size (bytes): 1724
  Entropy (8bit): 5.502141415640318
  Encrypted: false
  MD5: C06F159F787580E8531CB6950EF51F27
  SHA1: 858474216B62927CDA3F6C14B3E2C0A58A58A55B
  SHA-256: E493BCED18805E26AE9A9B80B2A24C109EA9437AAA7DA2C0C80738386093A62E
  SHA-512: EE2714F32F0E734335D3D7B317B7E929B28C3174A9BF315657EE7138CEF2CAEF68137F07ADF48F44EB752871AEF907A72F58E991B7A98DDC2DFC02BB3A6B2854
  Malicious: false
  Preview: @...e...... J...... @...... \...... ,.h.G.M..\t.F...... 2.Microsoft.BackgroundIntelligentTransfer.Management..H...... ]....E..Jqp...... Microsoft.PowerShell.ConsoleHost0...... G-.o...A...4B...... System..4...... A:.(.D...... System.Core.D...... N..o.H...1.w...... System.Management.AutomationL...... 7.....J@...... ~...... #.Microsoft.Management.Infrastructure.<...... H..QN.Y.f...... System.Management...@...... Lo...QN......

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qqnaemoc.zpq.psm1
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: ASCII text, with no line terminators
  Size (bytes): 80
  Entropy (8bit): 4.617459215777256
  Encrypted: false
  MD5: CD3BFBFB5D68B806BE437A7CD60DBF57
  SHA1: D0FDF0CAF3F436FF71EABAE2A586CD4009734B8F
  SHA-256: 77ED95BA3C88E188596EF8EAAD0A9EF3F63A030D9A8809E6847F6DC2623939D6
  SHA-512: 0ED51C73BB237CE152C5EC4618067BF6C7005E4D813DE23157EC10846BD64691393EE4F9643536790AA7716C0E2928710815991C42339498AAB720E1587E5305
  Malicious: false
  Preview: # PowerShell test file to determine AppLocker lockdown mode 5/18/2020 7:46:25 PM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhk5nbxs.2ql.ps1
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: ASCII text, with no line terminators
  Size (bytes): 80
  Entropy (8bit): 4.617459215777256
  Encrypted: false
  MD5: CD3BFBFB5D68B806BE437A7CD60DBF57
  SHA1: D0FDF0CAF3F436FF71EABAE2A586CD4009734B8F
  SHA-256: 77ED95BA3C88E188596EF8EAAD0A9EF3F63A030D9A8809E6847F6DC2623939D6
  SHA-512: 0ED51C73BB237CE152C5EC4618067BF6C7005E4D813DE23157EC10846BD64691393EE4F9643536790AA7716C0E2928710815991C42339498AAB720E1587E5305
  Malicious: false
  Preview: # PowerShell test file to determine AppLocker lockdown mode 5/18/2020 7:46:25 PM

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3I1C40YSNDXGTQCCQ6XR.temp
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Size (bytes): 6205
  Entropy (8bit): 3.7185562468528954
  Encrypted: false
  MD5: 1A784A4C5CC7B50D38C38B7954E82708
  SHA1: E101814449170C5CC9B008478D412E01B956E191
  SHA-256: ACA9E40C96B7EC8F35F77E1BE513360AB3EAD8B605EDB09AA85DACF843EE46DA
  SHA-512: AB6A193EA5CD5EFF1176F4A3A7B7DCDE6C2165AB4BA45569C6CDDE963EC9600ABCD7E28554B3D4A286C3455488E7947EF963A35A441E083F31584DCB5B24D943
  Malicious: false
  Preview: ...... FL...... F."...... -=L...... \...... :..DG..Yr?.D..U..k0.&...&...... 3L.....#O!....[y..-...... t...CFSF..1.....vM....AppData...t.Y^...H.g.3..(. ....gVA.G..k...@...... vM...P...... nM...... n..A.p.p.D.a.t.a...B.V.1...... N...Roaming.@...... vM...P...... M...... e.s.R.o.a.m.i.n.g.....\.1.....vM....MICROS~1..D...... vM...P...... N...... U..M.i.c.r.o.s.o.f.t.....V.1...... N...Windows.@...... vM...N...... N...... 2(..W.i.n.d.o.w.s...... 1.....vM....STARTM~1..n...... vM...N...... N...... D...... cg.S.t.a.r.t. [email protected].,.-.2.1.7.8.6...... 1...... N...Programs..j...... vM...N...... N...... @...... *[email protected].,.-.2.1.7.8.2. ....n.1...... L...WINDOW~1..V...... vM...N!...... N...... T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2...... L.. .WINDOW~1.LNK..^...... vM..vM...... N......

