ID: 310318
Sample Name: x64.exe
Cookbook: default.jbs
Time: 12:39:09
Date: 06/11/2020
Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents .......... 2
Analysis Report x64.exe .......... 4
  Overview .......... 4
    General Information .......... 4
    Detection .......... 4
    Signatures .......... 4
    Classification .......... 4
    Startup .......... 4
  Malware Configuration .......... 4
  Yara Overview .......... 4
    Memory Dumps .......... 4
  Sigma Overview .......... 5
    System Summary: .......... 5
  Signature Overview .......... 5
    System Summary: .......... 5
    Boot Survival: .......... 5
  Mitre Att&ck Matrix .......... 6
  Behavior Graph .......... 6
  Screenshots .......... 7
    Thumbnails .......... 7
  Antivirus, Machine Learning and Genetic Malware Detection .......... 7
    Initial Sample .......... 7
    Dropped Files .......... 7
    Unpacked PE Files .......... 8
    Domains .......... 8
    URLs .......... 8
  Domains and IPs .......... 8
    Contacted Domains .......... 8
    URLs from Memory and Binaries .......... 8
    Contacted IPs .......... 9
  General Information .......... 9
  Simulations .......... 10
    Behavior and APIs .......... 10
  Joe Sandbox View / Context .......... 10
    IPs .......... 10
    Domains .......... 10
    ASN .......... 10
    JA3 Fingerprints .......... 10
    Dropped Files .......... 10
  Created / dropped Files .......... 10
  Static File Info .......... 12
    General .......... 12
    File Icon .......... 12
  Static PE Info .......... 12
    General .......... 12
    Entrypoint Preview .......... 12
    Data Directories .......... 14
    Sections .......... 14
    Imports .......... 14
  Network Behavior .......... 15
  Code Manipulations .......... 15
  Statistics .......... 15
    Behavior .......... 15
  System Behavior .......... 15
    Analysis Process: x64.exe PID: 6720 Parent PID: 5692 .......... 15

Copyright null 2020 Page 2 of 27

      General .......... 15
      File Activities .......... 16
        File Written .......... 16
        File Read .......... 17
    Analysis Process: conhost.exe PID: 6736 Parent PID: 6720 .......... 17
      General .......... 17
    Analysis Process: cmd.exe PID: 6788 Parent PID: 6720 .......... 17
      General .......... 17
      File Activities .......... 17
    Analysis Process: whoami.exe PID: 6812 Parent PID: 6788 .......... 17
      General .......... 18
      File Activities .......... 18
    Analysis Process: cmd.exe PID: 6840 Parent PID: 6720 .......... 18
      General .......... 18
      File Activities .......... 18
    Analysis Process: powershell.exe PID: 6852 Parent PID: 6840 .......... 18
      General .......... 18
      File Activities .......... 19
        File Created .......... 19
        File Deleted .......... 20
        File Written .......... 20
        File Read .......... 21
    Analysis Process: cmd.exe PID: 5848 Parent PID: 6720 .......... 26
      General .......... 26
      File Activities .......... 26
    Analysis Process: whoami.exe PID: 5460 Parent PID: 5848 .......... 26
      General .......... 26
      File Activities .......... 26
    Analysis Process: findstr.exe PID: 6228 Parent PID: 5848 .......... 26
      General .......... 26
      File Activities .......... 27
        File Read .......... 27
  Disassembly .......... 27
    Code Analysis .......... 27

Analysis Report x64.exe

Overview

General Information

Sample Name: x64.exe
Analysis ID: 310318
MD5: 5daea8be23ce52…
SHA1: ba0b53de1b9e9d…
SHA256: a0ff195e6d1d602…
Most interesting Screenshot:

Detection

malicious (scale: malicious / suspicious / clean)
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

• Sigma detected: Whoami Execution
• Uses whoami command line tool to q…
• Contains functionality to open a port
• Contains long sleeps (>= 3 min)
• Creates a process in suspended mo…
• Detected potential crypto function
• Enables debug privileges
• Found a high number of Window / Us…
• Found inlined nop instructions (likely…
• Found large amount of non-executed…
• Found potential string decryption / a…
• May sleep (evasive loops) to hinder…
• Queries the volume information (name…
• Sample execution stops while proc…
• Uses code obfuscation techniques (…
• Yara signature match

