ID: 111362 Sample Name: KIX32.EXE Cookbook: default.jbs Time: 10:11:50 Date: 19/02/2019 Version: 25.0.0 Tiger's Eye Table of Contents

Table of Contents 2 Analysis Report KIX32.EXE 4 Overview 4 General Information 4 Detection 4 Confidence 4 Classification 5 Analysis Advice 5 Mitre Att&ck Matrix 6 Signature Overview 6 Spreading: 6 Key, Mouse, Clipboard, Microphone and Screen Capturing: 6 Spam, unwanted Advertisements and Ransom Demands: 6 System Summary: 6 Data Obfuscation: 7 Persistence and Installation Behavior: 7 Hooking and other Techniques for Hiding and Protection: 7 Analysis System Evasion: 7 Anti Debugging: 7 HIPS / PFW / Operating System Protection Evasion: 7 Language, Device and Operating System Detection: 7 Remote Access Functionality: 7 Behavior Graph 7 Simulations 8 Behavior and APIs 8 Antivirus Detection 8 Initial Sample 8 Dropped Files 8 Unpacked PE Files 8 Domains 8 URLs 8 Yara Overview 9 Initial Sample 9 PCAP (Network Traffic) 9 Dropped Files 9 Memory Dumps 9 Unpacked PEs 9 Joe Sandbox View / Context 9 IPs 9 Domains 9 ASN 9 JA3 Fingerprints 9 Dropped Files 9 Screenshots 9 Thumbnails 9 Startup 10 Created / dropped Files 10 Domains and IPs 11 Contacted Domains 11 Contacted IPs 11 Static File Info 11 General 11 File Icon 11 Static PE Info 11 General 11 Entrypoint Preview 12 Rich Headers 12 Data Directories 12 Sections 13

Copyright Joe Security LLC 2019 Page 2 of 16 Resources 13 Imports 13 Version Infos 14 Possible Origin 14 Network Behavior 14 Code Manipulations 14 Statistics 14 Behavior 14 System Behavior 15 Analysis Process: KIX32.EXE PID: 4620 Parent PID: 1896 15 General 15 File Activities 15 File Written 15 Analysis Process: conhost.exe PID: 1832 Parent PID: 4620 16 General 16 Disassembly 16 Code Analysis 16

Analysis Report KIX32.EXE

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 111362
Start date: 19.02.2019
Start time: 10:11:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: KIX32.EXE
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus27.rans.winEXE@2/1@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 50% (good quality ratio 44.7%)
Quality average: 66.3%
Quality standard deviation: 31.5%
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Found application associated with file extension: .EXE
Warnings: Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 27 0 - 100 Report FP / FN false

Confidence

Strategy Score Range Further Analysis Required? Confidence


Threshold 4 0 - 5 false

Classification

Classification chart (not reproduced): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean.

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Graphical User Interface 1; Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception
Defense Evasion: Process Injection 1; Indicator Removal on Host 1; Obfuscated Files or Information 2
Credential Access: Input Capture 1; Network Sniffing; Input Capture
Discovery: System Information Discovery 2 3; Application Window Discovery; Query Registry
Lateral Movement: Application Deployment; Remote Services; Windows Remote Management
Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol 1; Fallback Channels; Custom Cryptographic Protocol

Signature Overview

• Spreading
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• Spam, unwanted Advertisements and Ransom Demands
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Remote Access Functionality

Spreading:

Contains functionality to enumerate / list files inside a directory

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper

System Summary:

Contains functionality to shutdown / reboot the system

Creates mutexes

Detected potential crypto function

Found potential string decryption / allocating functions

Tries to load missing DLLs

Classification label

Contains functionality for error logging

Contains functionality to adjust token privileges (e.g. debug / backup)

Contains functionality to check free disk space

Contains functionality to instantiate COM classes

PE file has an executable .text section and no other executable section

Reads software policies

Spawns processes

Data Obfuscation:

Contains functionality to dynamically determine API calls

Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Contains functionality to read ini properties file for application configuration

