ID: 295709
Sample Name: RFQ.exe
Cookbook: default.jbs
Time: 11:10:56
Date: 09/10/2020
Version: 30.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report RFQ.exe 4
Overview 4
General Information 4
Detection 4
Signatures 4
Classification 4
Startup 5
Malware Configuration 5
Yara Overview 5
Memory Dumps 5
Unpacked PEs 6
Sigma Overview 6
Signature Overview 6
AV Detection: 6
Networking: 6
System Summary: 6
Data Obfuscation: 7
Malware Analysis System Evasion: 7
HIPS / PFW / Operating System Protection Evasion: 7
Stealing of Sensitive Information: 7
Remote Access Functionality: 7
Mitre Att&ck Matrix 7
Behavior Graph 8
Screenshots 8
Thumbnails 8
Antivirus, Machine Learning and Genetic Malware Detection 9
Initial Sample 9
Dropped Files 9
Unpacked PE Files 9
Domains 9
URLs 9
Domains and IPs 11
Contacted Domains 11
Contacted URLs 11
URLs from Memory and Binaries 11
Contacted IPs 14
Public 14
General Information 14
Simulations 16
Behavior and APIs 16
Joe Sandbox View / Context 16
IPs 16
Domains 16
ASN 17
JA3 Fingerprints 17
Dropped Files 17
Created / dropped Files 17
Static File Info 18
General 18
File Icon 19
Static PE Info 19
General 19
Entrypoint Preview 19
Data Directories 21
Sections 21

Copyright null 2020 Page 2 of 34

Resources 21
Imports 21
Version Infos 21
Network Behavior 22
Network Port Distribution 22
TCP Packets 22
UDP Packets 22
DNS Queries 23
DNS Answers 23
HTTP Request Dependency Graph 24
HTTP Packets 24
Code Manipulations 25
Statistics 25
Behavior 25
System Behavior 25
Analysis Process: RFQ.exe PID: 3148 Parent PID: 5684 25
General 25
File Activities 26
File Created 26
File Read 26
Registry Activities 27
Key Created 27
Analysis Process: .exe PID: 5284 Parent PID: 3148 27
General 27
File Activities 28
File Created 28
File Deleted 28
File Written 28
File Read 30
Analysis Process: conhost.exe PID: 6180 Parent PID: 5284 33
General 33
Disassembly 33
Code Analysis 33

Analysis Report RFQ.exe

Overview

General Information

Sample Name: RFQ.exe
Analysis ID: 295709
MD5: e483f3e062560f3…
SHA1: 29be5983a4575f2…
SHA256: 2d9767641256c4…
Tags: exe
Most interesting Screenshot:

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through …
Multi AV Scanner detection for subm…
Yara detected AntiVM_3
Yara detected MassLogger RAT
.NET source code contains potentia…
Adds a directory exclusion to Windo…
Machine Learning detection for samp…
May check the online IP address of …
Queries sensitive video device inform…
Tries to detect sandboxes and other …
Tries to harvest and steal browser in…
Tries to steal Mail credentials (via fil…
Yara detected Costura Assembly Lo…
AV process strings found (often use…
Checks if Antivirus/Antispyware/Fire…
Checks if the current process is bein…
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often fo…
Creates a process in suspended mo…
Detected potential crypto function
Enables debug privileges
Found a high number of Window / Us…
HTTP GET or POST without a user …
IP address seen in connection with o…
May sleep (evasive loops) to hinder …
Monitors certain registry keys / valu…
PE file contains strange resources
Queries sensitive processor informa…
Queries the product ID of Windows
Queries the volume information (nam…
Sample execution stops while proce…
Sample file is different than original …
Yara signature match

Classification

Classification radar (chart image not rendered). Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious, suspicious, clean.