Classification

Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Startup

System is w10x64
x64.exe (PID: 6720 cmdline: 'C:\Users\user\Desktop\x64.exe' MD5: 5DAEA8BE23CE520DBCCE5A346E87DE35)
  conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  cmd.exe (PID: 6788 cmdline: C:\Windows\system32\cmd.exe /c whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    whoami.exe (PID: 6812 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)
  cmd.exe (PID: 6840 cmdline: C:\Windows\system32\cmd.exe /c powershell.exe 'Get-ExecutionPolicy ;stop-process -Id $PID' ; MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    powershell.exe (PID: 6852 cmdline: powershell.exe 'Get-ExecutionPolicy ;stop-process -Id $PID' ;exit MD5: 95000560239032BC68B4C2FDFCDEF913)
  cmd.exe (PID: 5848 cmdline: C:\Windows\system32\cmd.exe /c whoami /priv |findstr 'SeImpersonatePrivilege seAssignPrimaryPrivilege SeDebugPrivilege SeLoadDriverPrivilege SeTcbPrivilege SeBackupPrivilege SeRestorePrivilege SeCreateTokenPrivilege SeTakeOwnershipPrivilege ' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    whoami.exe (PID: 5460 cmdline: whoami /priv MD5: AA18BE1AD24DE09417C1A7459F5C1701)
    findstr.exe (PID: 6228 cmdline: findstr 'SeImpersonatePrivilege seAssignPrimaryPrivilege SeDebugPrivilege SeLoadDriverPrivilege SeTcbPrivilege SeBackupPrivilege SeRestorePrivilege SeCreateTokenPrivilege SeTakeOwnershipPrivilege ' MD5: BCC8F29B929DABF5489C9BE6587FF66D)
cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.276626953.00000001000CE000.00000002.00020000.sdmp
Rule: Recon_Commands_Windows_Gen1
Description: Detects a set of reconnaissance commands on Windows systems
Author: Florian Roth
Strings: 0x1098:$s1: netstat -an, 0x2310:$s3: net user, 0x1b10:$s4: whoami, 0x1ba0:$s4: whoami, 0x2338:$s4: whoami, 0x2df:$s6: systeminfo, 0x14e8:$s6: systeminfo, 0x1450:$s10: tasklist /svc

Source: 00000000.00000000.237038759.00000001000CE000.00000002.00020000.sdmp
Rule: Recon_Commands_Windows_Gen1
Description: Detects a set of reconnaissance commands on Windows systems
Author: Florian Roth
Strings: 0x1098:$s1: netstat -an, 0x2310:$s3: net user, 0x1b10:$s4: whoami, 0x1ba0:$s4: whoami, 0x2338:$s4: whoami, 0x2df:$s6: systeminfo, 0x14e8:$s6: systeminfo, 0x1450:$s10: tasklist /svc

Source: Process Memory Space: x64.exe PID: 6720
Rule: Recon_Commands_Windows_Gen1
Description: Detects a set of reconnaissance commands on Windows systems
Author: Florian Roth
Strings: 0xd7f:$s1: netstat -an, 0x16e42:$s1: netstat -an, 0x62d08:$s1: netstat -an, 0x3c58:$s3: net user, 0x1ae63:$s3: net user, 0x64306:$s3: net user, 0x4063:$s4: whoami, 0xdd22:$s4: whoami, 0xe63a:$s4: whoami, 0x1949c:$s4: whoami, 0x1965e:$s4: whoami, 0x1b043:$s4: whoami, 0x58b59:$s4: whoami, 0x58c77:$s4: whoami, 0x58d76:$s4: whoami, 0x5ab33:$s4: whoami, 0x5ac32:$s4: whoami, 0x63929:$s4: whoami, 0x639c4:$s4: whoami, 0x6431c:$s4: whoami, 0x905f2:$s4: whoami

Sigma Overview

System Summary:

Sigma detected: Whoami Execution

Signature Overview

• Spreading
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Protection Evasion
• Language, Device and Operating System Detection
• Remote Access Functionality


System Summary:

Boot Survival:

Uses whoami command line tool to query computer and username

Mitre Att&ck Matrix

Initial Privilege Credential Lateral Command Network Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Effects Valid Command Path Process Masquerading 1 OS Remote Archive Exfiltration Encrypted Eavesdrop on Accounts and Scripting Interception Injection 1 1 Credential Discovery 1 Services Collected Over Other Channel 1 Insecure Interpreter 2 Dumping Data 1 Network Network Medium Communication Default Scheduled Boot or Boot or Logon Virtualization/Sandbox LSASS Security Software Remote Data from Exfiltration Ingress Tool Exploit SS7 to Accounts Task/Job Logon Initialization Evasion 2 Memory Discovery 1 Desktop Removable Over Transfer 1 Redirect Phone Initialization Scripts Protocol Media Bluetooth Calls/SMS Scripts Domain (Linux) Logon Script Logon Script Process Security Virtualization/Sandbox SMB/Windows Data from Automated Steganography Exploit SS7 to Accounts (Windows) (Windows) Injection 1 1 Account Evasion 2 Admin Shares Network Exfiltration Track Shared Location Drive Local At (Windows) Logon Script Logon Script Deobfuscate/Decode NTDS Process Discovery 1 Distributed Input Scheduled Protocol SIM Card Accounts (Mac) (Mac) Files or Information 1 Component Capture Transfer Impersonation Swap Object Model Cloud Cron Network Network Obfuscated Files or LSA Application Window SSH Keylogging Data Fallback Manipulate Accounts Logon Script Logon Script Information 3 Secrets Discovery 1 Transfer Channels Device Size Limits Communication

