ID: 113646
Sample Name: .exe
Cookbook: default.jbs
Time: 12:44:15
Date: 28/02/2019
Version: 25.0.0 Tiger's Eye

Table of Contents

Table of Contents ... 2
Analysis Report powershell.exe ... 4
  Overview ... 4
    General Information ... 4
    Detection ... 4
    Confidence ... 5
    Classification ... 5
    Analysis Advice ... 6
  Mitre Att&ck Matrix ... 6
  Signature Overview ... 6
    Networking ... 6
    Key, Mouse, Clipboard, Microphone and Screen Capturing ... 6
    System Summary ... 6
    Hooking and other Techniques for Hiding and Protection ... 7
    Malware Analysis System Evasion ... 7
    Anti Debugging ... 7
    Language, Device and Operating System Detection ... 7
  Behavior Graph ... 7
  Simulations ... 8
    Behavior and APIs ... 8
  Antivirus Detection ... 8
    Initial Sample ... 8
    Dropped Files ... 8
    Unpacked PE Files ... 8
    Domains ... 8
    URLs ... 9
  Yara Overview ... 9
    Initial Sample ... 9
    PCAP (Network Traffic) ... 9
    Dropped Files ... 9
    Memory Dumps ... 9
    Unpacked PEs ... 9
  Joe Sandbox View / Context ... 9
    IPs ... 9
    Domains ... 9
    ASN ... 9
    JA3 Fingerprints ... 9
    Dropped Files ... 9
  Screenshots ... 9
    Thumbnails ... 9
  Startup ... 10
  Created / dropped Files ... 10
  Domains and IPs ... 11
    Contacted Domains ... 11
    URLs from Memory and Binaries ... 11
    Contacted IPs ... 12
  Static File Info ... 12
    General ... 12
    File Icon ... 12
    Static PE Info ... 12
      General ... 12
      Entrypoint Preview ... 13
      Rich Headers ... 14
      Data Directories ... 14
      Sections ... 15
      Resources ... 15
      Imports ... 15
      Version Infos ... 16
      Possible Origin ... 16
  Network Behavior ... 16
  Code Manipulations ... 16
  Statistics ... 16
    Behavior ... 16
  System Behavior ... 17
    Analysis Process: powershell.exe PID: 4144 Parent PID: 4424 ... 17
      General ... 17
      File Activities ... 17
        File Created ... 17
        File Deleted ... 18
        File Written ... 19
        File Read ... 20
    Analysis Process: conhost.exe PID: 1828 Parent PID: 4144 ... 22
      General ... 22
  Disassembly ... 22
    Code Analysis ... 22

Copyright Joe Security LLC 2019 Page 2 of 22

Analysis Report powershell.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 113646
Start date: 28.02.2019
Start time: 12:44:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: powershell.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean5.winEXE@2/4@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Found application associated with file extension: .exe
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  Report size getting too big, too many NtAllocateVirtualMemory calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.
  Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted
Threshold | 5     | 0 - 100 | Report FP / FN | true

Confidence

Strategy  | Score | Range | Further Analysis Required?
Threshold | 5     | 0 - 5 | false

Classification

[Classification chart: scale malicious / suspicious / clean, plotted across the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware]

Analysis Advice

Sample monitors Window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: Disabling Security Tools 1; Binary Padding; Rootkit
Credential Access: Input Capture 1; Network Sniffing; Input Capture
Discovery: Process Discovery 1; Security Software Discovery 1; System Information Discovery 2
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol

Signature Overview

• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection


Networking:

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

System Summary:

Creates mutexes

PE file contains strange resources

Sample file name is different from the original file name gathered from version info

Tries to load missing DLLs

Classification label

Creates files inside the user directory

Creates temporary files

PE file has an executable .text section and no other executable section

Parts of this application are using the .NET runtime (probably coded in C#)

Reads software policies

Spawns processes

Uses an in-process (OLE) Automation server

Uses Silverlight

PE file contains a mix of data directories often seen in goodware

Contains modern PE file flags such as dynamic base (ASLR) or NX

PE file contains a debug data directory

Binary contains paths to debug symbols

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Queries a list of all running processes

