ID: 111362 Sample Name: KIX32.EXE Cookbook: default.jbs Time: 10:11:50 Date: 19/02/2019 Version: 25.0.0 Tiger's Eye
Copyright Joe Security LLC 2019
Analysis Report KIX32.EXE
Overview
General Information
Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 111362
Start date: 19.02.2019
Start time: 10:11:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: KIX32.EXE
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus27.rans.winEXE@2/1@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 50% (good quality ratio 44.7%)
Quality average: 66.3%
Quality standard deviation: 31.5%
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Found application associated with file extension: .EXE
Warnings: Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
Detection
Strategy: Threshold
Score: 27
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Confidence
Strategy: Threshold
Score: 4
Range: 0 - 5
Further Analysis Required?: false
Classification
Classification graph (rendered image; categories shown): Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Legend: malicious, suspicious, clean
Analysis Advice
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Mitre Att&ck Matrix
Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Graphical User Interface 1; Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception
Defense Evasion: Process Injection 1; Indicator Removal on Host 1; Obfuscated Files or Information 2
Credential Access: Input Capture 1; Network Sniffing; Input Capture
Discovery: System Information Discovery 2 3; Application Window Discovery; Query Registry
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol 1; Fallback Channels; Custom Cryptographic Protocol
Signature Overview
• Spreading • Key, Mouse, Clipboard, Microphone and Screen Capturing • Spam, unwanted Advertisements and Ransom Demands • System Summary • Data Obfuscation • Persistence and Installation Behavior • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection • Remote Access Functionality
Spreading:
Contains functionality to enumerate / list files inside a directory
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Creates a DirectInput object (often for capturing keystrokes)
Spam, unwanted Advertisements and Ransom Demands:
Contains functionality to change the wallpaper
System Summary:
Contains functionality to shutdown / reboot the system
Creates mutexes
Detected potential crypto function
Found potential string decryption / allocating functions
Tries to load missing DLLs
Classification label
Contains functionality for error logging
Contains functionality to adjust token privileges (e.g. debug / backup)
Contains functionality to check free disk space
Contains functionality to instantiate COM classes
PE file has an executable .text section and no other executable section
Reads software policies
Spawns processes
Data Obfuscation:
Contains functionality to dynamically determine API calls
Uses code obfuscation techniques (call, push, ret)
Persistence and Installation Behavior:
Contains functionality to read ini properties file for application configuration
Hooking and other Techniques for Hiding and Protection:
Contains functionality to clear windows event logs (to hide its activities)
Malware Analysis System Evasion:
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Contains functionality to enumerate / list files inside a directory
Contains functionality to query system information
Anti Debugging:
Contains functionality to dynamically determine API calls
HIPS / PFW / Operating System Protection Evasion:
Contains functionality to simulate keystroke presses
Contains functionality to create a new security descriptor
May try to detect the Windows Explorer process (often used for injection)
Language, Device and Operating System Detection:
Contains functionality to query locale information (e.g. system language)
Contains functionality to query CPU information (cpuid)
Contains functionality to query local / system time
Contains functionality to query windows version
Remote Access Functionality:
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Behavior Graph
Behavior graph (rendered image): ID: 111362, Sample: KIX32.EXE, Startdate: 19/02/2019, Architecture: WINDOWS, Score: 27
KIX32.EXE (C, C++ or other language) started conhost.exe; signature shown on KIX32.EXE: Contains functionality to change the wallpaper
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious
Simulations
Behavior and APIs
No simulations
Antivirus Detection
Initial Sample
Source: KIX32.EXE, Detection: 0%, Scanner: virustotal
Source: KIX32.EXE, Detection: 0%, Scanner: metadefender
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Screenshots
Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Startup