Replication Launchd Rc.common Rc.common Steganography Cached File and Directory VNC GUI Input Exfiltration Multiband Jamming or Through Domain Discovery 1 Capture Over C2 Communication Denial of Removable Credentials Channel Service Media External Scheduled Startup Startup Items Compile After DCSync System Information Windows Web Portal Exfiltration Commonly Rogue Wi-Fi Remote Task Items Delivery Discovery 1 1 3 Remote Capture Over Used Port Access Points Services Management Alternative Protocol

Behavior Graph

[Behavior graph figure; only its labels survive extraction.] Process ID: 310318; Sample: x64.exe; Startdate: 06/11/2020; Architecture: WINDOWS; Score: 48. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet. Nodes: x64.exe started conhost.exe and three cmd.exe instances; the cmd.exe instances started whoami.exe, findstr.exe, whoami.exe and powershell.exe. Signatures shown on the graph: "Uses whoami command line tool to query computer and username" and "Sigma detected: Whoami Execution".

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Link
x64.exe | 0% | Virustotal | Browse
x64.exe | 2% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
pesterbdd.com/images/Pester.png | 0% | Virustotal | | Browse
pesterbdd.com/images/Pester.png | 0% | Avira URL Cloud | safe |
https://go.microX | 0% | Avira URL Cloud | safe |
https://go.micro | 0% | Avira URL Cloud | safe |
https://0xsp.com | 0% | Avira URL Cloud | safe |
https://contoso.com/License | 0% | Avira URL Cloud | safe |
https://contoso.com/Icon | 0% | Avira URL Cloud | safe |
https://contoso.com/ | 0% | Avira URL Cloud | safe |
https://oneget.orgX | 0% | Avira URL Cloud | safe |
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand | 0% | Avira URL Cloud | safe |
https://go.m | 0% | Avira URL Cloud | safe |
https://oneget.org | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.264568819.000001E4347A4000.00000004.00000001.sdmp | false | | high
www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000005.00000002.255244091.000001E4258E5000.00000004.00000001.sdmp | false | | high
pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.256247324.000001E425B25000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000005.00000002.252327855.000001E424D98000.00000004.00000001.sdmp | false | | high
https://go.microX | powershell.exe, 00000005.00000002.253280552.000001E425460000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.256247324.000001E425B25000.00000004.00000001.sdmp | false | | high
https://go.micro | powershell.exe, 00000005.00000002.260802345.000001E426E81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://0xsp.com | x64.exe | false | Avira URL Cloud: safe | unknown
https://github.com/SecWi | x64.exe | false | | high
https://contoso.com/License | powershell.exe, 00000005.00000002.264568819.000001E4347A4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.264568819.000001E4347A4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Fuz | x64.exe | false | | high
https://github.com/foxglovesec/RottenPotato | x64.exe | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.256247324.000001E425B25000.00000004.00000001.sdmp | false | | high
https://github.com/SecWiki/windows-kern | x64.exe | false | | high
schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000005.00000002.252327855.000001E424D98000.00000004.00000001.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000005.00000002.264568819.000001E4347A4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.264568819.000001E4347A4000.00000004.00000001.sdmp | false | | high
https://oneget.orgX | powershell.exe, 00000005.00000002.255244091.000001E4258E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/FuzzySecurity/PSKernel-Primitives//master/Sa | x64.exe | false | | high
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand | powershell.exe, 00000005.00000002.255244091.000001E4258E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.251515489.000001E424741000.00000004.00000001.sdmp | false | | high
https://github.com/SecWiki/wi | x64.exe | false | | high
https://go.m | powershell.exe, 00000005.00000002.265833047.000001E43D014000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://oneget.org | powershell.exe, 00000005.00000002.255244091.000001E4258E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 310318
Start date: 06.11.2020
Start time: 12:39:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 29s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: x64.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason:
Detection: MAL
Classification: mal48.winEXE@16/4@0/0
EGA Information: Successful, ratio: 50%
HDC Information: Successful, ratio: 30.1% (good quality ratio 29.2%)
Quality average: 89.1%
Quality standard deviation: 22.3%
HCA Information: Failed

Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe

Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target powershell.exe, PID 6852 because it is empty
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
12:40:08 | API Interceptor | 26x call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ev2ouhla.4oq.psm1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmxz4tuy.3o3.ps1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