Anti Debugging:

Enables debug privileges

Creates guard pages, often used to prevent reverse engineering and debugging

Language, Device and Operating System Detection:

Queries the installation date of Windows

Queries the volume information (name, serial number, etc.) of a device

Queries the cryptographic machine GUID

Behavior Graph

[Behavior graph: ID 113646, Sample powershell.exe, Startdate 28/02/2019, Architecture WINDOWS, Score 5; powershell.exe (.Net C# or VB.NET) started conhost.exe. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious]

Simulations

Behavior and APIs

Time     | Type            | Description
12:45:06 | API Interceptor | 45x Sleep call for process: powershell.exe modified

Antivirus Detection

Initial Sample

Source         | Detection | Scanner      | Label
powershell.exe | 0%        | virustotal   |
powershell.exe | 0%        | metadefender |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
powershell.exe (PID: 4144 cmdline: 'C:\Users\user\Desktop\powershell.exe' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  conhost.exe (PID: 1828 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Users\user\Desktop\powershell.exe
File Type: data
Size (bytes): 5829
Entropy (8bit): 4.8968676994158
Encrypted: false
MD5: 36DE9155D6C265A1DE62A448F3B5B66E
SHA1: 02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256: 8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512: C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious: false
Reputation: moderate, very likely benign file

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_remxe5eb.5wp.ps1
Process: C:\Users\user\Desktop\powershell.exe
File Type: ASCII text, with no line terminators
Size (bytes): 81
Entropy (8bit): 4.616360832185304
Encrypted: false
MD5: B1716921DB9CA67CE530C3DC89DC650D
SHA1: 3865E1109FFFAD465EBE28A9C17EA52650108AC9
SHA-256: 8470679657FC2802DA5B45383D61A773D00B4311A9DD5A2DE182A74579DB5D50
SHA-512: 372A3AEE5C1394485FC9353A0D6F6ABB75832B2EC01D7E7C4E3CB7519F70BEAF1F2EF687A219E44F9A1D08A313F8B9E1C84A997AB127FEC0B80852287649DF58
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xr3xgjvo.ivp.psm1
Process: C:\Users\user\Desktop\powershell.exe
File Type: ASCII text, with no line terminators
Size (bytes): 81
Entropy (8bit): 4.616360832185304
Encrypted: false
MD5: B1716921DB9CA67CE530C3DC89DC650D
SHA1: 3865E1109FFFAD465EBE28A9C17EA52650108AC9
SHA-256: 8470679657FC2802DA5B45383D61A773D00B4311A9DD5A2DE182A74579DB5D50
SHA-512: 372A3AEE5C1394485FC9353A0D6F6ABB75832B2EC01D7E7C4E3CB7519F70BEAF1F2EF687A219E44F9A1D08A313F8B9E1C84A997AB127FEC0B80852287649DF58
Malicious: false
Reputation: low

C:\Users\user\Documents\20190228\PowerShell_transcript.855271.S_qeAdfA.20190228124505.txt
Process: C:\Users\user\Desktop\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 2142
Entropy (8bit): 5.352386747722536
Encrypted: false
MD5: F9A798B6DF3441DE0A7E267721612C99
SHA1: 76F34D744EC44CCD0F743F32DBF86208A2D5E4D0
SHA-256: 932B4CA014A24F81AF3F8DCDFC2620B223C0DF6D9AD18CDB7F5325EC13BE2BD4
SHA-512: FD961D51F340473C9B15AF7544CCCCD07AED6BAA12DAB869BE545250803974E6B82416B67E9F35E39640FE8636777BF9F30B4846B61FA7C54C7B9AEFE729F0676
Malicious: false
Reputation: low