C:\Users\user\Documents\20200518\PowerShell_transcript.878411.iQyF8wyR.20200518194625.txt
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
  Size (bytes): 4799
  Entropy (8bit): 5.379730978711428
  Encrypted: false
  MD5: C8C4F1861FDC932B7F84289E4977CD25
  SHA1: D236778A604DCD6FC040F418E7E9D977F41B53EE
  SHA-256: BC57A228343F6582AC5679C465BA7635599FDA93F7735F19B18E5455CDEA34A9
  SHA-512: CEA7DB35D9BD294284C966CA61EB39C843C72CD93EC89E9AD864BF2C1B83363E7DD83344747235AB8EE64501CBFA54154A82DAD7B76BD83D50B53306F480D6C1
  Malicious: false
  Preview: .**********************..Windows PowerShell transcript start..Start time: 20200518194625..Username: user-PC\user.. User: user-PC\user..Configuration Name: ..Machine: 878411 ( NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noLogo -ExecutionPolicy unrestricted -file C:\Users\user\Desktop\Reset-WindowsUpdate.ps1..Process ID: 5172..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20200518194625..**********************..PS>CommandInvocation(Reset-WindowsUpdate.ps1): " Reset-WindowsUpdate.ps1"..1. Stopping Services.....2. Remove QMGR Data file.....3. Renaming the Software Distribution and CatRoot Folder.....4. Removing old Windows Upd

C:\Windows\System32\catroot2\dberr.txt
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: ASCII text, with CRLF line terminators
  Size (bytes): 536
  Entropy (8bit): 4.841495045569307
  Encrypted: false
  MD5: 30BCF16D1EAE81F11C59EEF2AE89246E
  SHA1: C962613263CCBBAB982DB85462E33F4A530E52C4
  SHA-256: A23BB64603F925BBC249E208183D3ABAC0F7BF659147D73C7541AC03A15FE0ED
  SHA-512: 0F47F4FB047B63E3A17F463B41B26E350BB00B2FCF53FBC0604C428FB46E77DCA44963ADB78239318EFBE584CFA632BD3DD3853AB3C552B2D7D5F8C00FC60419
  Malicious: false
  Preview: CatalogDB: 7:46:39 PM 5/18/2020: catdbcli.cpp line #624 encountered error 0x000006b5..CatalogDB: 7:46:39 PM 5/18/2020: catadnew.cpp at line #2396 encountered error 0x000006b5..CatalogDB: 7:46:39 PM 5/18/2020: catadnew.cpp at line #925 encountered error 0x000006b5..CatalogDB: 7:46:39 PM 5/18/2020: catdbcli.cpp at line #624 encountered error 0x000006b5..CatalogDB: 7:46:39 PM 5/18/2020: catadnew.cpp at line #2396 encountered error 0x000006b5..CatalogDB: 7:46:39 PM 5/18/2020: catadnew.cpp at line #925 encountered error 0x000006b5..

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://twitter.com/geeky_ryan | Reset-WindowsUpdate.ps1 | false | | high
https://github.com/rnemeth90 | Reset-WindowsUpdate.ps1 | false | | high
https://www.linkedin.com/in/ryan-nemeth-b0b1504b/ | Reset-WindowsUpdate.ps1 | false | | high
www.geekyryan.com | Reset-WindowsUpdate.ps1 | false | 0%, Virustotal; Avira URL Cloud: safe | unknown