Startup

System is w10x64

RFQ.exe (PID: 3148 cmdline: 'C:\Users\user\Desktop\RFQ.exe' MD5: E483F3E062560F3BFC1E1B6BF258AF69)
  powershell.exe (PID: 5284 cmdline: 'powershell' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.503999630.0000000004FEB000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | 0xbcd48:$op1: 04 1E FE 02 04 16 FE 01 60; 0xbcc0b:$op2: 00 17 03 1F 20 17 19 15 28; 0xbd574:$op3: 00 04 03 69 91 1B 40; 0xbe7a1:$op3: 00 04 03 69 91 1B 40
00000000.00000002.503999630.0000000004FEB000.00000004.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000000.00000002.509144159.0000000007FB0000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | 0xa00:$op1: 04 1E FE 02 04 16 FE 01 60; 0x8c3:$op2: 00 17 03 1F 20 17 19 15 28; 0x122c:$op3: 00 04 03 69 91 1B 40; 0x2459:$op3: 00 04 03 69 91 1B 40
00000000.00000002.509144159.0000000007FB0000.00000004.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
Process Memory Space: RFQ.exe PID: 3148 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.RFQ.exe.7fb0000.5.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
0.2.RFQ.exe.7fb0000.5.raw.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | 0xa00:$op1: 04 1E FE 02 04 16 FE 01 60; 0x8c3:$op2: 00 17 03 1F 20 17 19 15 28; 0x122c:$op3: 00 04 03 69 91 1B 40; 0x2459:$op3: 00 04 03 69 91 1B 40
0.2.RFQ.exe.7fb0000.5.raw.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality


AV Detection:

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Networking:

May check the online IP address of the machine

System Summary:

Malicious sample detected (through community Yara rule)

Data Obfuscation:

.NET source code contains potential unpacker

Yara detected Costura Assembly Loader

Malware Analysis System Evasion:

Yara detected AntiVM_3

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Stealing of Sensitive Information:

Yara detected MassLogger RAT

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Remote Access Functionality:

Yara detected MassLogger RAT

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Management Instrumentation 1 2 1 | Path Interception | Process Injection 1 2 | Masquerading 1 | OS Credential Dumping 1 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 4 | Input Capture 1 | Security Software Discovery 2 4 1 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 4 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Non-Application Layer Protocol 2
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 2 | NTDS | Process Discovery 2 | Distributed Component Object Model | Data from Local System 1 | Scheduled Transfer | Application Layer Protocol 2
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 2 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Network Configuration Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 2 5 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol

Behavior Graph

Behavior graph (graph image not rendered; only the node, edge and legend labels survived extraction).

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Graph header: ID: 295709, Sample: RFQ.exe, Startdate: 09/10/2020, Architecture: WINDOWS, Score: 100

Process nodes and edges: RFQ.exe (node counts 15, 2) started powershell.exe (node count 25); powershell.exe started conhost.exe

Signature nodes: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected MassLogger RAT; 7 other signatures; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Adds a directory exclusion to Windows Defender

Network nodes: elb097307-934924932.us-east-1.elb.amazonaws.com; 54.235.83.248, 49733, 80, nagano-19599.herokussl.com, AMAZON-AESUS, United States; .ipify.org

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
RFQ.exe | 17% | ReversingLabs | Win32.Trojan.Generic |
RFQ.exe | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
www.founder.com.cn/cn/bThe | 1% | Virustotal | |
www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com | 54.235.83.248 | true | false | | high
api.ipify.org | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
api.ipify.org/ | false | | high

URLs from Memory and Binaries


Contacted IPs


Public

IP | Country | Flag | ASN | ASN Name | Malicious
54.235.83.248 | United States | | 14618 | AMAZON-AESUS | false

General Information

Joe Sandbox Version: 30.0.0 Red Diamond

Analysis ID: 295709
Start date: 09.10.2020
Start time: 11:10:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RFQ.exe
Cookbook file name: default.jbs
Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/4@2/1
EGA Information: Failed
HDC Information: Successful, ratio: 0.2% (good quality ratio 0.1%); Quality average: 51%; Quality standard deviation: 32.8%
HCA Information: Successful, ratio: 99%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
  Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
  Excluded IPs from analysis (whitelisted): 52.255.148.73, 13.88.21.125, 51.104.144.132, 80.239.148.32, 80.239.152.136, 92.122.144.200, 67.27.157.126, 67.26.139.254, 8.248.133.254, 8.248.115.254, 8.248.147.254, 51.103.5.159, 51.104.139.180, 20.54.26.129
  Excluded domains from analysis (whitelisted): client.wns.windows.com, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus07.cloudapp.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, par02p.wns.notify.windows.com.akadns.net, umwatsonrouting.trafficmanager.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
  Report size getting too big, too many NtAllocateVirtualMemory calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
11:11:52 | API Interceptor | 873x Sleep call for process: RFQ.exe modified
11:12:13 | API Interceptor | 43x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs


Domains

Match: elb097307-934924932.us-east-1.elb.amazonaws.com

Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Draft_Shipping Instruction,PDF.exe | Get hash | malicious | Browse | 174.129.214.20
sSEwBGBodS.exe | Get hash | malicious | Browse | 23.21.252.4
YT9LAdcY75.exe | Get hash | malicious | Browse | 54.204.14.42
IMG_000924677656765_0025676544.exe | Get hash | malicious | Browse | 23.21.126.66
REMITTANCE REFERENCE COPY - 20201008#U007ePDF.exe | Get hash | malicious | Browse | 54.204.14.42
Shipping Document PL&BL Draft.exe | Get hash | malicious | Browse | 54.204.14.42
20201008.exe | Get hash | malicious | Browse | 54.235.83.248
AGENT APPOINTMENT.xlsm | Get hash | malicious | Browse | 54.235.169.38
Interested items with pictures, specification & Quantity#U007ePDF.exe | Get hash | malicious | Browse | 23.21.126.66
SD94598686_pdf.exe | Get hash | malicious | Browse | 54.225.195.221
TNT Original Invoice.exe | Get hash | malicious | Browse | 23.21.126.66
38756363po78656.exe | Get hash | malicious | Browse | 50.19.252.36
Tact 08_10_2020 FAC-1&2.exe | Get hash | malicious | Browse | 23.21.109.69
3cEEOFOFHe.exe | Get hash | malicious | Browse | 23.21.252.4
BILL OF LANDING DRAFT COMMERCIAL INVOICE & ISO CERTIFICATE PO-RTM54379326.PDF.exe | Get hash | malicious | Browse | 184.73.247.141
Payment copy SOA.exe | Get hash | malicious | Browse | 54.235.169.38
payment Invoice.exe | Get hash | malicious | Browse | 54.235.169.38
#U00dcR#U00dcN KATALO#U011eU TALEB#U0130.exe | Get hash | malicious | Browse | 54.235.169.38
Order_List_PO# 081928.pdf.exe | Get hash | malicious | Browse | 54.235.83.248
2020-10-08_22-34-41.exe | Get hash | malicious | Browse | 54.235.83.248

ASN

Match: AMAZON-AESUS

Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Draft_Shipping Instruction,PDF.exe | Get hash | malicious | Browse | 174.129.214.20
club.chicacircle.com | Get hash | malicious | Browse | 54.173.186.55
sSEwBGBodS.exe | Get hash | malicious | Browse | 23.21.252.4
YT9LAdcY75.exe | Get hash | malicious | Browse | 54.204.14.42
IMG_000924677656765_0025676544.exe | Get hash | malicious | Browse | 23.21.126.66
https://au-admin.eventscloud.com/emarketing/go.php?i=100320678&e=amFja2llLmV2ZXJpdHRAYWpnLmNvbS5hdQ==&l=https://au.eventscloud.com/ehome/100204501|A| | Get hash | malicious | Browse | 107.22.223.92
REMITTANCE REFERENCE COPY - 20201008#U007ePDF.exe | Get hash | malicious | Browse | 54.204.14.42
New Purchase Order 50,689$.exe | Get hash | malicious | Browse | 3.233.171.147
Shipping Document PL&BL Draft.exe | Get hash | malicious | Browse | 54.204.14.42
20201008.exe | Get hash | malicious | Browse | 54.235.83.248
AGENT APPOINTMENT.xlsm | Get hash | malicious | Browse | 54.235.169.38
Interested items with pictures, specification & Quantity#U007ePDF.exe | Get hash | malicious | Browse | 23.21.126.66
SD94598686_pdf.exe | Get hash | malicious | Browse | 54.225.195.221
simplehat.clicker.apk | Get hash | malicious | Browse | 52.203.218.184
202010074 - AccountStatements502 - Holt.html | Get hash | malicious | Browse | 18.209.113.161
TNT Original Invoice.exe | Get hash | malicious | Browse | 23.21.126.66
Document2-85.exe | Get hash | malicious | Browse | 3.235.164.215
38756363po78656.exe | Get hash | malicious | Browse | 50.19.252.36
x56T6i1VaX.exe | Get hash | malicious | Browse | 54.162.201.128
Tact 08_10_2020 FAC-1&2.exe | Get hash | malicious | Browse | 23.21.109.69