C:\Users\user\Documents\20201106\PowerShell_transcript.549163.wJgmzCQx.20201106124007.txt
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 759
Entropy (8bit): 5.243508653656881
Encrypted: false
SSDEEP: 12:57DtSA6NvAiTH3fBTj5oUOzx2DOzzsnY0dqpYU7zWo8nPw6jewGxMKjX4CIymgSD:BxSAw5DvBBnOzx2DOXijdE7zWznHjeTe
MD5: FC4D417479925055681D46D9A5CEFFFB
SHA1: AD9E31120197403C28D5B760612D75067FBBB9EE
SHA-256: 7556C72FBB6A2654F830E2BA6232D08D8A7D50C9A0F1DFDE131918AC8F00A411
SHA-512: ABE3BE3D3A7136E33A14FF29AB54C22BCFD0DAFB9E70194CB544C58EFBDE8B3B51BE2AE7CFB164B65B2C97DA4D7A50B6CCF9C0C49B6E1EF083D52A944B8BB1EC
Malicious: false
Reputation: low
Preview: .**********************..Windows PowerShell transcript start..Start time: 20201106124007..Username: computer\user.. User: computer\user..Configuration Name: ..Machine: 549163 ( NT 10.0.17134.0)..Host Application: powershell.exe Get-ExecutionPolicy ;stop-process -Id $PID ;exit..Process ID: 6852..PS Version: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201106124007.. **********************..PS>Get-ExecutionPolicy ;stop-process -Id $PID ;exit..Restricted..

\Device\ConDrv
Process: C:\Users\user\Desktop\x64.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 459
Entropy (8bit): 5.182953112024989
Encrypted: false
SSDEEP: 12:tPLeM2YaJ+wwiXM2bf7gZeJm6+aR55Y1nQIpaAwYP6:tOdcD471HLatQLAwYP6
MD5: F859EDF712F5184D5EEAEDB9D07EF966
SHA1: 926D6AB09407C09287496ED534448BDDB27D9A77
SHA-256: 726AD55BD028FCED36082626CB3BEDF84641C0B995EDE2A59A207C71A3D5291D
SHA-512: CEE705D564741A3C8E745EF0DD900B41AEB1E92405034FB75A26AC5A9BF7EF18292195AF47BBE1FE419E30694D32BF048CF7A8FDB2F547846EF8DCDABBC15AC5
Malicious: false
Reputation: low
Preview: ..[->] 0xsp Mongoose Windows Red 2.1.0(x64) ..[>] Lawrence Amer(@zux0x3a) ..[>] https://0xsp.com....^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^..[+] Power Status : Restricted....[+] is it vulnerable to Rotten Or Juciy Potato ? YES , Vulnerable..[+] Current System Path : C:\Windows\system32..[+] Current User : computer\user....[*]Major version : Windows 10..[*]Minor version : 0..[*]Build number : 17134..[*]Free/Checked : Free build..

Static File Info

General

File type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.332937021464225
TrID:
• Win64 Executable (generic) (12005/4) 74.80%
• Generic Win/DOS Executable (2004/3) 12.49%
• DOS Executable Generic (2002/1) 12.47%
• VXD Driver (31/22) 0.19%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: x64.exe
File size: 1145856
MD5: 5daea8be23ce520dbcce5a346e87de35
SHA1: ba0b53de1b9e9dfa44823ae5b3b9065282f47495
SHA256: a0ff195e6d1d6020a7072a692e08f0331a807ed5f4578135ea6c891363bd00f0
SHA512: 66f6c028ed769868f9e03d4309178f8d261df7145cf76be1fbcd593885bbf6084134c38ef6926e16fe2ab5f39a1aaa9ae79a78f7cb88eccccf51551c45b271f8
SSDEEP: 24576:xQs5eTN0PEqDGDgav6ARXu5x/g1DPvjThjl4j:v5eTNPqy6WuDgRPC
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..d...... /...... t....:......

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x100019d90
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x100000000
Subsystem: windows cui
Image File Characteristics: LOCAL_SYMS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks: 0x19110, 0x1
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 04a47624b9207c2cf7cd56d3b7246739