Contacted IPs

No contacted IP infos

Static File Info

General

File type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Entropy (8bit): 5.384537086240632
TrID: Text - UTF-8 encoded (3003/1) 100.00%
File name: Reset-WindowsUpdate.ps1
File size: 4061
MD5: 43b85dc5522e32f2471e03df437b1caa
SHA1: 48ea02697f7fce702d5a8d112db22ab7183ec7c9
SHA256: f30ac9f7a085ccee6c4ee6e7bb9fc8a59ef4db4da51b986e1be547fe9df539ae
SHA512: a5e40de0def6516b20a0953dfb0d264b634913c9a9f90c025f1239abe4f999b1c916456dd94fbda5fe0156f147626e93e9f6d1d7085b62d3a74d5290bc138782
SSDEEP: 96:ipIYt0q6GkoZ+BazbFB7FqqYdfIwXx9IZ+5/Vd2rBtDNYnnMwn1lz7cjVUj8jBxH:ieYqWMBm7kldgwXx9IZ+5/VdQBtDann4
File Content Preview: ...<#...SYNOPSIS..Reset-WindowsUpdate.ps1 - Resets the Windows Update components.....DESCRIPTION..This script will reset all of the Windows Updates components to DEFAULT......OUTPUTS..Results are printed to the console. Future releases will supp

File Icon

Icon Hash: 72f2d6fef6f6dae4

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: powershell.exe PID: 5172 Parent PID: 5340

General

Start time: 19:46:23
Start date: 18/05/2020
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\Reset-WindowsUpdate.ps1'
Imagebase: 0x7ff6c9b30000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF85910EA15 | unknown
C:\Users\user\AppData\Roaming | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF85910EA15 | unknown
C:\Windows\system32\catroot | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF855250A4C | unknown
C:\Windows\system32\catroot2 | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF855250A4C | unknown
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_xhk5nbxs.2ql.ps1 | read attributes, synchronize, generic write | device | sequential only, synchronous io non alert, non directory file, open no recall | success or wait | 1 | 7FF857F36FFD | CreateFileW
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_qqnaemoc.zpq.psm1 | read attributes, synchronize, generic write | device | sequential only, synchronous io non alert, non directory file, open no recall | success or wait | 1 | 7FF857F36FFD | CreateFileW
C:\Users\user\Documents\20200518 | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | success or wait | 1 | 7FF857F3F37D | CreateDirectoryW
C:\Users\user\Documents\20200518\PowerShell_transcript.878411.iQyF8wyR.20200518194625.txt | read attributes, synchronize, generic read, generic write | device | synchronous io non alert, non directory file, open no recall | success or wait | 1 | 7FF857F36FFD | CreateFileW
C:\Windows\system32\catroot | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 3 | 7FF855250A4C | unknown
C:\Windows\system32\catroot2 | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 3 | 7FF855250A4C | unknown
C:\Windows\system32\catroot | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 2 | 7FF855250A4C | unknown
C:\Windows\system32\catroot2 | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 2 | 7FF855250A4C | unknown
C:\Windows\system32\catroot | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF855250A4C | unknown
C:\Windows\system32\catroot2 | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF855250A4C | unknown
C:\Windows\system32\catroot | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF855250A4C | unknown
C:\Windows\system32\catroot2 | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF855250A4C | unknown
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | read attributes, synchronize, generic read, generic write | device | synchronous io non alert, non directory file, open no recall | success or wait | 1 | 7FF857F36FFD | CreateFileW
C:\Windows\system32\catroot | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF855250A4C | unknown
C:\Windows\system32\catroot2 | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | success or wait | 1 | 7FF855250A4C | unknown
C:\Windows\System32\CatRoot2\dberr.txt | read attributes, synchronize, generic read, generic write | device | synchronous io non alert, non directory file | success or wait | 1 | 7FF855250A4C | unknown
C:\Windows\system32\catroot | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF855250A4C | unknown
C:\Windows\system32\catroot2 | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF855250A4C | unknown
C:\Windows\system32\catroot | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF855250A4C | unknown
C:\Windows\system32\catroot2 | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 7FF855250A4C | unknown