Hooking and other Techniques for Hiding and Protection:

Contains functionality to clear windows event logs (to hide its activities)

Malware Analysis System Evasion:

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Contains functionality to enumerate / list files inside a directory

Contains functionality to query system information

Anti Debugging:

Contains functionality to dynamically determine API calls

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to simulate keystroke presses

Contains functionality to create a new security descriptor

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)

Contains functionality to query CPU information (cpuid)

Contains functionality to query local / system time

Contains functionality to query windows version

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Behavior Graph

Behavior graph (not reproduced; ID: 111362, Sample: KIX32.EXE, Startdate: 19/02/2019, Architecture: WINDOWS, Score: 27). Legend items: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious.

Graph content: KIX32.EXE (C, C++ or other language) started conhost.exe; attached signature: Contains functionality to change the wallpaper.

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source Detection Scanner Label
KIX32.EXE 0% virustotal
KIX32.EXE 0% metadefender

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
KIX32.EXE (PID: 4620, cmdline: 'C:\Users\user\Desktop\KIX32.EXE', MD5: B04F07D4737AB5CC459DA8C0AB2F5F6D)
    conhost.exe (PID: 1832, cmdline: C:\Windows\system32\conhost.exe 0x4, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cleanup

Created / dropped Files

\Device\ConDrv
Process: C:\Users\user\Desktop\KIX32.EXE
File Type: ASCII text, with CRLF line terminators
Size (bytes): 443
Entropy (8bit): 4.9752427323550545
Encrypted: false
MD5: A06D12FD4950BDCF3EF2B1FB965376D7
SHA1: D2B3C2CC0F47DBB87CC040179EB9C6C5A8CDAC86
SHA-256: CA9C6AAAF5B8A3790315B40FB20F023B4B008885ECCE9FC297CEC1BC21E9DD73
SHA-512: B9291EC0CDE04EF89F93E6F844584D64600F797ED04456F702A42601C6903C7A6C56D3E20A31E14466BA92F21B8B2749F3861C739D117046303839826BA20038
Malicious: false
Reputation: low

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 6.146542976449072
TrID: Win32 Executable (generic) a (10002005/4) 99.83%; Windows Screen Saver (13104/52) 0.13%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: KIX32.EXE
File size: 241664
MD5: b04f07d4737ab5cc459da8c0ab2f5f6d
SHA1: 7c926e648f9a5d739755f063804be4d54a0a63b8
SHA256: 035e61f16a1082f4161a56019ffb1762b849e2b28dcaed6c717df1ca4cc6028e
SHA512: 51211d97454a8df52cffc2834cd2de9af20c88943c2dd5d552f508c085ef404a108c32863627dd58fa34be4fc7cbc801b0d94cb3b21261654b20b06814794846
SSDEEP: 3072:iDhF08Z9H2YkDb3vaQTVewEkwxI6pNh7D+heaavmZW7Y/EJPo8V63AdN58:iD8LYeDVZewTqhGEQ403AdN
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... `j|.3j|.3 j|.3.`.3`|.3.c.3k|.3.`.3w|.3.c.3.|.3j|.3n|.3

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x422378
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x3FAA6F29 [Thu Nov 6 15:56:25 2003 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 0ea4dad2297eedf71b3f279ec5fa2638

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0042D4E0h
push 0041F54Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0042D1F8h]
xor edx, edx
mov dl, ah
mov dword ptr [0043A4B0h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0043A4ACh], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0043A4A8h], ecx
shr eax, 10h
mov dword ptr [0043A4A4h], eax
push 00000000h
call 00007F9B71B48D30h
pop ecx
test eax, eax
jne 00007F9B71B4668Ah
push 0000001Ch
call 00007F9B71B4671Fh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007F9B71B4B05Ch
call dword ptr [0042D1FCh]
mov dword ptr [0045440Ch], eax
call 00007F9B71B4D96Ch
mov dword ptr [0043A65Ch], eax
call 00007F9B71B4D715h
call 00007F9B71B4D657h
call 00007F9B71B43899h
mov eax, dword ptr [0043A4C0h]
mov dword ptr [0043A4C4h], eax
push eax
push dword ptr [0043A4B8h]
push dword ptr [0043A4B4h]
call 00007F9B71B26489h
add esp, 0Ch
mov dword ptr [ebp-1Ch], eax
push eax
call 00007F9B71B4389Eh