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.5502936077.0000000003659000.00000004.sdmp | false | | high
pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.5495793694.0000000002833000.00000004.sdmp | false | | high
schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.5494379531.0000000002630000.00000004.sdmp | false | | high
www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.5495793694.0000000002833000.00000004.sdmp | false | | high
https://go.micro | powershell.exe, 00000001.00000002.5502410239.000000000306B000.00000004.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.5495793694.0000000002833000.00000004.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000001.00000002.5502936077.0000000003659000.00000004.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.5502936077.0000000003659000.00000004.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000001.00000002.5502936077.0000000003659000.00000004.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.5502936077.0000000003659000.00000004.sdmp | false | | high

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 5.944043372159953
TrID: Win32 Executable (generic) a (10002005/4) 99.96%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: powershell.exe
File size: 452608
MD5: 92f44e405db16ac55d97e3bfe3b132fa
SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512: f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
SSDEEP: 6144:+FYRyCXBgoDhzoNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqOm:dRZgQhIKXzJ4pdd3klnnWosPhnzqN
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... 3...... %...... "...... 5...... y.....,...... 2...... 7.... .Rich...... PE..L.....[J...

File Icon

Icon Hash: 00c8d9f1f1f8e600

Static PE Info

General

Entrypoint: 0x22917363
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x22910000
Subsystem: windows cui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x4A5BC414 [Mon Jul 13 23:32:36 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 96ba691b035d05f44e35ab23f6ba946c

Entrypoint Preview

Instruction
call 00007F92ECD61ECEh
jmp 00007F92ECD61608h
int3 int3 int3 int3 int3
cmp ecx, dword ptr [2291A01Ch]
jne 00007F92ECD61845h
retn 0000h
jmp 00007F92ECD61F4Ah
int3 int3 int3 int3 int3 int3
jmp dword ptr [22911188h]
int3 int3 int3 int3 int3 int3
jmp dword ptr [22911174h]
int3 int3 int3 int3 int3 int3
jmp dword ptr [22911170h]
int3 int3 int3 int3 int3 int3
jmp dword ptr [22911168h]
int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3
int3 int3 int3 int3 int3 int3 int3 int3
push ebx
push esi
push edi
mov edx, dword ptr [esp+10h]
mov eax, dword ptr [esp+14h]
mov ecx, dword ptr [esp+18h]
push ebp
push edx
push eax
push ecx
push ecx
push 22917458h
push dword ptr fs:[00000000h]
mov eax, dword ptr [2291A01Ch]
xor eax, esp
mov dword ptr [esp+08h], eax
mov dword ptr fs:[00000000h], esp
mov eax, dword ptr [esp+30h]
mov ebx, dword ptr [eax+08h]
mov ecx, dword ptr [esp+2Ch]
xor ebx, dword ptr [ecx]
mov esi, dword ptr [eax+0Ch]
cmp esi, FFFFFFFEh
je 00007F92ECD6187Dh
mov edx, dword ptr [esp+34h]
cmp edx, FFFFFFFEh
je 00007F92ECD61846h
cmp esi, edx
jbe 00007F92ECD61870h
lea esi, dword ptr [esi+esi*2]
lea ebx, dword ptr [ebx+esi*4+10h]