File Deleted

| Source File Path | Completion | Count | Address | Symbol |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_xhk5nbxs.2ql.ps1 | success or wait | 1 | 7FF857F3F290 | DeleteFileW |
| C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_qqnaemoc.zpq.psm1 | success or wait | 1 | 7FF857F3F290 | DeleteFileW |
| C:\Windows\WindowsUpdate.log | success or wait | 1 | 7FF857F3F290 | DeleteFileW |

File Moved

| Source Old File Path | New File Path | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|
| C:\Windows\SoftwareDistribution | C:\Windows\SoftwareDistribution.bak | success or wait | 1 | 7FF857F3EB1C | MoveFileW |
| C:\Windows\System32\catroot2 | C:\Windows\System32\catroot2.bak. | success or wait | 1 | 7FF857F3EB1C | MoveFileW |

File Written

| Source File Path | Offset | Length | Ascii | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_xhk5nbxs.2ql.ps1 | unknown | 80 | # PowerShell test file to determine AppLocker lockdown mode 5/18/2020 7:46:25 PM | success or wait | 1 | 7FF857F3B546 | WriteFile |
| C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_qqnaemoc.zpq.psm1 | unknown | 80 | # PowerShell test file to determine AppLocker lockdown mode 5/18/2020 7:46:25 PM | success or wait | 1 | 7FF857F3B546 | WriteFile |
| C:\Users\user\Documents\20200518\PowerShell_transcript.878411.iQyF8wyR.20200518194625.txt | unknown | 3 | ... (bytes ef bb bf, UTF-8 byte order mark) | success or wait | 1 | 7FF857F3B546 | WriteFile |
| C:\Users\user\Documents\20200518\PowerShell_transcript.878411.iQyF8wyR.20200518194625.txt | unknown | 682 | **********************..Windows PowerShell transcript start..Start time: 20200518194625..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 878411 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32 | success or wait | 48 | 7FF857F3B546 | WriteFile |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | unknown | 4096 | PSMODULECACHE......P.e....S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script.. | success or wait | 1 | 7FF857F3B546 | WriteFile |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | unknown | 4096 | .Stop-Process........Restart-Service........Restore-Computer........Convert-Path........Start-Transaction........Get-TimeZone........Copy-Item........Remove-EventLog........Set-Content........New-Service........Get-HotFix........Test-Connection........Get | success or wait | 1 | 7FF857F3B546 | WriteFile |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | unknown | 3414 | -PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........w.e....a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-Packag | success or wait | 1 | 7FF857F3B546 | WriteFile |
| C:\Windows\System32\catroot2\dberr.txt | unknown | 89 | CatalogDB: 7:46:39 PM 5/18/2020: catdbcli.cpp at line #624 encountered error 0x000006b5.. | success or wait | 1 | 7FF855250A4C | unknown |
| C:\Windows\System32\catroot2\dberr.txt | unknown | 90 | CatalogDB: 7:46:39 PM 5/18/2020: catadnew.cpp at line #2396 encountered error 0x000006b5.. | success or wait | 1 | 7FF855250A4C | unknown |
| C:\Windows\System32\catroot2\dberr.txt | unknown | 89 | CatalogDB: 7:46:39 PM 5/18/2020: catadnew.cpp at line #925 encountered error 0x000006b5.. | success or wait | 1 | 7FF855250A4C | unknown |
| C:\Windows\System32\catroot2\dberr.txt | unknown | 89 | CatalogDB: 7:46:39 PM 5/18/2020: catdbcli.cpp at line #624 encountered error 0x000006b5.. | success or wait | 1 | 7FF855250A4C | unknown |
| C:\Windows\System32\catroot2\dberr.txt | unknown | 90 | CatalogDB: 7:46:39 PM 5/18/2020: catadnew.cpp at line #2396 encountered error 0x000006b5.. | success or wait | 1 | 7FF855250A4C | unknown |
| C:\Windows\System32\catroot2\dberr.txt | unknown | 89 | CatalogDB: 7:46:39 PM 5/18/2020: catadnew.cpp at line #925 encountered error 0x000006b5.. | success or wait | 1 | 7FF855250A4C | unknown |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 64 | @...e......J.............@...... (binary) | success or wait | 1 | 7FF85952FC88 | WriteFile |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 40 | \......,.h.G..M..\t.F......2. (binary) | success or wait | 19 | 7FF85952FC88 | WriteFile |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 50 | Microsoft.BackgroundIntelligentTransfer.Management | success or wait | 19 | 7FF85952FC88 | WriteFile |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 2 | .. | success or wait | 13 | 7FF85952FC88 | WriteFile |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 4 | .... | success or wait | 1 | 7FF85952FC88 | WriteFile |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 380 | (binary) | success or wait | 1 | 7FF85952FC88 | WriteFile |