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Size (bytes): 22164
Entropy (8bit): 5.605188272930951
Encrypted: false
MD5: 22DC9B33D4236B58EC4AB781CFBE54A1
SHA1: E478991E5266CE9B3ABC55AE9879AA158270CD89
SHA-256: 0119E557B4C37CC1DFD7828AF495282BE183DC7B7C00257F0C4CF1BC5279A1E2
SHA-512: 8B22673E150EA738785B7F073E138389ABE15C8A0CE37335651F68A90B36CED024EB7CECC48269C7FA77C432E4F459DE971C2EDE952A91B62CF67A0F829D4098
Malicious: false
Reputation: low
Preview: @...e...... ]...... `...... R...... H...... <@.^.L."My...::...... Microsoft.PowerShell.ConsoleHostD...... fZve...F.....x.)...... System.Management.Automation4...... [...{a.C..%6..h...... System.Core.0...... G-.o...A...4B...... System..4...... Zg5..:O..g..q...... System.Xml..L...... 7.....J@...... ~...... #.Microsoft.Management.Infrastructure.8...... '....L..}...... System.Numerics.@...... Lo...QN...... ..m...... System.Transactions.<...... ):gK..G...$.1.q...... System.ConfigurationP...... /.C..J..%...]...... %.Microsoft.PowerShell.Commands.Utility...D...... -.D.F.<;.nt.1...... System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ko345qzo.t3c.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vuejk1fd.n3x.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

C:\Users\user\Documents\20201009\PowerShell_transcript.928100.dM25s6_K.20201009111211.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 5512
Entropy (8bit): 5.391427342346374
Encrypted: false
MD5: F4BD347A1CC22392438FA845B197272E
SHA1: 285B31688697C1ACBF1D98926E9C9B1A336DFF90
SHA-256: E0AF8F59195D8BC6622CCB67F64C18F224A3BFE80FD4E725A6F7E4F7A8138E5A
SHA-512: 04113A7B13DB26B92EEC02E436ED397CEF69AEDB22D36A538955DB68C1832C2EE8842B7398621F9DE5C98132AC7068B9D8FE07291A59D32E95889EBE787AE2C0
Malicious: false
Reputation: low
Preview: .**********************..Windows PowerShell transcript start..Start time: 20201009111213..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ.exe'..Process ID: 5284..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201009111213..**********************..PS>Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ.exe'..**********************..Windows PowerShell transcript start..Start time: 20201009111217..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134

Static File Info

General
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.644190818198052
TrID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%; Win32 Executable (generic) a (10002005/4) 49.97%; Generic Win/DOS Executable (2004/3) 0.01%; DOS Executable Generic (2002/1) 0.01%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: RFQ.exe
File size: 1106432
MD5: e483f3e062560f3bfc1e1b6bf258af69
SHA1: 29be5983a4575f2e6f0cf5ec8692413af660521b
SHA256: 2d9767641256c44bceb6d6c684e76d72245750d1174408ef34e5d35185d4cadb
SHA512: 8735ea545801b0591d3395c97bcd0c42b814ad336afdd045cd6d396ee7bccb517ee23f626bafdae58db05acf216a5266359b8e091b1d5d7d3d51ca103102f0af
SSDEEP: 24576:e1Tq1WIPm4mJJYiLoZv+PPRaysgK9V5s:OTqdKJ2hJ+3RUzC
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L...... _...... ^...... >}...... @...... @......

File Icon

Icon Hash: 0d1509265a660701

Static PE Info

General
Entrypoint: 0x4d7d3e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5F7FBCF6 [Fri Oct 9 01:29:26 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd7ce4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd8000 | 0x38000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x110000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd5d44 | 0xd5e00 | False | 0.972918797487 | data | 7.97244782832 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xd8000 | 0x38000 | 0x38000 | False | 0.134416852679 | data | 4.81563597364 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x110000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xd81f0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0xd8658 | 0x988 | data | |
RT_ICON | 0xd8fe0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_ICON | 0xda088 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_ICON | 0xdc630 | 0x3334c | data | |
RT_GROUP_ICON | 0x10f97c | 0x4c | data | |
RT_VERSION | 0x10f9c8 | 0x3e0 | data | |
RT_MANIFEST | 0x10fda8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Microsoft Corporation. All rights reserved.
Assembly Version | 9.9.0.1
InternalName | jP.exe
FileVersion | 9.09.0.1
CompanyName | Microsoft Corporation
LegalTrademarks |
Comments | Microsoft Managed D3DX
ProductName | Microsoft.DirectX.Direct3DX
ProductVersion | 9.09.0.1
FileDescription | Microsoft.DirectX.Direct3DX
OriginalFilename | jP.exe