Rich Headers

Programming Language:
[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2005 build 50727
[LNK] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9324 | 0xc8 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb000 | 0x64188 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x70000 | 0x9cc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11d0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4a80 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x288 | 0xb8 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1b0 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8c00 | 0x8c00 | False | 0.526925223214 | data | 5.97022410232 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x8e0 | 0x400 | False | 0.7578125 | SysEx File - Apple | 6.08235880371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xb000 | 0x64188 | 0x64200 | False | 0.477425678839 | data | 5.88608323376 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x70000 | 0x11c0 | 0x1200 | False | 0.444878472222 | data | 4.30405245757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
MUI | 0x6f0b0 | 0xd8 | data | English | United States
RT_ICON | 0xb870 | 0x668 | data | English | United States
RT_ICON | 0xbed8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4170186639, next used block 8947960 | English | United States
RT_ICON | 0xc1c0 | 0x1e8 | data | English | United States
RT_ICON | 0xc3a8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xc4d0 | 0xea8 | data | English | United States
RT_ICON | 0xd378 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14479096, next used block 14348536 | English | United States
RT_ICON | 0xdc20 | 0x6c8 | data | English | United States
RT_ICON | 0xe2e8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xe850 | 0x12abe | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x21310 | 0x25a8 | data | English | United States
RT_ICON | 0x238b8 | 0x10a8 | data | English | United States
RT_ICON | 0x24960 | 0x988 | data | English | United States
RT_ICON | 0x252e8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x25810 | 0x668 | data | English | United States
RT_ICON | 0x25e78 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2296940798, next used block 15239304 | English | United States
RT_ICON | 0x26160 | 0x1e8 | data | English | United States
RT_ICON | 0x26348 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x26470 | 0xea8 | data | English | United States
RT_ICON | 0x27318 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14019316, next used block 14479096 | English | United States
RT_ICON | 0x27bc0 | 0x6c8 | data | English | United States
RT_ICON | 0x28288 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x287f0 | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x6a818 | 0x25a8 | data | English | United States
RT_ICON | 0x6cdc0 | 0x10a8 | data | English | United States
RT_ICON | 0x6de68 | 0x988 | data | English | United States
RT_ICON | 0x6e7f0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_GROUP_ICON | 0x25750 | 0xbc | data | English | United States
RT_GROUP_ICON | 0x6ec58 | 0xbc | data | English | United States
RT_VERSION | 0x6ed18 | 0x394 | data | English | United States
RT_MANIFEST | 0xb690 | 0x1dd | XML 1.0 document text | English | United States

Imports

DLL | Import
ADVAPI32.dll | RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, RegQueryValueExW
KERNEL32.dll | InterlockedDecrement, GetCurrentProcess, GetModuleHandleW, SetThreadUILanguage, WriteFile, FormatMessageW, WriteConsoleW, CreateFileW, CompareStringW, GetStartupInfoW, GetStdHandle, GetLastError, FindClose, IsWow64Process, GetFileType, CloseHandle, LocalFree, ExpandEnvironmentStringsW, GetSystemDefaultUILanguage, UnmapViewOfFile, SetErrorMode, GetLocaleInfoW, GetVersionExW, CreateFileMappingW, MapViewOfFile, LoadLibraryExW, SetLastError, LoadResource, FindResourceExW, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, RtlUnwind, InterlockedCompareExchange, Sleep, InterlockedExchange, SearchPathW, FindFirstFileW, FreeLibrary, GetUserDefaultUILanguage
msvcrt.dll | __setusermatherr, _initterm, _wcsicmp, _wcsnicmp, wcsncmp, _vsnwprintf, exit, _XcptFilter, __p__commode, _controlfp, ?terminate@@YAXXZ, ??1type_info@@UAE@XZ, memcpy, _amsg_exit, __set_app_type, __p__fmode, _exit, _cexit, __wgetmainargs, _CxxThrowException, memset, __CxxFrameHandler, ??2@YAPAXI@Z, _itow, ??3@YAXPAX@Z, ??_V@YAXPAX@Z, wcsrchr, malloc, free, wcstoul, ??_U@YAPAXI@Z, wcschr, bsearch
ATL.DLL |
ole32.dll | PropVariantClear, CoInitialize, CoUninitialize, CoCreateInstance, CoInitializeEx
OLEAUT32.dll | SysAllocString, VariantClear, SafeArrayDestroy, SafeArrayCreate, SysFreeString, SafeArrayPutElement, SysStringLen
mscoree.dll | CorBindToRuntimeEx
SHLWAPI.dll | SHStrDupW
USER32.dll | LoadStringW

Version Infos

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | POWERSHELL
FileVersion | 6.1.7600.16385 (win7_rtm.090713-1255)
CompanyName | Microsoft Corporation
ProductName | Operating System
ProductVersion | 6.1.7600.16385
FileDescription | Windows PowerShell
OriginalFilename | PowerShell.EXE
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• powershell.exe
• conhost.exe