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config unknown 4095 success or wait 1 7FF85901C00D unknown C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config unknown 8173 end of file 1 7FF85901C00D unknown C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 7FF85901C00D unknown C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 7FF85901C00D unknown C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 7FF85901C00D unknown C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4098 success or wait 1 7FF85901C00D unknown C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 7FF85901C00D unknown C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818 unknown 176 success or wait 1 7FF858FD6C5B ReadFile 384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll.aux C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config unknown 4095 success or wait 1 7FF859023025 ReadFile C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config unknown 8173 end of file 1 7FF859023025 ReadFile C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 7FF859023025 ReadFile C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 7FF859023025 ReadFile C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 7FF859023025 ReadFile C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4098 success or wait 1 7FF859023025 ReadFile C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 7FF859023025 ReadFile C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb3 unknown 1248 success or 
wait 1 7FF858FD6C5B ReadFile 78ec07#\16f355aec7c0ddbf07e4ba8ea04da1c5\Microsoft.PowerShell.ConsoleHost.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_64\System\ecad7a unknown 620 success or wait 1 7FF858FD6C5B ReadFile e388cef8593aaf80bd2e354c40\System.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\c unknown 900 success or wait 1 7FF858FD6C5B ReadFile 79ff69b8e787a0eab7528231903f272\System.Core.ni.dll.aux