Network Behavior

Network Port Distribution

Total Packets: 24
• 53 (DNS)
• 80 (HTTP)

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 9, 2020 11:12:08.808037043 CEST | 49733 | 80 | 192.168.2.3 | 54.235.83.248
Oct 9, 2020 11:12:09.023650885 CEST | 80 | 49733 | 54.235.83.248 | 192.168.2.3
Oct 9, 2020 11:12:09.024049044 CEST | 49733 | 80 | 192.168.2.3 | 54.235.83.248
Oct 9, 2020 11:12:09.026232004 CEST | 49733 | 80 | 192.168.2.3 | 54.235.83.248
Oct 9, 2020 11:12:09.201559067 CEST | 80 | 49733 | 54.235.83.248 | 192.168.2.3
Oct 9, 2020 11:12:09.201626062 CEST | 80 | 49733 | 54.235.83.248 | 192.168.2.3
Oct 9, 2020 11:12:09.419729948 CEST | 49733 | 80 | 192.168.2.3 | 54.235.83.248
Oct 9, 2020 11:13:08.430923939 CEST | 80 | 49733 | 54.235.83.248 | 192.168.2.3
Oct 9, 2020 11:13:08.431323051 CEST | 49733 | 80 | 192.168.2.3 | 54.235.83.248
Oct 9, 2020 11:13:49.242296934 CEST | 49733 | 80 | 192.168.2.3 | 54.235.83.248
Oct 9, 2020 11:13:49.345386028 CEST | 80 | 49733 | 54.235.83.248 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 9, 2020 11:11:39.876719952 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:11:39.909558058 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:11:40.752698898 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:11:40.785290956 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:11:41.473745108 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:11:41.498163939 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:11:42.198786020 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:11:42.223133087 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:11:43.480302095 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:11:43.512715101 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:11:44.341101885 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:11:44.365281105 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:11:45.050685883 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:11:45.074919939 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:11:46.121565104 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:11:46.145813942 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:11:46.912383080 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:11:46.936734915 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:12:02.080467939 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:12:02.104813099 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:12:08.724162102 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:12:08.749577999 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:12:08.762809038 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:12:08.787529945 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:12:08.825228930 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:12:08.867876053 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:12:15.749783039 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:12:15.782382011 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:12:29.470088959 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:12:29.494463921 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:12:30.631263971 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:12:30.663768053 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:12:32.455601931 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:12:32.480470896 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Oct 9, 2020 11:12:49.862576008 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Oct 9, 2020 11:12:49.895761967 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 9, 2020 11:12:08.724162102 CEST | 192.168.2.3 | 8.8.8.8 | 0x9e60 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.762809038 CEST | 192.168.2.3 | 8.8.8.8 | 0x5406 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 9, 2020 11:12:08.749577999 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e60 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | | CNAME (Canonical name) | IN (0x0001)
Oct 9, 2020 11:12:08.749577999 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e60 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Oct 9, 2020 11:12:08.749577999 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e60 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.83.248 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.749577999 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e60 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.169.28 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.749577999 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e60 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.21.126.66 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.749577999 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e60 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 184.73.247.141 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.749577999 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e60 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.252.36 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.749577999 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e60 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.195.221 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.749577999 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e60 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 174.129.214.20 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.749577999 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e60 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.182.194 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.787529945 CEST | 8.8.8.8 | 192.168.2.3 | 0x5406 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | | CNAME (Canonical name) | IN (0x0001)
Oct 9, 2020 11:12:08.787529945 CEST | 8.8.8.8 | 192.168.2.3 | 0x5406 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Oct 9, 2020 11:12:08.787529945 CEST | 8.8.8.8 | 192.168.2.3 | 0x5406 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 184.73.247.141 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.787529945 CEST | 8.8.8.8 | 192.168.2.3 | 0x5406 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.182.194 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.787529945 CEST | 8.8.8.8 | 192.168.2.3 | 0x5406 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.21.252.4 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.787529945 CEST | 8.8.8.8 | 192.168.2.3 | 0x5406 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 174.129.214.20 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.787529945 CEST | 8.8.8.8 | 192.168.2.3 | 0x5406 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.66.103 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.787529945 CEST | 8.8.8.8 | 192.168.2.3 | 0x5406 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.252.36 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.787529945 CEST | 8.8.8.8 | 192.168.2.3 | 0x5406 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.83.248 | A (IP address) | IN (0x0001)
Oct 9, 2020 11:12:08.787529945 CEST | 8.8.8.8 | 192.168.2.3 | 0x5406 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.169.38 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

api.ipify.org

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49733 | 54.235.83.248 | 80 | C:\Users\user\Desktop\RFQ.exe