Entrypoint Preview

Instruction
  dec eax
  lea esp, dword ptr [esp-28h]
  mov byte ptr [00069734h], 00000001h
  mov eax, FFFFFFF6h
  mov ecx, eax
  call 00007F6DF4BC563Dh
  dec eax
  mov ecx, eax
  dec eax
  lea edx, dword ptr [000FF66Eh]
  call 00007F6DF4BC579Eh
  dec eax
  lea eax, dword ptr [00102252h]
  dec eax
  lea eax, dword ptr [0010223Bh]
  dec eax
  lea eax, dword ptr [0006A024h]
  call 00007F6DF4BDD7E4h
  nop
  dec eax
  lea esp, dword ptr [esp+28h]
  ret
  add byte ptr [eax], al
  add byte ptr [eax], al
  add byte ptr [eax], al
  add byte ptr [eax], al
  push ebx
  dec eax
  lea esp, dword ptr [esp-20h]
  dec eax
  mov ecx, 00000000h
  add byte ptr [eax], al
  add byte ptr [eax], al
  call 00007F6DF4BC5660h
  dec eax
  mov ebx, eax
  dec eax
  mov ecx, 00000000h
  add byte ptr [eax], al
  add byte ptr [eax], al
  call 00007F6DF4BC564Eh
  dec eax
  arpl word ptr [eax+3Ch], ax
  dec eax
  lea eax, dword ptr [ebx+eax]
  dec eax
  mov eax, dword ptr [eax+60h]
  nop
  dec eax
  lea esp, dword ptr [esp+20h]
  pop ebx
  ret
  add byte ptr [eax], al
  add byte ptr [eax], al
  add byte ptr [ebx+48h], dl
  lea esp, dword ptr [esp-20h]
  mov eax, 00000000h
  dec eax
  mov ecx, 01000000h
  add byte ptr [eax], al
  add byte ptr [eax], al
  call 00007F6DF4BDE2CBh
  dec eax
  mov ebx, eax
  dec eax
  mov eax, dword ptr [001004ECh]
  dec eax
  test eax, eax
  je 00007F6DF4BDE32Ch
  mov ecx, dword ptr [000FF411h]
  call eax
  jmp 00007F6DF4BDE329h
  dec eax
  lea eax, dword ptr [0000F40Eh]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11d000 | 0xf0 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x10f000 | 0x8c4c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x83df0 | 0x28 | .data
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11d6e8 | 0x5f8 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x81a80 | 0x81c00 | False | 0.396367714355 | data | 5.84819359996 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x83000 | 0x4a574 | 0x4a600 | False | 0.754648109244 | data | 7.37640332835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0xce000 | 0x40aa8 | 0x40c00 | False | 0.197703004344 | data | 4.33013793783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0x10f000 | 0x8c4c | 0x8e00 | False | 0.496121258803 | data | 5.82053257358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x118000 | 0x3ad8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.CRT | 0x11c000 | 0x28 | 0x200 | False | 0.03515625 | data | 0.0776331623432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x11d000 | 0x19de | 0x1a00 | False | 0.285306490385 | data | 4.25692671856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
advapi32.dll | CreateProcessWithLogonW, EnumServicesStatusA, OpenSCManagerA, AllocateAndInitializeSid, FreeSid, CloseServiceHandle, CheckTokenMembership
kernel32.dll | GetLastError, SetLastError, GetTickCount, ExitProcess, GetStartupInfoA, GetStdHandle, GetCommandLineA, GetCurrentProcessId, GetCurrentThreadId, GetCurrentProcess, ReadProcessMemory, GetModuleFileNameA, GetModuleHandleA, WriteFile, ReadFile, CloseHandle, SetFilePointer, SetEndOfFile, FreeLibrary, GetSystemInfo, LoadLibraryA, GetProcAddress, DeleteFileW, CreateFileW, GetFileAttributesW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, GetConsoleMode, GetConsoleOutputCP, GetOEMCP, GetProcessHeap, HeapAlloc, HeapFree, TlsAlloc, TlsGetValue, TlsSetValue, CreateThread, ExitThread, LocalAlloc, LocalFree, Sleep, SuspendThread, ResumeThread, TerminateThread, WaitForSingleObject, SetThreadPriority, GetThreadPriority, CreateEventA, ResetEvent, SetEvent, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, RaiseException, MultiByteToWideChar, WideCharToMultiByte, GetACP, GetConsoleCP, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlUnwindEx, EnumResourceTypesA, EnumResourceNamesA, EnumResourceLanguagesA, FindResourceA, FindResourceExA, LoadResource, SizeofResource, LockResource, FreeResource, GetEnvironmentStringsA, FreeEnvironmentStringsA, GetLogicalDriveStringsA, GetSystemDirectoryA, GetWindowsDirectoryA, CreateProcessA, GetVersionExA, CompareStringA, GetLocaleInfoA, GetDateFormatA, EnumCalendarInfoA, FormatMessageW, LoadLibraryW, GetModuleFileNameW, GetCommandLineW, FindFirstFileW, FindNextFileW, CompareStringW, GetLocaleInfoW, TerminateProcess, GetExitCodeProcess, FindClose, DuplicateHandle, GetLocalTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, CreatePipe, SetNamedPipeHandleState, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, GetThreadLocale, SetThreadLocale, GetUserDefaultLCID, SetConsoleTextAttribute
oleaut32.dll | SysAllocStringLen, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayRedim, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayGetElement, SafeArrayPutElement, SafeArrayPtrOfIndex, VariantChangeTypeEx, VariantClear, VariantCopy, VariantInit
user32.dll | MessageBoxA, CharUpperBuffW, CharLowerBuffW, CharUpperA, CharUpperBuffA, CharLowerA, CharLowerBuffA, GetSystemMetrics, MessageBeep
ole32.dll | CoUninitialize, CoCreateInstance, CLSIDFromProgID, CoInitialize, GetErrorInfo