System is w10x64
KIX32.EXE (PID: 4620 cmdline: 'C:\Users\user\Desktop\KIX32.EXE' MD5: B04F07D4737AB5CC459DA8C0AB2F5F6D)
conhost.exe (PID: 1832 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cleanup
Created / dropped Files
\Device\ConDrv
Process: C:\Users\user\Desktop\KIX32.EXE
File Type: ASCII text, with CRLF line terminators
Size (bytes): 443
Entropy (8bit): 4.9752427323550545
Encrypted: false
MD5: A06D12FD4950BDCF3EF2B1FB965376D7
SHA1: D2B3C2CC0F47DBB87CC040179EB9C6C5A8CDAC86
SHA-256: CA9C6AAAF5B8A3790315B40FB20F023B4B008885ECCE9FC297CEC1BC21E9DD73
SHA-512: B9291EC0CDE04EF89F93E6F844584D64600F797ED04456F702A42601C6903C7A6C56D3E20A31E14466BA92F21B8B2749F3861C739D117046303839826BA20038
Malicious: false
Reputation: low
Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos
Static File Info
General
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 6.146542976449072
TrID: Win32 Executable (generic) a (10002005/4) 99.83%; Windows Screen Saver (13104/52) 0.13%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: KIX32.EXE
File size: 241664
MD5: b04f07d4737ab5cc459da8c0ab2f5f6d
SHA1: 7c926e648f9a5d739755f063804be4d54a0a63b8
SHA256: 035e61f16a1082f4161a56019ffb1762b849e2b28dcaed6c717df1ca4cc6028e
SHA512: 51211d97454a8df52cffc2834cd2de9af20c88943c2dd5d552f508c085ef404a108c32863627dd58fa34be4fc7cbc801b0d94cb3b21261654b20b06814794846
SSDEEP: 3072:iDhF08Z9H2YkDb3vaQTVewEkwxI6pNh7D+heaavmZW7Y/EJPo8V63AdN58:iD8LYeDVZewTqhGEQ403AdN
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... `j|.3j|.3 j|.3.`.3`|.3.c.3k|.3.`.3w|.3.c.3.|.3j|.3n|.3
File Icon
Icon Hash: 00828e8e8686b000
Static PE Info
General
Entrypoint: 0x422378
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x3FAA6F29 [Thu Nov 6 15:56:25 2003 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 0ea4dad2297eedf71b3f279ec5fa2638
Entrypoint Preview
Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0042D4E0h
push 0041F54Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0042D1F8h]
xor edx, edx
mov dl, ah
mov dword ptr [0043A4B0h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0043A4ACh], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0043A4A8h], ecx
shr eax, 10h
mov dword ptr [0043A4A4h], eax
push 00000000h
call 00007F9B71B48D30h
pop ecx
test eax, eax
jne 00007F9B71B4668Ah
push 0000001Ch
call 00007F9B71B4671Fh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007F9B71B4B05Ch
call dword ptr [0042D1FCh]
mov dword ptr [0045440Ch], eax
call 00007F9B71B4D96Ch
mov dword ptr [0043A65Ch], eax
call 00007F9B71B4D715h
call 00007F9B71B4D657h
call 00007F9B71B43899h
mov eax, dword ptr [0043A4C0h]
mov dword ptr [0043A4C4h], eax
push eax
push dword ptr [0043A4B8h]
push dword ptr [0043A4B4h]
call 00007F9B71B26489h
add esp, 0Ch
mov dword ptr [ebp-1Ch], eax
push eax
call 00007F9B71B4389Eh
Rich Headers
Programming Language: [EXP] VC++ 6.0 SP5 build 8804
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e28c | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x56000 | 0x400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2d000 | 0x3cc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2b834 | 0x2c000 | False | 0.504283558239 | data | 6.4214339588 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2d000 | 0x2772 | 0x3000 | False | 0.361083984375 | data | 4.87872656335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x30000 | 0x25434 | 0xa000 | False | 0.309130859375 | data | 4.35474085074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x56000 | 0x400 | 0x1000 | False | 0.1201171875 | data | 1.0701788753 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x56060 | 0x39c | data | English | United States
Imports
NETAPI32.dll: Netbios
MPR.dll: WNetGetUserA, WNetOpenEnumA, WNetEnumResourceA, WNetCloseEnum, WNetCancelConnection2A, WNetUseConnectionA
WINMM.dll: PlaySoundA, sndPlaySoundA
KERNEL32.dll: CreateDirectoryA, GetFileAttributesA, FindFirstFileA, ReadFile, RemoveDirectoryA, CreateProcessA, SetEnvironmentVariableA, GetExitCodeProcess, WaitForSingleObject, Sleep, MultiByteToWideChar, Beep, SetConsoleCtrlHandler, FlushConsoleInputBuffer, SetConsoleCursorPosition, FillConsoleOutputAttribute, FillConsoleOutputCharacterA, GetConsoleScreenBufferInfo, SetConsoleTitleA, GetCurrentProcessId, GetConsoleTitleA, WriteConsoleW, SetConsoleMode, GetConsoleMode, WriteFile, SetConsoleTextAttribute, SetConsoleCursorInfo, GetConsoleCursorInfo, FreeLibrary, GetProcAddress, LocalFree, FormatMessageA, LoadLibraryExA, WriteProfileStringA, GetProfileStringA, WritePrivateProfileStringA, GetPrivateProfileStringA, GetCurrentThreadId, SetLastError, SetSystemPowerState, GetCurrentProcess, SetFilePointer, GlobalMemoryStatus, GetDiskFreeSpaceA, CompareFileTime, GetFileTime, FileTimeToDosDateTime, FindNextFileA, SystemTimeToFileTime, GetSystemTime, GetComputerNameA, GetSystemDirectoryA, GetShortPathNameA, GetEnvironmentVariableW, lstrcatW, lstrcpyW, SetSystemTime, SetLocalTime, GetUserDefaultLCID, GetSystemDefaultLCID, GetLocalTime, GetFullPathNameA, WideCharToMultiByte, LoadLibraryA, FlushFileBuffers, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, SetStdHandle, SetEndOfFile, RaiseException, GetStartupInfoA, SetHandleCount, GetOEMCP, GetACP, GetStringTypeW, GetStringTypeA, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetModuleHandleA, EnumSystemLocalesA, IsValidCodePage, FindClose, IsValidLocale, GetCPInfo, LCMapStringW, LCMapStringA, GetVersion, GetCommandLineA, HeapReAlloc, HeapAlloc, GetFileType, GetNumberOfConsoleInputEvents, PeekConsoleInputA, ReadConsoleInputA, HeapFree, TerminateProcess, MoveFileA, CopyFileA, SetCurrentDirectoryA, WriteConsoleA, GetStdHandle, ReadConsoleA, GetTickCount, GetVersionExA, GetLocaleInfoA, GetLastError, GetModuleFileNameA, GetEnvironmentVariableA, GetTempPathA, GetWindowsDirectoryA, CreateFileA, GetFileSize, CloseHandle, DeleteFileA, GetCurrentDirectoryA, SetFileAttributesA, GetSystemInfo, GetLocaleInfoW, ExitProcess, FileTimeToLocalFileTime, RtlUnwind
USER32.dll: RemoveMenu, ExitWindowsEx, SendMessageTimeoutA, ShowWindow, MapVirtualKeyA, FindWindowA, GetSystemMenu, CharToOemA, SetWindowPos, GetWindowRect, SetForegroundWindow, SendMessageA, SystemParametersInfoA, SetFocus, AttachThreadInput, VkKeyScanA, keybd_event, GetSystemMetrics, DdeClientTransaction, DdeDisconnect, DdeInitializeA, DdeCreateStringHandleA, DdeConnect, DdeFreeStringHandle, DdeUninitialize, OemToCharA, GetActiveWindow, EndDialog, SetTimer, MessageBoxA, KillTimer, EnumWindows, EnumChildWindows, GetWindowTextA, GetWindowThreadProcessId
WINSPOOL.DRV: AddPrinterConnectionA, DeletePrinterConnectionA
ADVAPI32.dll: RegDeleteKeyA, LookupAccountSidW, RegConnectRegistryA, RegLoadKeyA, RegUnLoadKeyA, RegQueryInfoKeyA, RegEnumKeyExA, RegSaveKeyA, GetSidIdentifierAuthority, GetSidSubAuthorityCount, GetSidSubAuthority, GetTokenInformation, RegEnumValueA, RegDeleteValueA, RegSetValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegQueryValueExA, AllocateAndInitializeSid, LookupAccountSidA, FreeSid, ClearEventLogA, OpenEventLogA, BackupEventLogA, RegisterEventSourceA, ReportEventA, DeregisterEventSource, InitiateSystemShutdownA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegRestoreKeyA, RegEnumKeyA
ole32.dll: BindMoniker, CLSIDFromProgID, OleInitialize, MkParseDisplayName, CreateBindCtx, OleBuildVersion, CoCreateInstance
OLEAUT32.dll: SafeArrayCreate, VariantChangeType, SafeArrayGetDim, SafeArrayPtrOfIndex, SysAllocStringLen, LHashValOfNameSys, SysAllocStringByteLen, VariantCopy, VariantClear, VariantInit, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayRedim, SysFreeString, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound
VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Version Infos
LegalCopyright: Copyright Ruud van Velsen 2003
InternalName: KIX32
FileVersion: 4, 22, 0, 0
CompanyName: Ruud van Velsen (Microsoft)
SpecialBuild: Build 139
LegalTrademarks:
Comments: KiXtart 2001 CareWare
ProductName: KiXtart 2001
ProductVersion: 4.22
FileDescription: KiXtart main executable
OriginalFilename: KIX32.EXE
Translation: 0x0409 0x04b0
Possible Origin
Language of compilation system: English
Country where language is spoken: United States
Map: (rendered image)
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
• KIX32.EXE • conhost.exe
System Behavior
Analysis Process: KIX32.EXE PID: 4620 Parent PID: 1896
General
Start time: 10:12:35
Start date: 19/02/2019
Path: C:\Users\user\Desktop\KIX32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\KIX32.EXE'
Imagebase: 0x400000
File size: 241664 bytes
MD5 hash: B04F07D4737AB5CC459DA8C0AB2F5F6D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
(no entries)
File Written
Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
\Device\ConDrv | unknown | 443 | 4b 69 58 74 61 72 74 20 32 30 30 31 20 34 2e 32 32 20 28 43 6f 70 79 72 69 67 68 74 20 52 75 75 64 20 76 61 6e 20 56 65 6c 73 65 6e 20 32 30 30 33 29 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 28 6c 6f 67 | KiXtart 2001 4.22 (Copyright Ruud van Velsen 2003)..Microsoft Windows (logon) script processor.....Note: KiXtart is CareWare, please consult the manual for full details..on distribution and licensing.....Usage : ....KIX32 [scr | success or wait | 1 | 42704C | WriteFile
Analysis Process: conhost.exe PID: 1832 Parent PID: 4620
General
Start time: 10:12:36
Start date: 19/02/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff601f50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Disassembly
Code Analysis