Rich Headers

Programming Language: [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name Virtual Address Virtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT 0x2e28c 0xdc .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE 0x56000 0x400 .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0
IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IAT 0x2d000 0x3cc .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0

Sections

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
.text 0x1000 0x2b834 0x2c000 False 0.504283558239 data 6.4214339588 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata 0x2d000 0x2772 0x3000 False 0.361083984375 data 4.87872656335 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data 0x30000 0x25434 0xa000 False 0.309130859375 data 4.35474085074 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc 0x56000 0x400 0x1000 False 0.1201171875 data 1.0701788753 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name RVA Size Type Language Country
RT_VERSION 0x56060 0x39c data English United States

Imports

DLL: Import
NETAPI32.dll: Netbios
MPR.dll: WNetGetUserA, WNetOpenEnumA, WNetEnumResourceA, WNetCloseEnum, WNetCancelConnection2A, WNetUseConnectionA
WINMM.dll: PlaySoundA, sndPlaySoundA
KERNEL32.dll: CreateDirectoryA, GetFileAttributesA, FindFirstFileA, ReadFile, RemoveDirectoryA, CreateProcessA, SetEnvironmentVariableA, GetExitCodeProcess, WaitForSingleObject, Sleep, MultiByteToWideChar, Beep, SetConsoleCtrlHandler, FlushConsoleInputBuffer, SetConsoleCursorPosition, FillConsoleOutputAttribute, FillConsoleOutputCharacterA, GetConsoleScreenBufferInfo, SetConsoleTitleA, GetCurrentProcessId, GetConsoleTitleA, WriteConsoleW, SetConsoleMode, GetConsoleMode, WriteFile, SetConsoleTextAttribute, SetConsoleCursorInfo, GetConsoleCursorInfo, FreeLibrary, GetProcAddress, LocalFree, FormatMessageA, LoadLibraryExA, WriteProfileStringA, GetProfileStringA, WritePrivateProfileStringA, GetPrivateProfileStringA, GetCurrentThreadId, SetLastError, SetSystemPowerState, GetCurrentProcess, SetFilePointer, GlobalMemoryStatus, GetDiskFreeSpaceA, CompareFileTime, GetFileTime, FileTimeToDosDateTime, FindNextFileA, SystemTimeToFileTime, GetSystemTime, GetComputerNameA, GetSystemDirectoryA, GetShortPathNameA, GetEnvironmentVariableW, lstrcatW, lstrcpyW, SetSystemTime, SetLocalTime, GetUserDefaultLCID, GetSystemDefaultLCID, GetLocalTime, GetFullPathNameA, WideCharToMultiByte, LoadLibraryA, FlushFileBuffers, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, SetStdHandle, SetEndOfFile, RaiseException, GetStartupInfoA, SetHandleCount, GetOEMCP, GetACP, GetStringTypeW, GetStringTypeA, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetModuleHandleA, EnumSystemLocalesA, IsValidCodePage, FindClose, IsValidLocale, GetCPInfo, LCMapStringW, LCMapStringA, GetVersion, GetCommandLineA, HeapReAlloc, HeapAlloc, GetFileType, GetNumberOfConsoleInputEvents, PeekConsoleInputA, ReadConsoleInputA, HeapFree, TerminateProcess, MoveFileA, CopyFileA, SetCurrentDirectoryA, WriteConsoleA, GetStdHandle, ReadConsoleA, GetTickCount, GetVersionExA, GetLocaleInfoA, GetLastError, GetModuleFileNameA, GetEnvironmentVariableA, GetTempPathA, GetWindowsDirectoryA, CreateFileA, GetFileSize, CloseHandle, DeleteFileA, GetCurrentDirectoryA, SetFileAttributesA, GetSystemInfo, GetLocaleInfoW, ExitProcess, FileTimeToLocalFileTime, RtlUnwind
USER32.dll: RemoveMenu, ExitWindowsEx, SendMessageTimeoutA, ShowWindow, MapVirtualKeyA, FindWindowA, GetSystemMenu, CharToOemA, SetWindowPos, GetWindowRect, SetForegroundWindow, SendMessageA, SystemParametersInfoA, SetFocus, AttachThreadInput, VkKeyScanA, keybd_event, GetSystemMetrics, DdeClientTransaction, DdeDisconnect, DdeInitializeA, DdeCreateStringHandleA, DdeConnect, DdeFreeStringHandle, DdeUninitialize, OemToCharA, GetActiveWindow, EndDialog, SetTimer, MessageBoxA, KillTimer, EnumWindows, EnumChildWindows, GetWindowTextA, GetWindowThreadProcessId
WINSPOOL.DRV: AddPrinterConnectionA, DeletePrinterConnectionA
ADVAPI32.dll: RegDeleteKeyA, LookupAccountSidW, RegConnectRegistryA, RegLoadKeyA, RegUnLoadKeyA, RegQueryInfoKeyA, RegEnumKeyExA, RegSaveKeyA, GetSidIdentifierAuthority, GetSidSubAuthorityCount, GetSidSubAuthority, GetTokenInformation, RegEnumValueA, RegDeleteValueA, RegSetValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegQueryValueExA, AllocateAndInitializeSid, LookupAccountSidA, FreeSid, ClearEventLogA, OpenEventLogA, BackupEventLogA, RegisterEventSourceA, ReportEventA, DeregisterEventSource, InitiateSystemShutdownA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegRestoreKeyA, RegEnumKeyA
ole32.dll: BindMoniker, CLSIDFromProgID, OleInitialize, MkParseDisplayName, CreateBindCtx, OleBuildVersion, CoCreateInstance
OLEAUT32.dll: SafeArrayCreate, VariantChangeType, SafeArrayGetDim, SafeArrayPtrOfIndex, SysAllocStringLen, LHashValOfNameSys, SysAllocStringByteLen, VariantCopy, VariantClear, VariantInit, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayRedim, SysFreeString, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound
VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Version Infos