wsock32.dll | closesocket, connect, ioctlsocket, htons, inet_addr, inet_ntoa, recv, send, socket, gethostbyaddr, gethostbyname, gethostname, WSAStartup, WSACleanup, WSAGetLastError
version.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
mpr.dll | WNetOpenEnumA, WNetEnumResourceA, WNetCloseEnum
ntdll.dll | RtlGetNtVersionNumbers
iphlpapi.dll | SendARP
ws2_32.dll | closesocket, connect, getsockopt, recv, send, setsockopt, , socket, WSAStartup, WSACleanup, WSAGetLastError

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• x64.exe
• conhost.exe
• cmd.exe
• whoami.exe
• cmd.exe
• powershell.exe
• cmd.exe
• whoami.exe
• findstr.exe


System Behavior

Analysis Process: x64.exe PID: 6720 Parent PID: 5692

General

Start time: 12:40:04
Start date: 06/11/2020
Path: C:\Users\user\Desktop\x64.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\x64.exe'
Imagebase: 0x100000000
File size: 1145856 bytes
MD5 hash: 5DAEA8BE23CE520DBCCE5A346E87DE35
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Recon_Commands_Windows_Gen1, Description: Detects a set of reconnaissance commands on Windows systems, Source: 00000000.00000002.276626953.00000001000CE000.00000002.00020000.sdmp, Author: Florian Roth
• Rule: Recon_Commands_Windows_Gen1, Description: Detects a set of reconnaissance commands on Windows systems, Source: 00000000.00000000.237038759.00000001000CE000.00000002.00020000.sdmp, Author: Florian Roth
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Written

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
\Device\ConDrv | unknown | 151 | 0d 0a 5b 2d 3e 5d 20 30 78 73 70 20 4d 6f 6e 67 6f 6f 73 65 20 57 69 6e 64 6f 77 73 20 52 65 64 20 32 2e 31 2e 30 28 78 36 34 29 20 0d 0a 5b 3e 5d 20 4c 61 77 72 65 6e 63 65 20 41 6d 65 72 28 40 7a 75 78 30 78 33 61 29 20 0d 0a 5b 3e 5d 20 68 74 74 70 73 3a 2f 2f 30 78 73 70 2e 63 6f 6d 0d 0a 0d 0a 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 0d 0a | ..[->] 0xsp Mongoose Windows Red 2.1.0(x64) ..[>] Lawrence Amer(@zux0x3a) ..[>] https://0xsp.com....^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^.. | success or wait | 1 | 1000163B6 | WriteFile
\Device\ConDrv | unknown | 38 | 5b 2b 5d 20 50 6f 77 65 72 53 68 65 6c 6c 20 53 74 61 74 75 73 20 3a 20 52 65 73 74 72 69 63 74 65 64 0d 0a 0d 0a | [+] PowerShell Status : Restricted.... | success or wait | 1 | 1000163B6 | WriteFile
\Device\ConDrv | unknown | 67 | 5b 2b 5d 20 69 73 20 69 74 20 76 75 6c 6e 65 72 61 62 6c 65 20 74 6f 20 52 6f 74 74 65 6e 20 4f 72 20 4a 75 63 69 79 20 50 6f 74 61 74 6f 20 3f 20 59 45 53 20 2c 20 56 75 6c 6e 65 72 61 62 6c 65 0d 0a | [+] is it vulnerable to Rotten Or Juciy Potato ? YES , Vulnerable.. | success or wait | 1 | 1000163B6 | WriteFile
\Device\ConDrv | unknown | 47 | 5b 2b 5d 20 43 75 72 72 65 6e 74 20 53 79 73 74 65 6d 20 50 61 74 68 20 3a 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 0d 0a | [+] Current System Path : C:\Windows\system32.. | success or wait | 1 | 1000163B6 | WriteFile
\Device\ConDrv | unknown | 46 | 5b 2b 5d 20 43 75 72 72 65 6e 74 20 55 73 65 72 20 20 3a 20 64 65 73 6b 74 6f 70 2d 37 31 36 74 37 37 31 5c 61 6c 66 6f 6e 73 0d 0a 0d 0a | [+] Current User : computer\user.... | success or wait | 1 | 1000163B6 | WriteFile
\Device\ConDrv | unknown | 31 | 5b 2a 5d 4d 61 6a 6f 72 20 76 65 72 73 69 6f 6e 20 3a 20 57 69 6e 64 6f 77 73 20 31 30 0d 0a | [*]Major version : Windows 10.. | success or wait | 1 | 1000163B6 | WriteFile
\Device\ConDrv | unknown | 22 | 5b 2a 5d 4d 69 6e 6f 72 20 76 65 72 73 69 6f 6e 20 3a 20 30 0d 0a | [*]Minor version : 0.. | success or wait | 1 | 1000163B6 | WriteFile
\Device\ConDrv | unknown | 26 | 5b 2a 5d 42 75 69 6c 64 20 20 6e 75 6d 62 65 72 20 3a 20 31 37 31 33 34 0d 0a | [*]Build number : 17134.. | success or wait | 1 | 1000163B6 | WriteFile
\Device\ConDrv | unknown | 31 | 5b 2a 5d 46 72 65 65 2f 43 68 65 63 6b 65 64 20 20 3a 20 46 72 65 65 20 62 75 69 6c 64 0d 0a | [*]Free/Checked : Free build.. | success or wait | 1 | 1000163B6 | WriteFile