Timestamp: Oct 9, 2020 11:12:09.026232004 CEST
kBytes transferred: 188
Direction: OUT
Data:
GET / HTTP/1.1
Host: api.ipify.org
Connection: Keep-Alive

Timestamp: Oct 9, 2020 11:12:09.201626062 CEST
kBytes transferred: 189
Direction: IN
Data:
HTTP/1.1 200 OK
Server: Cowboy
Connection: keep-alive
Content-Type: text/plain
Vary: Origin
Date: Fri, 09 Oct 2020 09:12:09 GMT
Content-Length: 11
Via: 1.1 vegur
Data Raw: 38 34 2e 31 37 2e 35 32 2e 31 30
Data Ascii: 84.17.52.10

Code Manipulations

Statistics

Behavior

• RFQ.exe
• powershell.exe
• conhost.exe


System Behavior

Analysis Process: RFQ.exe PID: 3148 Parent PID: 5684

General

Start time: 11:11:45
Start date: 09/10/2020
Path: C:\Users\user\Desktop\RFQ.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\RFQ.exe'
Imagebase: 0xca0000
File size: 1106432 bytes
MD5 hash: E483F3E062560F3BFC1E1B6BF258AF69
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000002.503999630.0000000004FEB000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.503999630.0000000004FEB000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000002.509144159.0000000007FB0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.509144159.0000000007FB0000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

File Activities

File Created

File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user | read data or list directory | synchronize | device | directory file | synchronous io non alert | open for backup ident | open reparse point | object name collision | 1 | 6E11CF06 | unknown
C:\Users\user\AppData\Roaming | read data or list directory | synchronize | device | directory file | synchronous io non alert | open for backup ident | open reparse point | object name collision | 1 | 6E11CF06 | unknown

File Read

File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux | unknown | 176 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E0FCA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6E0FCA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6E0FCA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6E0FCA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6E0FCA54 | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux | unknown | 864 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 2 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4121 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4253 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 8171 | end of file | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 2 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 2 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data | unknown | 40960 | success or wait | 1 | 6CF61B4F | ReadFile

Registry Activities

Key Created

Key Path | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\17.0\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\17.0\Outlook\Profiles | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\18.0 | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\18.0\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\18.0\Outlook\Profiles | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\19.0 | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\19.0\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\19.0\Outlook\Profiles | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\20.0 | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\20.0\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\20.0\Outlook\Profiles | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles | success or wait | 1 | 6CF65F3C | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 | success or wait | 1 | 6CF65F3C | RegCreateKeyExW


Analysis Process: powershell.exe PID: 5284 Parent PID: 3148

General

Start time: 11:12:10
Start date: 09/10/2020
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'powershell' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ.exe'
Imagebase: 0x830000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 6E11CF06 | unknown
C:\Users\user\AppData\Roaming | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 6E11CF06 | unknown
C:\Windows\system32\catroot | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 6CEC5B28 | unknown
C:\Windows\system32\catroot2 | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 6CEC5B28 | unknown
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_ko345qzo.t3c.ps1 | read attributes, synchronize, generic write | device | sequential only, synchronous io non alert, non directory file, open no recall | success or wait | 1 | 6CF61E60 | CreateFileW
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_vuejk1fd.n3x.psm1 | read attributes, synchronize, generic write | device | sequential only, synchronous io non alert, non directory file, open no recall | success or wait | 1 | 6CF61E60 | CreateFileW
C:\Users\user\Documents\20201009 | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | success or wait | 1 | 6CF6BEFF | CreateDirectoryW
C:\Users\user\Documents\20201009\PowerShell_transcript.928100.dM25s6_K.20201009111211.txt | read attributes, synchronize, generic read, generic write | device | synchronous io non alert, non directory file, open no recall | success or wait | 1 | 6CF61E60 | CreateFileW

File Deleted

File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_ko345qzo.t3c.ps1 | success or wait | 1 | 6CF66A95 | DeleteFileW
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_vuejk1fd.n3x.psm1 | success or wait | 1 | 6CF66A95 | DeleteFileW

