ID: 291701 Sample Name: tHxifI5gu4 Cookbook: default.jbs Time: 17:04:18 Date: 30/09/2020 Version: 30.0.0 Red Diamond



Copyright null 2020 Page 4 of 39

Analysis Report tHxifI5gu4

Overview

General Information
Sample Name: tHxifI5gu4 (renamed file extension from none to exe)
Analysis ID: 291701
MD5: b96fe909c2d2f45…
SHA1: 8fed92c2cf9e089…
SHA256: 67cacba2f313fd6…

Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Classification
AveMaria
Classification chart (figure not reproduced): axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend malicious, suspicious, clean.

Signatures
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AveMaria stealer
Allocates memory in foreign processes
Contains functionality to create processes via WMI
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates processes via WMI
Hides user accounts
High number of junk calls found (likely related to sandbox DOS / API hammering)
Increases the number of concurrent connection per server for Internet Explorer
Installs a global keyboard hook
Machine Learning detection for sample
Writes to foreign memory regions
Abnormal high CPU Usage
Antivirus or Machine Learning detec…
Contains functionality to check if a d…
Contains functionality to query CPU …
Contains functionality to read the PEB
Contains functionality which may be…
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often fo…
Creates a process in suspended mo…
Creates a start menu entry (Start Me…
Creates or modifies windows services
Detected TCP or UDP traffic on non…
Enables debug privileges
Found a high number of Window / Us…
Found large amount of non-executed…
Found potential string decryption / a…
Installs a raw input device (often for …
May sleep (evasive loops) to hinder …
Modifies existing windows services
PE file contains sections with non-s…
Queries the volume information (nam…
Sample execution stops while proce…
Spawns drivers
Stores files to the Windows start me…
Yara signature match

Startup

System is w10x64

tHxifI5gu4.exe (PID: 7148, cmdline: 'C:\Users\user\Desktop\tHxifI5gu4.exe', MD5: B96FE909C2D2F458ABF71665CE1BB1EF)
    conhost.exe (PID: 7156, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    powershell.exe (PID: 6880, cmdline: powershell Add-MpPreference -ExclusionPath C:\, MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        conhost.exe (PID: 6876, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    images.exe (PID: 6952, cmdline: C:\ProgramData\images.exe, MD5: B96FE909C2D2F458ABF71665CE1BB1EF)
        conhost.exe (PID: 6784, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        powershell.exe (PID: 976, cmdline: powershell Add-MpPreference -ExclusionPath C:\, MD5: DBA3E6449E97D4E3DF64527EF7012A10)
            conhost.exe (PID: 960, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        cmd.exe (PID: 4484, cmdline: C:\Windows\System32\cmd.exe, MD5: F3BDBE3BB6F734E357235F4D5898582D)
            conhost.exe (PID: 4560, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cmd.exe (PID: 1316, Parent PID: 3424, cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat", MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    conhost.exe (PID: 3492, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    WMIC.exe (PID: 4876, cmdline: wmic process call create "C:\ProgramData:ApplicationData", MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
rdpvideominiport.sys (PID: 4, cmdline: none, MD5: 0600DF60EF88FD10663EC84709E5E245)
rdpdr.sys (PID: 4, cmdline: none, MD5: 52A6CC99F5934CFAE88353C47B6193E7)
tsusbhub.sys (PID: 4, cmdline: none, MD5: 3A84A09CBC42148A0C7D00B3E82517F1)
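The process tree above carries four behaviours worth turning into detections: the dropped copy of the sample (images.exe in C:\ProgramData has the same MD5 as the submitted file) spawns PowerShell with Add-MpPreference -ExclusionPath C:\, which excludes the entire system drive from Defender scanning; a batch file in the per-user Startup folder runs wmic process call create against C:\ProgramData:ApplicationData, an NTFS alternate data stream attached to the ProgramData directory; and the AveMaria_WarZone Yara strings include the Winlogon\SpecialAccounts\UserList key, which is how Windows hides an account from the logon screen and matches the "Hides user accounts" signature. The WMIC output captured under \Device\ConDrv shows ReturnValue = 9, which for Win32_Process.Create means the path was not found, so in this sandbox run the ADS payload did not actually start. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it runs those four rules over process-creation and registry telemetry. The sample events are constructed to mirror this report with the quoting normalised; the event field names and the account name "svc" in the registry event are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record. The field names are our own, not a specific EDR schema."""
    kind: str            # "process" (process creation) or "registry" (value set)
    image: str = ""      # image path of the created process
    cmdline: str = ""    # full command line of the created process
    key: str = ""        # registry value path for registry events


@dataclass
class Finding:
    rule: str
    evidence: str


# Windows path carrying an NTFS alternate data stream name, e.g.
# C:\ProgramData:ApplicationData  ->  drive, path component(s), then ":stream".
# A bare drive root or an ordinary file path has no ":stream" suffix and does not match.
ADS_PATH = re.compile(r'[A-Za-z]:\\[^:"\'\s]+:[^:\\"\'\s]+')

# Add-MpPreference with any of the three Defender exclusion switches; group 1 is the excluded value.
DEFENDER_EXCLUSION = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(\S+)', re.I)

# Script file launched out of a Startup folder (per-user or all-users share this suffix).
STARTUP_SCRIPT = re.compile(
    r'\\Start Menu\\Programs\\Startup\\[^"\']+\.(?:bat|cmd|vbs|js|ps1)\b', re.I)

# Winlogon\SpecialAccounts\UserList\<name> = 0 hides <name> from the logon screen.
HIDDEN_USER_KEY = re.compile(r'\\Winlogon\\SpecialAccounts\\UserList\\([^\\]+)$', re.I)

WMIC_CREATE = re.compile(r'\bwmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b', re.I)


def is_ads_path(text: str) -> bool:
    """True if text contains a drive-rooted path with an alternate data stream suffix."""
    return ADS_PATH.search(text) is not None


def scan(events):
    """Run all four rules over the events and return the findings in event order."""
    findings = []
    for ev in events:
        if ev.kind == "process":
            m = DEFENDER_EXCLUSION.search(ev.cmdline)
            if m:
                excluded = m.group(1)
                # "C:\" or "C:" excludes an entire volume, which is the worst case.
                scope = "whole drive" if re.fullmatch(r'[A-Za-z]:\\?', excluded) else "path"
                findings.append(Finding("defender_exclusion_added", f"{scope}: {excluded}"))
            m = ADS_PATH.search(ev.cmdline)
            if m:
                rule = "ads_exec_via_wmic" if WMIC_CREATE.search(ev.cmdline) else "ads_path_in_cmdline"
                findings.append(Finding(rule, m.group(0)))
            m = STARTUP_SCRIPT.search(ev.cmdline)
            if m:
                findings.append(Finding("startup_folder_script", m.group(0)))
        elif ev.kind == "registry":
            m = HIDDEN_USER_KEY.search(ev.key)
            if m:
                findings.append(Finding("hidden_user_account", m.group(1)))
    return findings


# Constructed sample telemetry modelled on the Startup section of the report above.
# Quoting is normalised; the account name "svc" in the registry event is hypothetical.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          "powershell Add-MpPreference -ExclusionPath C:\\"),
    Event("process", r"C:\Windows\System32\wbem\WMIC.exe",
          'wmic process call create "C:\\ProgramData:ApplicationData"'),
    Event("process", r"C:\Windows\system32\cmd.exe",
          'C:\\Windows\\system32\\cmd.exe /c "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows'
          '\\Start Menu\\Programs\\Startup\\programs.bat"'),
    Event("registry",
          key=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\svc"),
    # Benign controls: a plain cmd.exe and a read-only Defender query produce no findings.
    Event("process", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          "powershell Get-MpPreference"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.evidence}")
```

The ADS regex deliberately requires a drive letter, a path component and a stream suffix, so ordinary paths, bare drive roots and URLs do not match; on a real host the same pattern is worth running over command lines of wmic.exe, rundll32.exe and powershell.exe alike, since the report shows the stream being launched through WMI rather than directly.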

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000003.747141552.0000000000E37000.00000004.00000001.sdmp
Rule: Codoso_Gh0st_1 (Detects Codoso APT Gh0st Malware; author: Florian Roth)
Strings: 0x36b0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}; 0x36b0:$c1: Elevation:Administrator!new:

Source: 00000000.00000003.747102733.0000000000E2F000.00000004.00000001.sdmp
Rule: Codoso_Gh0st_1 (Detects Codoso APT Gh0st Malware; author: Florian Roth)
Strings: 0x88a8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}; 0xb6b0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}; 0x88a8:$c1: Elevation:Administrator!new:; 0xb6b0:$c1: Elevation:Administrator!new:

Source: 00000000.00000003.747165658.0000000000E22000.00000004.00000001.sdmp
Rule: JoeSecurity_AveMaria (Yara detected AveMaria stealer; author: Joe Security)

Source: 00000008.00000003.850015986.0000000001546000.00000004.00000001.sdmp
Rule: Codoso_Gh0st_1 (Detects Codoso APT Gh0st Malware; author: Florian Roth)
Strings: 0x840:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}; 0x3648:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}; 0x840:$c1: Elevation:Administrator!new:; 0x3648:$c1: Elevation:Administrator!new:

Source: 00000000.00000003.747113130.0000000000E37000.00000004.00000001.sdmp
Rule: Codoso_Gh0st_1 (Detects Codoso APT Gh0st Malware; author: Florian Roth)
Strings: 0x8a8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}; 0x36b0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}; 0x8a8:$c1: Elevation:Administrator!new:; 0x36b0:$c1: Elevation:Administrator!new:

14 entries in total; not all are shown in the report.

Unpacked PEs

Source: 8.2.images.exe.1600000.1.unpack
Rule: Codoso_Gh0st_2 (Detects Codoso APT Gh0st Malware; author: Florian Roth)
Strings: 0x17df0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}

Source: 8.2.images.exe.1600000.1.unpack
Rule: Codoso_Gh0st_1 (Detects Codoso APT Gh0st Malware; author: Florian Roth)
Strings: 0x17df0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}; 0x17df0:$c1: Elevation:Administrator!new:

Source: 8.2.images.exe.1600000.1.unpack
Rule: MAL_Envrial_Jan18_1 (Detects Encrial credential stealer malware; author: Florian Roth)
Strings: 0x12fe8:$a1: \Opera Software\Opera Stable\Login Data; 0x13310:$a2: \Comodo\Dragon\User Data\Default\Login Data; 0x12c58:$a3: \Google\Chrome\User Data\Default\Login Data

Source: 8.2.images.exe.1600000.1.unpack
Rule: JoeSecurity_AveMaria (Yara detected AveMaria stealer; author: Joe Security)

Source: 8.2.images.exe.1600000.1.unpack
Rule: AveMaria_WarZone (description: unknown; author: unknown)
Strings: 0x15128:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q; 0x14f04:$str2: MsgBox.exe; 0x15194:$str4: \System32\cmd.exe; 0x14dd8:$str6: Ave_Maria; 0x14638:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList; 0x13978:$str8: SMTP Password; 0x12c58:$str11: \Google\Chrome\User Data\Default\Login Data; 0x14608:$str12: \sqlmap.dll; 0x17df0:$str16: Elevation:Administrator!new; 0x17f10:$str17: /n:%temp%

Every Codoso_Gh0st_1 and Codoso_Gh0st_2 hit in this report is on the same string, the COM elevation moniker Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}, which is not specific to Gh0st; the family attribution rests on the AveMaria-specific rules (JoeSecurity_AveMaria, AveMaria_WarZone) and on the browser credential-store paths matched by MAL_Envrial_Jan18_1.

5 entries in total; not all are shown in the report.

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location

Sigma detected: Group Modification Logging

Sigma detected: Local User Creation

Signature Overview

• AV Detection • Spreading • Networking • Key, Mouse, Clipboard, Microphone and Screen Capturing • E-Banking Fraud • System Summary • Data Obfuscation • Persistence and Installation Behavior • Boot Survival • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection • Lowering of HIPS / PFW / Operating System Security Settings • Stealing of Sensitive Information • Remote Access Functionality


AV Detection:

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected AveMaria stealer

Machine Learning detection for sample

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

E-Banking Fraud:

Yara detected AveMaria stealer

System Summary:

Malicious sample detected (through community Yara rule)

Contains functionality to create processes via WMI

Persistence and Installation Behavior:

Creates processes via WMI

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts

Creates files in alternative data streams (ADS)

Hides user accounts

Malware Analysis System Evasion:

High number of junk calls found (likely related to sandbox DOS / API hammering)

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Writes to foreign memory regions

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connection per server for Internet Explorer

Stealing of Sensitive Information:

Yara detected AveMaria stealer

Remote Access Functionality:

Yara detected AveMaria stealer

Mitre Att&ck Matrix

The matrix (columns Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control) did not survive extraction as a table. Techniques the report marked with hit counts, counts as shown: Windows Management Instrumentation (2, 1); Scripting (1); Startup Items (1); Registry Run Keys / Startup Folder (2); Windows Service (2); LSASS Driver (1); Process Injection (3, 1, 2); Masquerading (3); Virtualization/Sandbox Evasion (2); Deobfuscate/Decode Files or Information (1); Hidden Users (2); NTFS File Attributes (1); Obfuscated Files or Information (1); Software Packing (1); Input Capture (1, 2, 1); System Time Discovery (1); Security Software Discovery (2, 1); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (2, 5); Non-Standard Port (1).

Behavior Graph

Behavior Graph ID: 291701
Sample: tHxifI5gu4
Startdate: 30/09/2020
Architecture: WINDOWS
Score: 100

The graph itself is not reproduced; recoverable node labels follow.
Processes: tHxifI5gu4.exe, cmd.exe, rdpvideominiport.sys, 2 other processes; images.exe, powershell.exe, conhost.exe, WMIC.exe, conhost.exe; powershell.exe, cmd.exe, conhost.exe, conhost.exe; conhost.exe, conhost.exe.
Network: 23.82.140.14, ports 433 and 49767, LEASEWEB-USA-MIA-11US, United States.
Signatures shown on the graph: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures; Increases the number of concurrent connection per server for Internet Explorer; Creates files in alternative data streams (ADS); Writes to foreign memory regions; Allocates memory in foreign processes; Creates processes via WMI; Hides user accounts; 2 other signatures.

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
tHxifI5gu4.exe | 74% | Virustotal |
tHxifI5gu4.exe | 54% | Metadefender |
tHxifI5gu4.exe | 54% | ReversingLabs | Win32.Spyware.AveMaria
tHxifI5gu4.exe | 100% | Avira | TR/AD.MortyStealer.qlzld
tHxifI5gu4.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.tHxifI5gu4.exe.a00000.0.unpack | 100% | Avira | HEUR/AGEN.1137039
8.0.images.exe.f70000.0.unpack | 100% | Avira | HEUR/AGEN.1137039
8.2.images.exe.f70000.0.unpack | 100% | Avira | HEUR/AGEN.1137039
8.2.images.exe.1600000.1.unpack | 100% | Avira | TR/Redcap.ghjpt
0.2.tHxifI5gu4.exe.ef0000.1.unpack | 100% | Avira | TR/Redcap.ghjpt
0.0.tHxifI5gu4.exe.a00000.0.unpack | 100% | Avira | HEUR/AGEN.1137039

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
stascorp.comDVarFileInfo$ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
stascorp.comDVarFileInfo$ | images.exe, 00000008.00000003.860104019.00000000015B7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://github.com/syohex/java-simple-mine-sweeperC: | tHxifI5gu4.exe, 00000000.00000003.747165658.0000000000E22000.00000004.00000001.sdmp; images.exe, 00000008.00000002.924394390.0000000001080000.00000040.00000001.sdmp | false | | high

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
23.82.140.14 | United States | 393886 | LEASEWEB-USA-MIA-11US | false

General Information

Joe Sandbox Version: 30.0.0 Red Diamond
Analysis ID: 291701
Start date: 30.09.2020
Start time: 17:04:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: tHxifI5gu4 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@18/9@0/1
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 100% (good quality ratio 98.1%)
Quality average: 85.1%
Quality standard deviation: 21.7%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:
    Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
    TCP Packets have been reduced to 100
    Report size exceeded maximum capacity and may have missing behavior information
    Report size getting too big, too many NtOpenKeyEx calls found

Simulations

Behavior and APIs

Time | Type | Description
17:05:54 | API Interceptor | 71x Sleep call for process: powershell.exe modified
17:05:56 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat
17:06:05 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
17:06:42 | API Interceptor | 264x Sleep call for process: cmd.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Size (bytes): 22172
Entropy (8bit): 5.587991581081204
Encrypted: false
MD5: 440F88652846FC654A63E66346A5FE9D
SHA1: 99ED51B4912FCDE6C720C9B6318929B042A61D18
SHA-256: 549D4AFCFE7634767268634BB3FB467CC2969F68685047E36E45C43111C3C2A5
SHA-512: 5EE13BDFCAEE220E554622510EF462C1E516025A6C2B562738C0F2CF32B14CD9547B6219E2631C689BAB2B92A22DE71753344E9AC0D022B499F3FA98C15985B3
Malicious: false
Preview: @...e...... `...... `...... f.r.+...... H...... <@.^.L."My...:<...... Microsoft.PowerShell.ConsoleHostD...... fZve...F.....x.)...... System.Management.Automation4...... [...{a.C..%6..h...... System.Core.0...... G-.o...A...4B...... System..4...... Zg5..:O..g..q...... System.Xml..L...... 7.....J@...... ~...... #.Microsoft.Management.Infrastructure.8...... '....L..}...... System.Numerics.@...... Lo...QN...... ..m...... System.Transactions.<...... ):gK..G...$.1.q...... System.ConfigurationP...... /.C..J..%...]...... %.Microsoft.PowerShell.Commands.Utility...D...... -.D.F.<;.nt.1...... System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4wo3voon.qnf.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55zgun5e.xi1.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svqpwmv2.m0h.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xrh12lav.sil.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\Documents\20200930\PowerShell_transcript.887849.5vqBzTGF.20200930170641.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 5045
Entropy (8bit): 5.386258167178381
Encrypted: false
MD5: 213AE909A7BFCDFBAC79379C635B1E70
SHA1: 98DC1886416705764B81179FF3CB9E6DCCF761B4
SHA-256: B1E8C23FA537E8A906B069B23B97714B51DF533D5BDE7AFCCF9CE9C25FCCE1E7
SHA-512: 4AC82405802145E6075299547DAC138B9C6F82897F98F49CF40F044D2481F5D18DE024BE502AA23DD39016C3D2D9B9148478AF3C6A5B416E8134E9440380E18D
Malicious: false
Preview (line breaks restored):
    **********************
    Windows PowerShell transcript start
    Start time: 20200930170642
    Username: computer\user
    RunAs User: computer\user
    Configuration Name:
    Machine: 887849 (Microsoft Windows NT 10.0.17134.0)
    Host Application: powershell Add-MpPreference -ExclusionPath C:\
    Process ID: 976
    PSVersion: 5.1.17134.1
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
    BuildVersion: 10.0.17134.1
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    **********************
    Command start time: 20200930170642
    **********************
    PS>Add-MpPreference -ExclusionPath C:\
    **********************
    Windows PowerShell transcript start
    Start time: 20200930170647
    Username: computer\user
    RunAs User: computer\user
    Configuration Name:
    Machine: 887849 (Microsoft Windows NT 10.0.17134.0)
    Host Application: powershell Add-MpPreference -Exclusi

C:\Users\user\Documents\20200930\PowerShell_transcript.887849.BLN7F_1Y.20200930170553.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 5048
Entropy (8bit): 5.388073532678625
Encrypted: false
MD5: 7C6451B3406F6C62AEF16C9C1B9F8EDA
SHA1: 9AE3D4B6FAC78E109D9C2F406050A82FB19946FF
SHA-256: DFF934B1C4F7725C5E53DFE3D588BA48979883D365DF93C44DE33C47820D730C
SHA-512: CBD84C85728AA22B3A6B5D9F7A3A3666372CA3CB70BE04A8ABB156D95DE6D27789EF431C7548376C5A5EAF78C245A1527AA2FEA66ADE30476FCFD6C06B565C4D
Malicious: false
Preview (line breaks restored):
    **********************
    Windows PowerShell transcript start
    Start time: 20200930170554
    Username: computer\user
    RunAs User: computer\user
    Configuration Name:
    Machine: 887849 (Microsoft Windows NT 10.0.17134.0)
    Host Application: powershell Add-MpPreference -ExclusionPath C:\
    Process ID: 6880
    PSVersion: 5.1.17134.1
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
    BuildVersion: 10.0.17134.1
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    **********************
    Command start time: 20200930170554
    **********************
    PS>Add-MpPreference -ExclusionPath C:\
    **********************
    Windows PowerShell transcript start
    Start time: 20200930170557
    Username: computer\user
    RunAs User: computer\user
    Configuration Name:
    Machine: 887849 (Microsoft Windows NT 10.0.17134.0)
    Host Application: powershell Add-MpPreference -Exclus

\Device\ConDrv
Process: C:\Windows\System32\wbem\WMIC.exe
File Type: ASCII text, with CRLF, CR line terminators
Size (bytes): 140
Entropy (8bit): 5.001523394375711
Encrypted: false
MD5: DA5950D62F7968DA1F66E3811A9061F9
SHA1: 69B83F624AA9EC9EA09BE0E165499B436101F9EA
SHA-256: C09AF5F39B8BF613C007465A63F70E84766710CEE7FEB62780433C9D8C248AD7
SHA-512: 6291C46BC66AEC7AEB973EE076146AF54C800A63F3F6F9C0EF01DA6535539E2F44FBF0BACBEAF66C4D34C4BE122AD728F62681E408FA710127120806D952DC9E
Malicious: false
Preview (line breaks restored):
    Executing (Win32_Process)->Create()
    Method execution successful.
    Out Parameters:
    instance of __PARAMETERS
    {
        ReturnValue = 9;
    };

Static File Info

File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 5.965330757722786
TrID: Win32 Executable (generic) a (10002005/4) 99.96%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: tHxifI5gu4.exe
File size: 1051136
MD5: b96fe909c2d2f458abf71665ce1bb1ef
SHA1: 8fed92c2cf9e089458d944b1b549d46200cdf5e0
SHA256: 67cacba2f313fd69b51eb0bc495ee79ce7f2706f068cb35a5419edc03c97449b
SHA512: c4a664578f7be93db6808342d7a4dcde6be86d6c6be26dceb781a64b7add3af0d1fb6f79b568b903cfa23c04f5f336fb67d7be23d597aae06d4b4b5db947340f
SSDEEP: 12288:90u0UiiIuuoS2iooMUvf2w/8bkBQ7ziScPe/+9hN8gTNCq0g:9ciLoMUvf2w/8wk3ymyYSNh0
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... s#...... s!.!....s .....+O...... s=...... -...... Rich......

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

Entrypoint: 0x403ef4
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5EBBDCDA [Wed May 13 11:41:14 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 839fce7d0035e7e8ed15f1e90787f2b7

Entrypoint Preview

Instruction jmp 00007F79E898BB4Ch jmp 00007F79E8990B77h jmp 00007F79E89FECA2h jmp 00007F79E8A0942Dh jmp 00007F79E8993288h jmp 00007F79E89ED753h jmp 00007F79E89CB2BEh jmp 00007F79E8A09D99h jmp 00007F79E89CF274h jmp 00007F79E8A1C314h jmp 00007F79E89EAA1Ah jmp 00007F79E8A04305h jmp 00007F79E8A1E500h jmp 00007F79E89C213Bh jmp 00007F79E89A71F6h jmp 00007F79E8A0D261h jmp 00007F79E89B42BCh jmp 00007F79E89B9617h jmp 00007F79E8A0F612h jmp 00007F79E898BA2Dh jmp 00007F79E89A0FB8h jmp 00007F79E89CC9F3h jmp 00007F79E8990AAEh jmp 00007F79E898A2F9h jmp 00007F79E8A0FB84h jmp 00007F79E89EC38Fh jmp 00007F79E8A0953Ah jmp 00007F79E899F2E5h jmp 00007F79E89A8890h jmp 00007F79E8A0519Bh jmp 00007F79E89E8C96h jmp 00007F79E8A0F4D1h jmp 00007F79E89B1A2Ch jmp 00007F79E89F9457h jmp 00007F79E8997A82h jmp 00007F79E89E87DDh jmp 00007F79E8999C58h jmp 00007F79E89C1933h jmp 00007F79E89AD09Eh jmp 00007F79E899A719h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfd1ec | 0x28 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xff000 | 0x43c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x100000 | 0x4f08 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc7a50 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xc7a88 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xfd000 | 0x1ec | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa3f73 | 0xa4000 | False | 0.277619152534 | data | 5.48511546719 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xa5000 | 0x2514d | 0x25200 | False | 0.178319654882 | data | 3.4520571573 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcb000 | 0x314e0 | 0x30000 | False | 0.513041178385 | data | 6.74141814076 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0xfd000 | 0xc96 | 0xe00 | False | 0.327566964286 | data | 4.46506043942 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0xfe000 | 0x104 | 0x200 | False | 0.03125 | ASCII text, with no line terminators | 0.0611628522412 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xff000 | 0x43c | 0x600 | False | 0.182291666667 | data | 2.14297088193 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x100000 | 0x5c0e | 0x5e00 | False | 0.640084773936 | data | 6.13514753604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0xff170 | 0x17d | XML 1.0 document text | English | United States

Imports

DLL: KERNEL32.dll
Import: Sleep, VirtualAlloc, FreeConsole, ReadConsoleW, IsDebuggerPresent, RaiseException, MultiByteToWideChar, WideCharToMultiByte, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, GetModuleHandleW, GetLastError, HeapAlloc, HeapFree, GetProcessHeap, VirtualQuery, FreeLibrary, GetProcAddress, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetModuleFileNameW, LoadLibraryExW, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CloseHandle, WriteFile, GetConsoleCP, GetConsoleMode, GetModuleFileNameA, GetModuleHandleExW, GetStdHandle, ExitProcess, GetCommandLineA, GetCommandLineW, GetACP, HeapValidate, GetSystemInfo, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetCurrentThread, SetStdHandle, CreateFileW, SetFilePointerEx, WriteConsoleW, OutputDebugStringA, OutputDebugStringW, WaitForSingleObjectEx, CreateThread, SetConsoleCtrlHandler, FindClose, FindFirstFileExA, FindFirstFileExW, FindNextFileA, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetEnvironmentVariableW, GetStringTypeW, HeapReAlloc, HeapSize, HeapQueryInformation, FlushFileBuffers, SetEndOfFile, ReadFile, DecodePointer

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 30, 2020 17:06:43.683691978 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:43.814213037 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:43.814760923 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:43.949225903 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:43.989729881 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:44.240459919 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:44.417177916 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.417412996 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:44.612359047 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.612529993 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:44.756679058 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.756728888 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.756766081 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.756793022 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.757054090 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:44.886380911 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.886413097 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.886436939 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.886461973 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.886483908 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.886483908 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:44.886501074 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.886518002 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.886534929 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:44.886538029 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:44.886564970 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:44.886585951 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.015861034 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.015899897 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.015913010 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.015924931 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.015938044 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.015949011 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.015960932 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.015973091 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.015990973 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.016007900 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.016022921 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.016042948 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.016061068 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.016074896 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.016077995 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.016096115 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.016108990 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.016192913 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.016222954 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.016231060 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.145490885 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145519018 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145541906 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145561934 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145587921 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145593882 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.145610094 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145612955 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.145632029 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145653009 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145653009 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.145673990 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145694017 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.145694971 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145721912 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145742893 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145755053 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.145771027 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145781040 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.145801067 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145828962 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145843983 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.145855904 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145878077 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145893097 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.145898104 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145919085 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145940065 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145953894 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.145965099 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145988941 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.145993948 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.146006107 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.146020889 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.146037102 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.146053076 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.146068096 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.146089077 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.146120071 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.146142960 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.275536060 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.275589943 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.275628090 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.275654078 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.275677919 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.275722027 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.275738955 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.275778055 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.275824070 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.275840998 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14
Sep 30, 2020 17:06:45.275882959 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.275929928 CEST | 433 | 49767 | 23.82.140.14 | 192.168.2.4
Sep 30, 2020 17:06:45.275933027 CEST | 49767 | 433 | 192.168.2.4 | 23.82.140.14

Code Manipulations

Statistics

Behavior

• tHxifI5gu4.exe
• conhost.exe
• powershell.exe
• conhost.exe
• images.exe
• conhost.exe
• cmd.exe
• conhost.exe
• WMIC.exe
• powershell.exe
• cmd.exe
• conhost.exe
• conhost.exe
• rdpvideominiport.sys
• rdpdr.sys
• tsusbhub.sys


System Behavior

Analysis Process: tHxifI5gu4.exe PID: 7148 Parent PID: 5940

General

Start time: 17:05:08
Start date: 30/09/2020
Path: C:\Users\user\Desktop\tHxifI5gu4.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\tHxifI5gu4.exe'
Imagebase: 0xa00000
File size: 1051136 bytes
MD5 hash: B96FE909C2D2F458ABF71665CE1BB1EF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.747141552.0000000000E37000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.747102733.0000000000E2F000.00000004.00000001.sdmp, Author: Florian Roth
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.747165658.0000000000E22000.00000004.00000001.sdmp, Author: Joe Security
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.747113130.0000000000E37000.00000004.00000001.sdmp, Author: Florian Roth
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.751103428.0000000000F03000.00000002.00000001.sdmp, Author: Joe Security
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.751149018.000000000103E000.00000002.00000001.sdmp, Author: Florian Roth
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.747095020.0000000000E26000.00000004.00000001.sdmp, Author: Joe Security
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.750743229.0000000000B10000.00000040.00000001.sdmp, Author: Florian Roth
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.750743229.0000000000B10000.00000040.00000001.sdmp, Author: Joe Security

Reputation: low

File Activities

File Created

Source File Path; Access; Attributes; Options; Completion; Count; Address; Symbol
Path: C:\Users\user\AppData\Local\Microsoft Vision\; Access: read data or list directory | synchronize; Attributes: device; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: F02177; Symbol: CreateDirectoryW
Path: C:\ProgramData\images.exe; Access: read data or list directory | read attributes | delete | write dac | synchronize | generic read | generic write; Attributes: device; Options: sequential only | non directory file; Completion: success or wait; Count: 1; Address: EFFD98; Symbol: CopyFileW
Path: C:\ProgramData\images.exe\:Zone.Identifier:$DATA; Access: read data or list directory | synchronize | generic write; Attributes: device; Options: sequential only | synchronous io non alert; Completion: success or wait; Count: 1; Address: EFFD98; Symbol: CopyFileW
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat; Access: read attributes | synchronize | generic write; Attributes: device; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: F00983; Symbol: CreateFileA
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start; Access: read attributes | synchronize | generic write; Attributes: device; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: F00983; Symbol: CreateFileA
Path: C:\ProgramData:ApplicationData; Access: read data or list directory | read attributes | delete | write dac | synchronize | generic read | generic write; Attributes: device; Options: sequential only | synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: EFFF43; Symbol: CopyFileW

File Written

Source File Path; Offset; Length; Value; Ascii; Completion; Count; Address; Symbol
Path: unknown; Offset: unknown; Length: 1; Value: 30; Ascii: 0; Completion: invalid handle; Count: 100; Address: A54EE7; Symbol: WriteFile

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Users\user\Desktop\tHxifI5gu4.exe | unknown | 1051136 | success or wait | 1 | F00ABD | ReadFile

Registry Activities

Key Created

Source Key Path | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\O5XI717XHX | success or wait | 1 | EFFB5B | RegCreateKeyExW

Key Value Created

Source Key Path | Name | Type | Data | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | MaxConnectionsPer1_0Server | dword | 10 | success or wait | 1 | F020DA | RegSetValueExA
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | MaxConnectionsPerServer | dword | 10 | success or wait | 1 | F020EF | RegSetValueExA
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\O5XI717XHX | inst | binary | D5 30 31 80 26 E8 C1 C4 26 8F 1E 0C B6 E7 79 4E BA 08 4C FE A4 E3 E1 D3 93 FE 73 FF C7 9D A3 78 77 E5 4D 65 A8 52 ED 4C 19 D4 C9 96 7B 9C 3C 4F AA 0C DF 6F | success or wait | 1 | EFFC19 | RegSetValueExW

Analysis Process: conhost.exe PID: 7156 Parent PID: 7148

General

Start time: 17:05:08
Start date: 30/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: powershell.exe PID: 6880 Parent PID: 7148

General

Start time: 17:05:52
Start date: 30/09/2020
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell Add-MpPreference -ExclusionPath C:\
Imagebase: 0xed0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

Source File Path; Access; Attributes; Options; Completion; Count; Address; Symbol
Path: C:\Users\user; Access: read data or list directory | synchronize; Attributes: device; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 6D1CCF06; Symbol: unknown
Path: C:\Users\user\AppData\Roaming; Access: read data or list directory | synchronize; Attributes: device; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 6D1CCF06; Symbol: unknown
Path: C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_55zgun5e.xi1.ps1; Access: read attributes | synchronize | generic write; Attributes: device; Options: sequential only | synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 6C011E60; Symbol: CreateFileW
Path: C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_4wo3voon.qnf.psm1; Access: read attributes | synchronize | generic write; Attributes: device; Options: sequential only | synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 6C011E60; Symbol: CreateFileW
Path: C:\Users\user\Documents\20200930; Access: read data or list directory | synchronize; Attributes: device; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: 6C01BEFF; Symbol: CreateDirectoryW
Path: C:\Users\user\Documents\20200930\PowerShell_transcript.887849.BLN7F_1Y.20200930170553.txt; Access: read attributes | synchronize | generic read | generic write; Attributes: device; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 6C011E60; Symbol: CreateFileW

File Deleted

Source File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_55zgun5e.xi1.ps1 | success or wait | 1 | 6C016A95 | DeleteFileW
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_4wo3voon.qnf.psm1 | success or wait | 1 | 6C016A95 | DeleteFileW

File Written

Source File Path; Offset; Length; Value; Ascii; Completion; Count; Address; Symbol
Path: C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_55zgun5e.xi1.ps1; Offset: unknown; Length: 1; Value: 31; Ascii: 1; Completion: success or wait; Count: 1; Address: 6C011B4F; Symbol: WriteFile
Path: C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_4wo3voon.qnf.psm1; Offset: unknown; Length: 1; Value: 31; Ascii: 1; Completion: success or wait; Count: 1; Address: 6C011B4F; Symbol: WriteFile
Path: C:\Users\user\Documents\20200930\PowerShell_transcript.887849.BLN7F_1Y.20200930170553.txt; Offset: unknown; Length: 3; Value: ef bb bf; Ascii: ...; Completion: success or wait; Count: 1; Address: 6C011B4F; Symbol: WriteFile
Path: C:\Users\user\Documents\20200930\PowerShell_transcript.887849.BLN7F_1Y.20200930170553.txt; Offset: unknown; Length: 588; Value: 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 57 69 6e 64 6f 77 73 20 50 6f 77 65 72 53 68 65 6c 6c 20 74 72 61 6e 73 63 72 69 70 74 20 73 74 61 72 74 0d 0a 53 74 61 72 74 20 74 69 6d 65 3a 20 32 30 32 30 30 39 33 30 31 37 30 35 35 34 0d 0a 55 73 65 72 6e 61 6d 65 3a 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 6a 6f 6e 65 73 0d 0a 52 75 6e 41 73 20 55 73 65 72 3a 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 6a 6f 6e 65 73 0d 0a 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 4e 61 6d 65 3a 20 0d 0a 4d 61 63 68 69 6e 65 3a 20 38 38 37 38 34 39 20 28 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 2e 31 37 31 33 34 2e 30 29 0d 0a 48 6f 73 74 20 41 70 70 6c 69 63 61 74 69 6f 6e 3a 20 70 6f 77 65 72; Ascii: **********************..Windows PowerShell transcript start..Start time: 20200930170554..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 887849 (Microsoft Windows NT 10.0.17134.0)..Host Application: power; Completion: success or wait; Count: 44; Address: 6C011B4F; Symbol: WriteFile
Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive; Offset: unknown; Length: 64; Value: 40 00 00 01 65 00 00 00 00 00 00 00 11 00 00 00 60 14 00 00 19 00 00 00 80 11 1e 06 61 0b 56 0b 15 0a 00 00 00 00 9c 08 81 00 51 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00; Ascii: @...e...... `...... a. V...... Q......; Completion: success or wait; Count: 1; Address: 6D4976FC; Symbol: WriteFile
Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive; Offset: unknown; Length: 40; Value: 48 00 00 02 03 00 00 00 00 00 00 00 01 00 00 00 3c 40 b0 5e e7 8d bf 4c b2 22 4d 79 98 9c a7 3a 3c 00 00 00 0e 00 20 00; Ascii: H...... <@.^...L."My...: <......; Completion: success or wait; Count: 17; Address: 6D4976FC; Symbol: WriteFile
Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive; Offset: unknown; Length: 32; Value: 4d 69 63 72 6f 73 6f 66 74 2e 50 6f 77 65 72 53 68 65 6c 6c 2e 43 6f 6e 73 6f 6c 65 48 6f 73 74; Ascii: Microsoft.PowerShell.ConsoleHost; Completion: success or wait; Count: 17; Address: 6D4976FC; Symbol: WriteFile
Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive; Offset: unknown; Length: 1; Value: 00; Ascii: .; Completion: success or wait; Count: 11; Address: 6D4976FC; Symbol: WriteFile
Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive; Offset: unknown; Length: 4; Value: 00 08 00 03; Ascii: ....; Completion: success or wait; Count: 11; Address: 6D4976FC; Symbol: WriteFile
Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive; Offset: unknown; Length: 2044; Value: 00 0e 80 00 01 0e 80 00 02 0e 80 00 03 0e 80 00 04 0e 80 00 05 0e 80 00 06 0e 80 00 07 0e 80 00 08 0e 80 00 09 0c 80 00 54 01 40 00 f9 3e 40 01 ce 67 40 01 99 01 40 00 fb 00 40 00 cb 00 40 00 56 01 40 00 48 01 40 00 58 01 40 00 5b; Ascii: ...... ...... T.@..>@..g@...@... @[email protected][email protected][email protected].@. [[email protected]@[email protected] @[email protected]@[email protected]@..S @.\[email protected]@..T@.@X@.? [email protected]@[email protected]@[email protected] @[email protected]@..T@[email protected] M@.:M@."M@. M@.!M@.;[email protected]@..D@. @M@.; Completion: success or wait; Count: 11; Address: 6D4976FC; Symbol: WriteFile

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux | unknown | 176 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6D1ACA54 | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6D1ACA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6D1ACA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6D1ACA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6D1ACA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6D1ACA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6D1ACA54 | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6D1A5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6D1A5705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\ccc7c82770f93d1392abde4be3a80378\Microsoft.Management.Infrastructure.ni.dll.aux | unknown | 748 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4121 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4253 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 8171 | end of file | 1 | 6D1A5705 | unknown
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 64 | success or wait | 1 | 6D1B1F73 | ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 21268 | success or wait | 1 | 6D1B203F | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux | unknown | 864 | success or wait | 1 | 6D1003DE | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 | unknown | 492 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | unknown | 774 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | success or wait | 2 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | success or wait | 2 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 4096 | success or wait | 7 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 682 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 289 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 289 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 4096 | success or wait | 143 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 993 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 637 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | unknown | 534 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | unknown | 990 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | unknown | 990 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\ccc7c82770f93d1392abde4be3a80378\Microsoft.Management.Infrastructure.ni.dll.aux | unknown | 748 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux | unknown | 864 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6D1A5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 368 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 368 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 | unknown | 4096 | success or wait | 2 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 | unknown | 770 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 637 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | unknown | 4096 | success or wait | 8 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.
unknown 128 end of file 1 6C011B4F ReadFile PowerShell.Utility.psm1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 4096 end of file 1 6C011B4F ReadFile PowerShell.Utility.psm1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config unknown 4095 success or wait 1 6D1A5705 unknown C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config unknown 8173 end of file 1 6D1A5705 unknown C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 unknown 368 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 unknown 4096 success or wait 3 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 unknown 770 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 unknown 4096 success or wait 73 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 unknown 104 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 unknown 522 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 unknown 4096 end of file 1 6C011B4F ReadFile 
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 unknown 358 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 unknown 160 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 unknown 699 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 unknown 699 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\ unknown 4096 success or wait 1 6C011B4F ReadFile MSFT_MpComputerStatus.cdxml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\ unknown 4096 end of file 1 6C011B4F ReadFile MSFT_MpComputerStatus.cdxml C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C011B4F ReadFile 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 2 6C011B4F ReadFile C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 2 6C011B4F ReadFile

Copyright null 2020 Page 27 of 39 Source File Path Offset Length Completion Count Address Symbol C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpPreference.cdxml unknown 4096 success or wait 12 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpPreference.cdxml unknown 764 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpPreference.cdxml unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreat.cdxml unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreat.cdxml unknown 617 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreat.cdxml unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\ unknown 4096 success or wait 1 6C011B4F ReadFile MSFT_MpThreatCatalog.cdxml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\ unknown 4096 end of file 1 6C011B4F ReadFile MSFT_MpThreatCatalog.cdxml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\ unknown 4096 success or wait 1 6C011B4F ReadFile MSFT_MpThreatDetection.cdxml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\ unknown 4096 end of file 1 6C011B4F ReadFile MSFT_MpThreatDetection.cdxml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpScan.cdxml unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpScan.cdxml unknown 227 end of file 1 6C011B4F ReadFile 
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpScan.cdxml unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpSignature.cdxml unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpSignature.cdxml unknown 243 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpSignature.cdxml unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpWDOScan.cdxml unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpWDOScan.cdxml unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 4096 success or wait 2 6C011B4F ReadFile PowerShell.Utility.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 637 end of file 2 6C011B4F ReadFile PowerShell.Utility.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 4096 end of file 1 6C011B4F ReadFile PowerShell.Utility.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 4096 success or wait 16 6C011B4F ReadFile PowerShell.Utility.psm1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 128 end of file 2 6C011B4F ReadFile PowerShell.Utility.psm1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 4096 end of file 2 6C011B4F ReadFile PowerShell.Utility.psm1

Analysis Process: conhost.exe PID: 6876 Parent PID: 6880

General

Start time: 17:05:52
Start date: 30/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: images.exe PID: 6952 Parent PID: 7148

General

Start time: 17:05:52
Start date: 30/09/2020
Path: C:\ProgramData\images.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\images.exe
Imagebase: 0xf70000
File size: 1051136 bytes
MD5 hash: B96FE909C2D2F458ABF71665CE1BB1EF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000003.850015986.0000000001546000.00000004.00000001.sdmp, Author: Florian Roth
  Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000002.925773609.000000000174E000.00000002.00000001.sdmp, Author: Florian Roth
  Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000003.850147665.0000000001536000.00000004.00000001.sdmp, Author: Joe Security
  Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000003.849974969.0000000001536000.00000004.00000001.sdmp, Author: Florian Roth
  Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000003.849974969.0000000001536000.00000004.00000001.sdmp, Author: Joe Security
  Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000002.924394390.0000000001080000.00000040.00000001.sdmp, Author: Florian Roth
  Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000002.924394390.0000000001080000.00000040.00000001.sdmp, Author: Joe Security
  Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000003.850124597.0000000001546000.00000004.00000001.sdmp, Author: Florian Roth
  Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000002.925552799.0000000001613000.00000002.00000001.sdmp, Author: Joe Security
  Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000003.850188953.0000000001532000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

File Activities

File Created

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Microsoft Vision\ | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 1612177 | CreateDirectoryW
C:\Users\user\AppData\Local\Microsoft Vision\ | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 1602CAE | CreateDirectoryW
C:\Users\user\AppData\Local\Microsoft Vision\30-09-2020_17.06.42 | read attributes, synchronize | device | synchronous io non alert, non directory file | success or wait | 1 | 1607654 | CreateFileW
C:\Program Files\Microsoft DN1\sqlmap.dll | read attributes, synchronize, generic read, generic write | device | synchronous io non alert, non directory file | success or wait | 1 | 160E9D4 | CreateFileW
C:\Program Files\Microsoft DN1\rdpwrap.ini | read attributes, synchronize, generic read, generic write | device | synchronous io non alert, non directory file | success or wait | 1 | 160E9D4 | CreateFileW

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\ProgramData\images.exe | unknown | 1051136 | success or wait | 1 | 1610ABD | ReadFile
C:\ProgramData\images.exe | unknown | 1051136 | success or wait | 1 | 1610ABD | ReadFile
C:\Windows\SysWOW64\user32.dll | unknown | 1626536 | success or wait | 1 | 1610ABD | ReadFile

Registry Activities

Key Created

Source Key Path | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | success or wait | 1 | 160D228 | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | success or wait | 1 | 160D228 | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core | success or wait | 1 | 160FC61 | RegCreateKeyExW

Key Value Created

Source Key Path | Name | Type | Data | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | jCl.fmp | dword | 0 | success or wait | 1 | 160D243 | RegSetValueExW
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\O5XI717XHX | rudp | unicode | jCl.fmp | success or wait | 1 | 160FC19 | RegSetValueExW
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\O5XI717XHX | rpdp | unicode | .aot.Cb | success or wait | 1 | 160FC19 | RegSetValueExW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core | EnableConcurrentSessions | dword | 1 | success or wait | 1 | 160FC19 | RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | AllowMultipleTSSessions | dword | 1 | success or wait | 1 | 160FC19 | RegSetValueExW

Key Value Modified

Source Key Path | Name | Type | Old Data | New Data | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters | ServiceDll | expand unicode | %SystemRoot%\System32\termsrv.dll | %ProgramFiles%\Microsoft DN1\sqlmap.dll | success or wait | 1 | 160FC19 | RegSetValueExW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server | fDenyTSConnections | dword | 1 | 0 | success or wait | 1 | 160FC19 | RegSetValueExW

Analysis Process: conhost.exe PID: 6784 Parent PID: 6952

General

Start time: 17:05:53
Start date: 30/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: cmd.exe PID: 1316 Parent PID: 3424

General

Start time: 17:06:04
Start date: 30/09/2020
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat' '
Imagebase: 0x7ff622070000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | unknown | 8191 | success or wait | 1 | 7FF62207F404 | ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | unknown | 8191 | end of file | 1 | 7FF62207F404 | ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | unknown | 59 | success or wait | 1 | 7FF622073977 | ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | unknown | 8191 | end of file | 1 | 7FF62207F404 | ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | unknown | 8191 | end of file | 1 | 7FF62207F404 | ReadFile

Analysis Process: conhost.exe PID: 3492 Parent PID: 1316

General

Start time: 17:06:04
Start date: 30/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: WMIC.exe PID: 4876 Parent PID: 1316

General

Start time: 17:06:05
Start date: 30/09/2020
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic process call create ''C:\ProgramData:ApplicationData''
Imagebase: 0x7ff63ae30000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

File Activities

File Written

Source File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
\Device\ConDrv | unknown | 38 | 45 78 65 63 75 74 69 6e 67 20 28 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 29 2d 3e 43 72 65 61 74 65 28 29 0d 0d 0a | Executing (Win32_Process)->Create()... | success or wait | 1 | 7FF63AE6925F | fprintf
\Device\ConDrv | unknown | 31 | 4d 65 74 68 6f 64 20 65 78 65 63 75 74 69 6f 6e 20 73 75 63 63 65 73 73 66 75 6c 2e 0d 0d 0a | Method execution successful.... | success or wait | 1 | 7FF63AE6925F | fprintf
\Device\ConDrv | unknown | 15 | 4f 75 74 20 50 61 72 61 6d 65 74 65 72 73 3a | Out Parameters: | success or wait | 1 | 7FF63AE6925F | fprintf
\Device\ConDrv | unknown | 54 | 0d 0a 69 6e 73 74 61 6e 63 65 20 6f 66 20 5f 5f 50 41 52 41 4d 45 54 45 52 53 0d 0a 7b 0d 0a 09 52 65 74 75 72 6e 56 61 6c 75 65 20 3d 20 39 3b 0d 0a 7d 3b 0d 0a | ..instance of __PARAMETERS..{...ReturnValue = 9;..};.. | success or wait | 1 | 7FF63AE6925F | fprintf
\Device\ConDrv | unknown | 2 | 0d 0a | .. | success or wait | 1 | 7FF63AE691F1 | fprintf

Analysis Process: powershell.exe PID: 976 Parent PID: 6952

General

Start time: 17:06:40
Start date: 30/09/2020
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell Add-MpPreference -ExclusionPath C:\
Imagebase: 0xed0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

File Activities

File Created

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 6D1CCF06 | unknown
C:\Users\user\AppData\Roaming | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 6D1CCF06 | unknown
C:\Windows\system32\catroot | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 6BF75B28 | unknown
C:\Windows\system32\catroot2 | read data or list directory, synchronize | device | directory file, synchronous io non alert, open for backup ident, open reparse point | object name collision | 1 | 6BF75B28 | unknown
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_xrh12lav.sil.ps1 | read attributes, synchronize, generic write | device | sequential only, synchronous io non alert, non directory file, open no recall | success or wait | 1 | 6C011E60 | CreateFileW
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_svqpwmv2.m0h.psm1 | read attributes, synchronize, generic write | device | sequential only, synchronous io non alert, non directory file, open no recall | success or wait | 1 | 6C011E60 | CreateFileW
C:\Users\user\Documents\20200930\PowerShell_transcript.887849.5vqBzTGF.20200930170641.txt | read attributes, synchronize, generic read, generic write | device | synchronous io non alert, non directory file, open no recall | success or wait | 1 | 6C011E60 | CreateFileW

File Deleted

Source File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_xrh12lav.sil.ps1 | success or wait | 1 | 6C016A95 | DeleteFileW
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_svqpwmv2.m0h.psm1 | success or wait | 1 | 6C016A95 | DeleteFileW

File Written

Source File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_xrh12lav.sil.ps1 | unknown | 1 | 31 | 1 | success or wait | 1 | 6C011B4F | WriteFile
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_svqpwmv2.m0h.psm1 | unknown | 1 | 31 | 1 | success or wait | 1 | 6C011B4F | WriteFile
C:\Users\user\Documents\20200930\PowerShell_transcript.887849.5vqBzTGF.20200930170641.txt | unknown | 3 | ef bb bf | ... | success or wait | 1 | 6C011B4F | WriteFile
C:\Users\user\Documents\20200930\PowerShell_transcript.887849.5vqBzTGF.20200930170641.txt | unknown | 587 | 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 57 69 6e 64 6f 77 73 20 50 6f 77 65 72 53 68 65 6c 6c 20 74 72 61 6e 73 63 72 69 70 74 20 73 74 61 72 74 0d 0a 53 74 61 72 74 20 74 69 6d 65 3a 20 32 30 32 30 30 39 33 30 31 37 30 36 34 32 0d 0a 55 73 65 72 6e 61 6d 65 3a 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 6a 6f 6e 65 73 0d 0a 52 75 6e 41 73 20 55 73 65 72 3a 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 6a 6f 6e 65 73 0d 0a 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 4e 61 6d 65 3a 20 0d 0a 4d 61 63 68 69 6e 65 3a 20 38 38 37 38 34 39 20 28 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 2e 31 37 31 33 34 2e 30 29 0d 0a 48 6f 73 74 20 41 70 70 6c 69 63 61 74 69 6f 6e 3a 20 70 6f 77 65 72 | **********************..Windows PowerShell transcript start..Start time: 20200930170642..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 887849 (Microsoft Windows NT 10.0.17134.0)..Host Application: power | success or wait | 44 | 6C011B4F | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 64 | 40 00 00 01 65 00 00 00 00 00 00 00 11 00 00 00 60 14 00 00 18 00 00 00 60 14 c9 07 97 0c 83 0c 82 0c 00 00 00 00 66 02 72 00 2b 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | @...e...... `...... `..... ...... f.r.+...... | success or wait | 1 | 6D4976FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 40 | 48 00 00 02 03 00 00 00 00 00 00 00 01 00 00 00 3c 40 b0 5e e7 8d bf 4c b2 22 4d 79 98 9c a7 3a 3c 00 00 00 0e 00 20 00 | H...... <@.^...L."My...: <...... | success or wait | 17 | 6D4976FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 32 | 4d 69 63 72 6f 73 6f 66 74 2e 50 6f 77 65 72 53 68 65 6c 6c 2e 43 6f 6e 73 6f 6c 65 48 6f 73 74 | Microsoft.PowerShell.ConsoleHost | success or wait | 17 | 6D4976FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 1 | 00 | . | success or wait | 11 | 6D4976FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 4 | 00 08 00 03 | .... | success or wait | 11 | 6D4976FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 2044 | 00 0e 80 00 01 0e 80 00 02 0e 80 00 03 0e 80 00 04 0e 80 00 05 0e 80 00 06 0e 80 00 07 0e 80 00 08 0e 80 00 09 0c 80 00 54 01 40 00 f9 3e 40 01 cb 00 40 00 56 01 40 00 48 01 40 00 58 01 40 00 ce 67 40 01 5b 01 40 00 99 01 40 00 4e 54 40 01 48 54 40 01 | ...... | success or wait | 11 | 6D4976FC | WriteFile

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux | unknown | 176 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6D1ACA54 | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6D1ACA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6D1ACA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6D1ACA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6D1ACA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6D1ACA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6D1ACA54 | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6D1A5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6D1A5705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\ccc7c82770f93d1392abde4be3a80378\Microsoft.Management.Infrastructure.ni.dll.aux | unknown | 748 | success or wait | 1 | 6D1003DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 2 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4121 | success or wait | 1 | 6D1A5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 8171 | end of file | 1 | 6D1A5705 | unknown
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 64 | success or wait | 1 | 6D1B1F73 | ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | unknown | 22112 | success or wait | 1 | 6D1B203F | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux | unknown | 864 | success or wait | 1 | 6D1003DE | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 | unknown | 492 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | unknown | 774 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | success or wait | 2 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | success or wait | 2 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 4096 | success or wait | 7 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 682 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 289 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 289 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 4096 | success or wait | 121 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 993 | end of file | 1 | 6C011B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 4096 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | success or wait | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 637 | end of file | 1 | 6C011B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.
unknown 4096 end of file 1 6C011B4F ReadFile PowerShell.Utility.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 success or wait 1 6C011B4F ReadFile .PowerShell.Management\Microsoft.PowerShell.Management.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft unknown 534 end of file 1 6C011B4F ReadFile .PowerShell.Management\Microsoft.PowerShell.Management.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft unknown 4096 end of file 1 6C011B4F ReadFile .PowerShell.Management\Microsoft.PowerShell.Management.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppBackgr unknown 4096 success or wait 1 6C011B4F ReadFile oundTask\AppBackgroundTask.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppBackgr unknown 4096 end of file 1 6C011B4F ReadFile oundTask\AppBackgroundTask.psd1 Copyright null 2020 Page 35 of 39 Source File Path Offset Length Completion Count Address Symbol C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 unknown 990 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 unknown 990 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 unknown 4096 end of file 1 6C011B4F ReadFile 
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf4 unknown 748 success or wait 1 6D1003DE ReadFile 9f6405#\ccc7c82770f93d1392abde4be3a80378\Microsoft.Management.Infrastructure.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f unknown 900 success or wait 1 6D1003DE ReadFile 1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7e unknown 620 success or wait 1 6D1003DE ReadFile efa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b2 unknown 748 success or wait 1 6D1003DE ReadFile 19d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Config unknown 864 success or wait 1 6D1003DE ReadFile uration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config unknown 4095 success or wait 1 6D1A5705 unknown C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config unknown 8173 end of file 1 6D1A5705 unknown C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedA unknown 4096 success or wait 1 6C011B4F ReadFile ccess\AssignedAccess.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedA unknown 4096 end of file 1 6C011B4F ReadFile ccess\AssignedAccess.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile 
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 unknown 368 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 unknown 368 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 unknown 4096 success or wait 2 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 unknown 770 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 4096 success or wait 1 6C011B4F ReadFile PowerShell.Utility.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 637 end of file 1 6C011B4F ReadFile PowerShell.Utility.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 4096 success or wait 8 6C011B4F ReadFile PowerShell.Utility.psm1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 128 end of file 1 6C011B4F ReadFile PowerShell.Utility.psm1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. 
unknown 4096 end of file 1 6C011B4F ReadFile PowerShell.Utility.psm1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config unknown 4095 success or wait 1 6D1A5705 unknown C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config unknown 8173 end of file 1 6D1A5705 unknown C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 unknown 368 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 unknown 4096 success or wait 3 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 unknown 770 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 unknown 4096 success or wait 74 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 unknown 104 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 unknown 522 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile 
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 unknown 358 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 unknown 160 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 unknown 4096 end of file 1 6C011B4F ReadFile Copyright null 2020 Page 36 of 39 Source File Path Offset Length Completion Count Address Symbol C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 unknown 699 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 unknown 699 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\ unknown 4096 success or wait 1 6C011B4F ReadFile MSFT_MpComputerStatus.cdxml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\ unknown 4096 end of file 1 6C011B4F ReadFile MSFT_MpComputerStatus.cdxml C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C011B4F ReadFile 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 2 6C011B4F ReadFile C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpPreference.cdxml unknown 4096 success or wait 12 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpPreference.cdxml unknown 764 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpPreference.cdxml unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreat.cdxml unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreat.cdxml unknown 617 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpThreat.cdxml unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\ unknown 4096 success or wait 1 6C011B4F ReadFile MSFT_MpThreatCatalog.cdxml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\ unknown 4096 end of file 1 6C011B4F ReadFile MSFT_MpThreatCatalog.cdxml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\ unknown 4096 success or wait 1 6C011B4F ReadFile MSFT_MpThreatDetection.cdxml 
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\ unknown 4096 end of file 1 6C011B4F ReadFile MSFT_MpThreatDetection.cdxml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpScan.cdxml unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpScan.cdxml unknown 227 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpScan.cdxml unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpSignature.cdxml unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpSignature.cdxml unknown 243 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpSignature.cdxml unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpWDOScan.cdxml unknown 4096 success or wait 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender\MSFT_MpWDOScan.cdxml unknown 4096 end of file 1 6C011B4F ReadFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 4096 success or wait 2 6C011B4F ReadFile PowerShell.Utility.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 637 end of file 2 6C011B4F ReadFile PowerShell.Utility.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 4096 end of file 2 6C011B4F ReadFile PowerShell.Utility.psd1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 4096 success or wait 16 6C011B4F ReadFile PowerShell.Utility.psm1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. 
unknown 128 end of file 2 6C011B4F ReadFile PowerShell.Utility.psm1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft. unknown 4096 end of file 2 6C011B4F ReadFile PowerShell.Utility.psm1

Analysis Process: cmd.exe PID: 4484 Parent PID: 6952

General

Start time: 17:06:40
Start date: 30/09/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\cmd.exe
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 960 Parent PID: 976

General

Start time: 17:06:40
Start date: 30/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: conhost.exe PID: 4560 Parent PID: 4484

General

Start time: 17:06:41
Start date: 30/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: rdpvideominiport.sys PID: 4 Parent PID: -1

General

Start time: 17:06:54
Start date: 30/09/2020
Path: C:\Windows\System32\drivers\rdpvideominiport.sys
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff77ba70000
File size: 30616 bytes
MD5 hash: 0600DF60EF88FD10663EC84709E5E245
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language

Analysis Process: rdpdr.sys PID: 4 Parent PID: -1

General

Start time: 17:06:54
Start date: 30/09/2020
Path: C:\Windows\System32\drivers\rdpdr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size: 182784 bytes
MD5 hash: 52A6CC99F5934CFAE88353C47B6193E7
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language

Analysis Process: tsusbhub.sys PID: 4 Parent PID: -1

General

Start time: 17:06:55
Start date: 30/09/2020
Path: C:\Windows\system32\drivers\tsusbhub.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size: 126464 bytes
MD5 hash: 3A84A09CBC42148A0C7D00B3E82517F1
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language

Disassembly

Code Analysis