File Read

Source File Path; Offset; Length; Completion; Count; Address; Symbol
unknown; unknown; 24; success or wait; 1; 100034798; ReadFile
unknown; unknown; 2048; success or wait; 1; 100034798; ReadFile
unknown; unknown; 2048; pipe broken; 1; 100034798; ReadFile
unknown; unknown; 714; success or wait; 1; 100034798; ReadFile

Analysis Process: conhost.exe PID: 6736 Parent PID: 6720

General

Start time: 12:40:04
Start date: 06/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: cmd.exe PID: 6788 Parent PID: 6720

General

Start time: 12:40:05
Start date: 06/11/2020
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c whoami
Imagebase: 0x7ff7eef80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: whoami.exe PID: 6812 Parent PID: 6788

General

Start time: 12:40:05
Start date: 06/11/2020
Path: C:\Windows\System32\whoami.exe
Wow64 process (32bit): false
Commandline: whoami
Imagebase: 0x7ff6cbb20000
File size: 70144 bytes
MD5 hash: AA18BE1AD24DE09417C1A7459F5C1701
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: cmd.exe PID: 6840 Parent PID: 6720

General

Start time: 12:40:06
Start date: 06/11/2020
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c powershell.exe 'Get-ExecutionPolicy ;stop-process -Id $PID' ;exit
Imagebase: 0x7ff7eef80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: powershell.exe PID: 6852 Parent PID: 6840

General

Start time: 12:40:06
Start date: 06/11/2020
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe 'Get-ExecutionPolicy ;stop-process -Id $PID' ;exit
Imagebase: 0x7ff617cb0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

Source File Path; Access; Attributes; Options; Completion; Count; Address; Symbol
C:\Users\user; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 1; 7FFA75B1F1E9; unknown
C:\Users\user\AppData\Roaming; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 1; 7FFA75B1F1E9; unknown
C:\Windows\system32\catroot; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 1; 7FFA71C603FC; unknown
C:\Windows\system32\catroot2; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 1; 7FFA71C603FC; unknown
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_qmxz4tuy.3o3.ps1; read attributes | synchronize | generic write; device; sequential only | synchronous io non alert | non directory file | open no recall; success or wait; 1; 7FFA74946FDD; CreateFileW
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_ev2ouhla.4oq.psm1; read attributes | synchronize | generic write; device; sequential only | synchronous io non alert | non directory file | open no recall; success or wait; 1; 7FFA74946FDD; CreateFileW
C:\Users\user\Documents\20201106; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; success or wait; 1; 7FFA7494F35D; CreateDirectoryW
C:\Users\user\Documents\20201106\PowerShell_transcript.549163.wJgmzCQx.20201106124007.txt; read attributes | synchronize | generic read | generic write; device; synchronous io non alert | non directory file | open no recall; success or wait; 1; 7FFA74946FDD; CreateFileW
C:\Windows\system32\catroot; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 8; 7FFA71C603FC; unknown
C:\Windows\system32\catroot2; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 9; 7FFA71C603FC; unknown
C:\Windows\system32\catroot2; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 1; 7FFA71C603FC; unknown
C:\Windows\system32\catroot; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 3; 7FFA71C603FC; unknown
C:\Windows\system32\catroot2; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 3; 7FFA71C603FC; unknown
C:\Windows\system32\catroot; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 1; 7FFA71C603FC; unknown
C:\Windows\system32\catroot2; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 1; 7FFA71C603FC; unknown
C:\Windows\system32\catroot; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 3; 7FFA71C603FC; unknown
C:\Windows\system32\catroot2; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 3; 7FFA71C603FC; unknown
C:\Windows\system32\catroot; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 1; 7FFA71C603FC; unknown
C:\Windows\system32\catroot2; read data or list directory | synchronize; device; directory file | synchronous io non alert | open for backup ident | open reparse point; object name collision; 1; 7FFA71C603FC; unknown