Copyright Joe Security LLC 2020 Page 23 of 39 Source File Path Offset Length Completion Count Address Symbol C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa5 unknown 2764 success or wait 1 7FF858FD6C5B ReadFile 7fc8cc#\c4851b03ba8d98b41d55d4782c8e58b6\System.Management.Automation.ni.dll.aux C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config unknown 4095 success or wait 1 7FF85901C00D unknown C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config unknown 8173 end of file 1 7FF85901C00D unknown C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config unknown 4095 success or wait 1 7FF85901C00D unknown C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config unknown 8173 end of file 1 7FF85901C00D unknown C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf4 unknown 748 success or wait 1 7FF858FD6C5B ReadFile 9f6405#\fd09ca11fde550312ac2f945d0e1b88d\Microsoft.Management.Infrastructure.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manage unknown 764 success or wait 1 7FF858FD6C5B ReadFile ment\1a9dc87a16846dec37edcec452d3af68\System.Management.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired1 unknown 752 success or wait 1 7FF858FD6C5B ReadFile 3b18a9#\c73e2a86060033c34fd87b7cabedb2ae\System.DirectoryServices.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\1b unknown 748 success or wait 1 7FF858FD6C5B ReadFile 1d43ddf8ad426d8b63cfc742d9fc5e\System.Xml.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numeri unknown 300 success or wait 1 7FF858FD6C5B ReadFile cs\4f7e7c29596d1fb8414f1220e627d94c\System.Numerics.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numeri unknown 300 success or wait 1 7FF858FD6C5B ReadFile cs\6c33a9c412951355e66c5772ed21f2ce\System.Numerics.ni.dll.aux C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 7FF85901C00D unknown 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 7FF85901C00D unknown C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 7FF85901C00D unknown C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4098 success or wait 2 7FF85901C00D unknown C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 7FF85901C00D unknown C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4121 success or wait 1 7FF85901C00D unknown C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4253 success or wait 1 7FF85901C00D unknown C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 8171 end of file 1 7FF85901C00D unknown C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\0 unknown 1540 success or wait 1 7FF858FD6C5B ReadFile 94c2a9cbf04eb358e5edf7e617159de\System.Data.ni.dll.aux C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive unknown 64 success or wait 1 7FF85902C9BB ReadFile C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive unknown 1300 success or wait 1 7FF85902CA99 ReadFile C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f unknown 1268 success or wait 1 7FF858FD6C5B ReadFile 792626#\5298d54f2f3b904351a8b2fcd6977f4c\Microsoft.PowerShell.Security.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Config unknown 864 success or wait 1 7FF858FD6C5B ReadFile uration\e2a9148f660974bf6dd220e59c0c8dfc\System.Configuration.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Config unknown 864 success or wait 1 7FF858FD6C5B ReadFile uration\e2a9148f660974bf6dd220e59c0c8dfc\System.Configuration.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transa unknown 924 success or wait 1 7FF858FD6C5B ReadFile 
ctions\3923669024c3ad21b1f628926196e1af\System.Transactions.ni.dll.aux C:\Users\user\Desktop\Reset-WindowsUpdate.ps1 unknown 4096 success or wait 1 7FF857F3B546 ReadFile C:\Users\user\Desktop\Reset-WindowsUpdate.ps1 unknown 35 end of file 1 7FF857F3B546 ReadFile C:\Users\user\Desktop\Reset-WindowsUpdate.ps1 unknown 4096 end of file 1 7FF857F3B546 ReadFile C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.P unknown 4096 success or wait 1 7FF857F3B546 ReadFile owerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.P unknown 492 end of file 1 7FF857F3B546 ReadFile owerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.P unknown 4096 end of file 1 7FF857F3B546 ReadFile owerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\PackageMana unknown 4096 success or wait 1 7FF857F3B546 ReadFile gement\1.0.0.1\PackageManagement.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\PackageMana unknown 774 end of file 1 7FF857F3B546 ReadFile gement\1.0.0.1\PackageManagement.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\PackageMana unknown 4096 end of file 1 7FF857F3B546 ReadFile gement\1.0.0.1\PackageManagement.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 unknown 4096 success or wait 1 7FF857F3B546 ReadFile C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 unknown 4096 end of file 1 7FF857F3B546 ReadFile C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 unknown 4096 success or wait 1 7FF857F3B546 ReadFile C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 unknown 4096 end of file 1 7FF857F3B546 ReadFile C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 unknown 4096 success or wait 1 
7FF857F3B546 ReadFile C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 unknown 682 end of file 1 7FF857F3B546 ReadFile C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellG unknown 4096 success or wait 1 7FF857F3B546 ReadFile et\1.0.0.1\PowerShellGet.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellG unknown 289 end of file 1 7FF857F3B546 ReadFile et\1.0.0.1\PowerShellGet.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellG unknown 4096 end of file 1 7FF857F3B546 ReadFile et\1.0.0.1\PowerShellGet.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellG unknown 4096 success or wait 1 7FF857F3B546 ReadFile et\1.0.0.1\PowerShellGet.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellG unknown 289 end of file 1 7FF857F3B546 ReadFile et\1.0.0.1\PowerShellGet.psd1