File Written

File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_ko345qzo.t3c.ps1 | unknown | 1 | 31 | 1 | success or wait | 1 | 6CF61B4F | WriteFile
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_vuejk1fd.n3x.psm1 | unknown | 1 | 31 | 1 | success or wait | 1 | 6CF61B4F | WriteFile
C:\Users\user\Documents\20201009\PowerShell_transcript.928100.dM25s6_K.20201009111211.txt | unknown | 3 | ef bb bf | ... | success or wait | 1 | 6CF61B4F | WriteFile
C:\Users\user\Documents\20201009\PowerShell_transcript.928100.dM25s6_K.20201009111211.txt | unknown | 617 | (hex dump omitted) | **********************..Windows PowerShell transcript start..Start time: 20201009111213..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: power | success or wait | 44 | 6CF61B4F | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 64 | (hex dump omitted) | @...e...... ]...... ..`...... R...... | success or wait | 1 | 6E3E76FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 40 | (hex dump omitted) | H...... <@.^...L."My.. .::...... | success or wait | 17 | 6E3E76FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 32 | 4d 69 63 72 6f 73 6f 66 74 2e 50 6f 77 65 72 53 68 65 6c 6c 2e 43 6f 6e 73 6f 6c 65 48 6f 73 74 | Microsoft.PowerShell.ConsoleHost | success or wait | 17 | 6E3E76FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 1 | 00 | . | success or wait | 11 | 6E3E76FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 4 | 00 08 00 03 | .... | success or wait | 11 | 6E3E76FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 2044 | (hex dump omitted) | (non-printable, not reproduced) | success or wait | 11 | 6E3E76FC | WriteFile

File Read

File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux | unknown | 176 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6E0FCA54 | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6E0FCA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E0FCA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6E0FCA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6E0FCA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6E0FCA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6E0FCA54 | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6E0F5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6E0F5705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\ccc7c82770f93d1392abde4be3a80378\Microsoft.Management.Infrastructure.ni.dll.aux | unknown | 748 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 2 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4121 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4253 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 8171 | end of file | 1 | 6E0F5705 | unknown
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 64 | success or wait | 1 | 6E101F73 | ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 21268 | success or wait | 1 | 6E10203F | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux | unknown | 864 | success or wait | 1 | 6E0503DE | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 | unknown | 492 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | unknown | 774 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | success or wait | 2 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 4096 | success or wait | 7 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 682 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 289 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 289 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 4096 | success or wait | 129 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 993 | end of file | 1 | 6CF61B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 637 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | unknown | 534 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | unknown | 990 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | unknown | 990 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\ccc7c82770f93d1392abde4be3a80378\Microsoft.Management.Infrastructure.ni.dll.aux | unknown | 748 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux | unknown | 864 | success or wait | 1 | 6E0503DE | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6E0F5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 368 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 368 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 | unknown | 770 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 637 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | unknown | 4096 | success or wait | 7 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | unknown | 128 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6E0F5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6E0F5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 368 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 | unknown | 4096 | success or wait | 3 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 | unknown | 770 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 | unknown | 4096 | success or wait | 71 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 | unknown | 104 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 | unknown | 522 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 | unknown | 358 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 | unknown | 160 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 | unknown | 699 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 | unknown | 699 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpComputerStatus.cdxml | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpComputerStatus.cdxml | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 2 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 2 | 6CF61B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpPreference.cdxml | unknown | 4096 | success or wait | 12 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpPreference.cdxml | unknown | 764 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpPreference.cdxml | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreat.cdxml | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreat.cdxml | unknown | 617 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreat.cdxml | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreatCatalog.cdxml | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreatDetection.cdxml | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreatDetection.cdxml | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpScan.cdxml | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpScan.cdxml | unknown | 227 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpScan.cdxml | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpSignature.cdxml | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpSignature.cdxml | unknown | 243 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpSignature.cdxml | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpWDOScan.cdxml | unknown | 4096 | success or wait | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpWDOScan.cdxml | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | success or wait | 2 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 637 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | end of file | 1 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | unknown | 4096 | success or wait | 16 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | unknown | 128 | end of file | 2 | 6CF61B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | unknown | 4096 | end of file | 2 | 6CF61B4F | ReadFile

Analysis Process: conhost.exe PID: 6180 Parent PID: 5284

General

Start time: 11:12:11
Start date: 09/10/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