File Deleted

Source File Path; Completion; Count; Address; Symbol
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_qmxz4tuy.3o3.ps1; success or wait; 1; 7FFA7494F270; DeleteFileW
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_ev2ouhla.4oq.psm1; success or wait; 1; 7FFA7494F270; DeleteFileW

File Written

Source File Path; Offset; Length; Value (ASCII); Completion; Count; Address; Symbol
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_qmxz4tuy.3o3.ps1; unknown; 1; 1; success or wait; 1; 7FFA7494B526; WriteFile
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_ev2ouhla.4oq.psm1; unknown; 1; 1; success or wait; 1; 7FFA7494B526; WriteFile
C:\Users\user\Documents\20201106\PowerShell_transcript.549163.wJgmzCQx.20201106124007.txt; unknown; 3; ... (bytes ef bb bf); success or wait; 1; 7FFA7494B526; WriteFile
C:\Users\user\Documents\20201106\PowerShell_transcript.549163.wJgmzCQx.20201106124007.txt; unknown; 607; **********************..Windows PowerShell transcript start..Start time: 20201106124007..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 549163 (Microsoft Windows NT 10.0.17134.0)..Host Application: pow; success or wait; 6; 7FFA7494B526; WriteFile

File Read

C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 1 7FFA7494B526 ReadFile .PowerShell.Host\Microsoft.PowerShell.Host.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 end of file 1 7FFA7494B526 ReadFile .PowerShell.Host\Microsoft.PowerShell.Host.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 1 7FFA7494B526 ReadFile .PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 980 end of file 1 7FFA7494B526 ReadFile .PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 end of file 1 7FFA7494B526 ReadFile .PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 1 7FFA7494B526 ReadFile .PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 980 end of file 1 7FFA7494B526 ReadFile .PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 1 7FFA7494B526 ReadFile .PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 980 end of file 1 7FFA7494B526 ReadFile .PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 2 7FFA7494B526 ReadFile .PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 706 end of file 1 7FFA7494B526 ReadFile .PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 
C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 end of file 1 7FFA7494B526 ReadFile .PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 1 7FFA7494B526 ReadFile .PowerShell.Security\Microsoft.PowerShell.Security.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 end of file 1 7FFA7494B526 ReadFile .PowerShell.Security\Microsoft.PowerShell.Security.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 1 7FFA7494B526 ReadFile .PowerShell.Security\Microsoft.PowerShell.Security.psd1

Copyright null 2020 Page 25 of 27 Source File Path Offset Length Completion Count Address Symbol C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 end of file 1 7FFA7494B526 ReadFile .PowerShell.Security\Microsoft.PowerShell.Security.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 1 7FFA7494B526 ReadFile .PowerShell.Management\Microsoft.PowerShell.Management.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft unknown 534 end of file 1 7FFA7494B526 ReadFile .PowerShell.Management\Microsoft.PowerShell.Management.psd1

Analysis Process: cmd.exe PID: 5848 Parent PID: 6720

General

Start time: 12:40:20
Start date: 06/11/2020
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c whoami /priv |findstr 'SeImpersonatePrivilege seAssignPrimaryPrivilege SeDebugPrivilege SeLoadDriverPrivilege SeTcbPrivilege SeBackupPrivilege SeRestorePrivilege SeCreateTokenPrivilege SeTakeOwnershipPrivilege '
Imagebase: 0x7ff7eef80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: whoami.exe PID: 5460 Parent PID: 5848

General

Start time: 12:40:20
Start date: 06/11/2020
Path: C:\Windows\System32\whoami.exe
Wow64 process (32bit): false
Commandline: whoami /priv
Imagebase: 0x7ff6cbb20000
File size: 70144 bytes
MD5 hash: AA18BE1AD24DE09417C1A7459F5C1701
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: findstr.exe PID: 6228 Parent PID: 5848

General

Start time: 12:40:21
Start date: 06/11/2020
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: findstr 'SeImpersonatePrivilege seAssignPrimaryPrivilege SeDebugPrivilege SeLoadDriverPrivilege SeTcbPrivilege SeBackupPrivilege SeRestorePrivilege SeCreateTokenPrivilege SeTakeOwnershipPrivilege '
Imagebase: 0x7ff6988f0000
File size: 34304 bytes
MD5 hash: BCC8F29B929DABF5489C9BE6587FF66D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Read

File Path | Offset | Length | Completion | Count | Address | Symbol
stdin | unknown | 8192 | success or wait | 1 | 7FF6988F3AB7 | ReadFile
stdin | unknown | 8192 | pipe broken | 1 | 7FF6988F3C9E | ReadFile

Disassembly

Code Analysis