Copyright Joe Security LLC 2020 Page 24 of 39 Source File Path Offset Length Completion Count Address Symbol C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellG unknown 4096 end of file 1 7FF857F3B546 ReadFile et\1.0.0.1\PowerShellGet.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 unknown 4096 success or wait 136 7FF857F3B546 ReadFile C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 unknown 993 end of file 1 7FF857F3B546 ReadFile C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 unknown 4096 end of file 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerSh unknown 4096 success or wait 1 7FF857F3B546 ReadFile ell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerSh unknown 492 end of file 1 7FF857F3B546 ReadFile ell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerSh unknown 4096 end of file 1 7FF857F3B546 ReadFile ell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 C:\Program Files\WindowsPowerShell\Modules\PackageManagement unknown 4096 success or wait 1 7FF857F3B546 ReadFile \1.0.0.1\PackageManagement.psd1 C:\Program Files\WindowsPowerShell\Modules\PackageManagement unknown 774 end of file 1 7FF857F3B546 ReadFile \1.0.0.1\PackageManagement.psd1 C:\Program Files\WindowsPowerShell\Modules\PackageManagement unknown 4096 end of file 1 7FF857F3B546 ReadFile \1.0.0.1\PackageManagement.psd1 C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 unknown 4096 success or wait 2 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 unknown 4096 end of file 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 unknown 4096 success or wait 2 
7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 unknown 4096 end of file 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 unknown 4096 success or wait 5 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 unknown 682 end of file 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 unknown 4096 end of file 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 unknown 4096 success or wait 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 unknown 289 end of file 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 unknown 4096 success or wait 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 unknown 289 end of file 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 unknown 4096 end of file 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 unknown 4096 success or wait 126 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 unknown 993 end of file 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 unknown 4096 end of file 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadline.psd1 unknown 4096 success or wait 1 7FF857F3B546 ReadFile C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadline.psd1 unknown 4096 end of file 1 7FF857F3B546 ReadFile C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 1 7FF857F3B546 ReadFile .PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 
C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 637 end of file 1 7FF857F3B546 ReadFile .PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 end of file 1 7FF857F3B546 ReadFile .PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 1 7FF857F3B546 ReadFile .PowerShell.Management\Microsoft.PowerShell.Management.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 534 end of file 1 7FF857F3B546 ReadFile .PowerShell.Management\Microsoft.PowerShell.Management.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 end of file 1 7FF857F3B546 ReadFile .PowerShell.Management\Microsoft.PowerShell.Management.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 1 7FF857F3B546 ReadFile .PowerShell.Management\Microsoft.PowerShell.Management.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 534 end of file 1 7FF857F3B546 ReadFile .PowerShell.Management\Microsoft.PowerShell.Management.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 end of file 1 7FF857F3B546 ReadFile .PowerShell.Management\Microsoft.PowerShell.Management.psd1 C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae unknown 3148 success or wait 1 7FF858FD6C5B ReadFile 3498d9#\ab74b99cc92b19ec3406d00087574b0d\Microsoft.PowerShel l.Commands.Management.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe6 unknown 1260 success or wait 1 7FF858FD6C5B ReadFile 4a9051#\d4126cede928fd84ab289493035ec27c\System.Configuration.Install.ni.dll.aux C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 1 7FF857F3B546 ReadFile .PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 637 
end of file 1 7FF857F3B546 ReadFile .PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 end of file 1 7FF857F3B546 ReadFile .PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P52 unknown 2264 success or wait 1 7FF858FD6C5B ReadFile 1220ea#\93e1697e7e205a939433cd71f5f6f973\Microsoft.PowerShel l.Commands.Utility.ni.dll.aux C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 8 7FF857F3B546 ReadFile .PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 128 end of file 1 7FF857F3B546 ReadFile .PowerShell.Utility\Microsoft.PowerShell.Utility.psm1


Analysis Process: conhost.exe PID: 5156 Parent PID: 5172

General

Start time: 19:46:24
Start date: 18/05/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c77e0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: regsvr32.exe PID: 624 Parent PID: 5172

General

Start time: 19:46:27
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s atl.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 3576 Parent PID: 5172

General

Start time: 19:46:27
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s urlmon.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: regsvr32.exe PID: 2436 Parent PID: 5172

General

Start time: 19:46:27
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s mshtml.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 3720 Parent PID: 5172

General

Start time: 19:46:27
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s shdocvw.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 3812 Parent PID: 5172

General

Start time: 19:46:28
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s browseui.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 2788 Parent PID: 5172

General

Start time: 19:46:28
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s jscript.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Analysis Process: regsvr32.exe PID: 612 Parent PID: 5172

General

Start time: 19:46:28
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s vbscript.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 4996 Parent PID: 5172

General

Start time: 19:46:28
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s scrrun.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Key Created

Key Path | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\aspfile | success or wait | 1 | 7FF8510D6471 | RegCreateKeyA

Key Value Created

Key Path | Name | Type | Data | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\scriptHostEncode | NULL | unicode | {0CF774D0-F077-11D1-B1BC-00C04F86C324} | success or wait | 1 | 7FF8510D64FC | RegSetValueA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\aspfile\scriptHostEncode | NULL | unicode | {0CF774D1-F077-11D1-B1BC-00C04F86C324} | success or wait | 1 | 7FF8510D64FC | RegSetValueA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\scriptHostEncode | NULL | unicode | {85131630-480C-11D2-B1F9-00C04F86C324} | success or wait | 1 | 7FF8510D64FC | RegSetValueA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\scriptHostEncode | NULL | unicode | {85131631-480C-11D2-B1F9-00C04F86C324} | success or wait | 1 | 7FF8510D64FC | RegSetValueA