Description: Data
LegalCopyright: Copyright Ruud van Velsen 2003
InternalName: KIX32
FileVersion: 4, 22, 0, 0
CompanyName: Ruud van Velsen (Microsoft)
SpecialBuild: Build 139
LegalTrademarks:
Comments: KiXtart 2001 CareWare
ProductName: KiXtart 2001
ProductVersion: 4.22
FileDescription: KiXtart main executable
OriginalFilename: KIX32.EXE
Translation: 0x0409 0x04b0

Possible Origin

Language of compilation system: English
Country where language is spoken: United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• KIX32.EXE
• conhost.exe

System Behavior

Analysis Process: KIX32.EXE PID: 4620 Parent PID: 1896

General

Start time: 10:12:35
Start date: 19/02/2019
Path: C:\Users\user\Desktop\KIX32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\KIX32.EXE'
Imagebase: 0x400000
File size: 241664 bytes
MD5 hash: B04F07D4737AB5CC459DA8C0AB2F5F6D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path: \Device\ConDrv
Offset: unknown
Length: 443
Ascii: KiXtart 2001 4.22 (Copyright Ruud van Velsen 2003)..Microsoft Windows (logon) script processor.....Note: KiXtart is CareWare, please consult the manual for full details..on distribution and licensing.....Usage : ....KIX32 [script1] [...] [$var=123] [/f[:y
Completion: success or wait
Count: 1
Address: 42704C
Symbol: WriteFile

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: conhost.exe PID: 1832 Parent PID: 4620

General

Start time: 10:12:36
Start date: 19/02/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff601f50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