Key Value Modified

Key Path | Name | Type | Old Data | New Data | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32 | NULL | unicode | C:\Windows\System32\scrrun.dll | C:\Windows\system32\scrrun.dll | access denied | 1 | 7FF8510D6E43 | RegSetValueA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 | NULL | unicode | C:\Windows\System32\scrrun.dll | C:\Windows\system32\scrrun.dll | access denied | 1 | 7FF8510D6E43 | RegSetValueA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\InprocServer32 | NULL | unicode | C:\Windows\System32\scrrun.dll | C:\Windows\system32\scrrun.dll | access denied | 1 | 7FF8510D6E43 | RegSetValueA

Analysis Process: regsvr32.exe PID: 3012 Parent PID: 5172

General

Start time: 19:46:29
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s msxml.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 1536 Parent PID: 5172

General

Start time: 19:46:29
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s msxml3.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 4136 Parent PID: 5172

General

Start time: 19:46:29
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s msxml6.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 5532 Parent PID: 5172

General

Start time: 19:46:29
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s actxprxy.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: regsvr32.exe PID: 5524 Parent PID: 5172

General

Start time: 19:46:30
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s softpub.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 5508 Parent PID: 5172

General

Start time: 19:46:30
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s wintrust.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 5512 Parent PID: 5172

General

Start time: 19:46:30
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s dssenh.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: regsvr32.exe PID: 5568 Parent PID: 5172

General

Start time: 19:46:30
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s rsaenh.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: regsvr32.exe PID: 5564 Parent PID: 5172

General

Start time: 19:46:31
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s gpkcsp.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 5544 Parent PID: 5172

General

Start time: 19:46:31
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s sccbase.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 5648 Parent PID: 5172

General

Start time: 19:46:31
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s slbcsp.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 5664 Parent PID: 5172

General

Start time: 19:46:32
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s cryptdlg.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5660 Parent PID: 5172

General

Start time: 19:46:32
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s oleaut32.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5608 Parent PID: 5172

General

Start time: 19:46:32
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s ole32.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5584 Parent PID: 5172

General

Start time: 19:46:33
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s shell32.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5708 Parent PID: 5172

General

Start time: 19:46:33
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s initpki.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5600 Parent PID: 5172

General

Start time: 19:46:33
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s wuapi.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5716 Parent PID: 5172

General

Start time: 19:46:33
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s wuaueng.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5832 Parent PID: 5172

General

Start time: 19:46:34
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s wuaueng1.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5972 Parent PID: 5172

General

Start time: 19:46:34
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s wucltui.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5700 Parent PID: 5172

General

Start time: 19:46:34
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s wups.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5688 Parent PID: 5172

General

Start time: 19:46:34
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s wups2.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5668 Parent PID: 5172

General

Start time: 19:46:35
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s wuweb.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5992 Parent PID: 5172

General

Start time: 19:46:35
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s qmgr.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 6016 Parent PID: 5172

General

Start time: 19:46:35
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s qmgrprxy.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5052 Parent PID: 5172

General

Start time: 19:46:36
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s wucltux.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5828 Parent PID: 5172

General

Start time: 19:46:36
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s muweb.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5812 Parent PID: 5172

General

Start time: 19:46:36
Start date: 18/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' /s wuwebv.dll
Imagebase: 0x7ff685a70000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language

Analysis Process: reg.exe PID: 5820 Parent PID: 5172

General

Start time: 19:46:36
Start date: 18/05/2020
Path: C:\Windows\System32\reg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\reg.exe' DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
Imagebase: 0x7ff7b2ac0000
File size: 72704 bytes
MD5 hash: E3DACF0B31841FA02064B4457D44B357
Has administrator privileges: false
Programmed in: C, C++ or other language

Disassembly

Code Analysis