System Behavior

Analysis Process: powershell.exe PID: 4144 Parent PID: 4424

General

Start time: 12:45:04
Start date: 28/02/2019
Path: C:\Users\user\Desktop\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\powershell.exe'
Imagebase: 0x22730000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | 6E54A9F6 | unknown
C:\Users\user\AppData\Roaming | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | 6E54A9F6 | unknown
C:\Windows\system32\catroot | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | 68E26F51 | unknown
C:\Windows\system32\catroot2 | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | 68E26F51 | unknown
C:\Users\user\Documents\20190228 | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | success or wait | 1 | 6D3FBEFF | CreateDirectoryW
C:\Users\user\Documents\20190228\PowerShell_transcript.855271.S_qeAdfA.20190228124505.txt | read attributes \| synchronize \| generic read \| generic write | none | synchronous io non alert \| non directory file \| open no recall | success or wait | 1 | 6D3F1E60 | CreateFileW
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_remxe5eb.5wp.ps1 | read attributes \| synchronize \| generic write | none | sequential only \| synchronous io non alert \| non directory file \| open no recall | success or wait | 1 | 6D3F1E60 | CreateFileW
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_xr3xgjvo.ivp.psm1 | read attributes \| synchronize \| generic write | none | sequential only \| synchronous io non alert \| non directory file \| open no recall | success or wait | 1 | 6D3F1E60 | CreateFileW
C:\Windows\system32\catroot | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 2 | 68E26F51 | unknown
C:\Windows\system32\catroot2 | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 2 | 68E26F51 | unknown
C:\Windows\system32\catroot | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | 68E26F51 | unknown
C:\Windows\system32\catroot2 | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | 68E26F51 | unknown
C:\Windows\system32\catroot | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | 68E26F51 | unknown
C:\Windows\system32\catroot2 | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | 68E26F51 | unknown
C:\Windows\system32\catroot | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | 68E26F51 | unknown
C:\Windows\system32\catroot2 | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | 68E26F51 | unknown
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | read attributes \| synchronize \| generic read \| generic write | none | synchronous io non alert \| non directory file \| open no recall | success or wait | 1 | 6D3F1E60 | CreateFileW

File Deleted

File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_remxe5eb.5wp.ps1 | success or wait | 1 | 6D3F6A95 | DeleteFileW
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_xr3xgjvo.ivp.psm1 | success or wait | 1 | 6D3F6A95 | DeleteFileW

File Written

File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
C:\Users\user\Documents\20190228\PowerShell_transcript.855271.S_qeAdfA.20190228124505.txt | unknown | 3 | ef bb bf | ... | success or wait | 1 | 6D3F1B4F | WriteFile
C:\Users\user\Documents\20190228\PowerShell_transcript.855271.S_qeAdfA.20190228124505.txt | unknown | 569 | (hex dump omitted) | **********************..Windows PowerShell transcript start..Start time: 20190228124505..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 855271 (Microsoft Windows NT 6.2.9200.0)..Host Application: C:\Users\user\Deskto | success or wait | 9 | 6D3F1B4F | WriteFile
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_remxe5eb.5wp.ps1 | unknown | 81 | (hex dump omitted) | # PowerShell test file to determine AppLocker lockdown mode 2/28/2019 12:45:06 PM | success or wait | 1 | 6D3F1B4F | WriteFile
C:\Users\user\AppData\Local\Temp\__PSscriptPolicyTest_xr3xgjvo.ivp.psm1 | unknown | 81 | (hex dump omitted) | # PowerShell test file to determine AppLocker lockdown mode 2/28/2019 12:45:06 PM | success or wait | 1 | 6D3F1B4F | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | unknown | 4096 | (hex dump omitted) | PSMODULECACHE......<.e....Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1...... Uninstall-Module...... .inmo...... fimo...... Install-Module...... New-scriptFileInfo...... Publish-Module...... Install-Sc | success or wait | 1 | 6D3F1B4F | WriteFile
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | unknown | 1733 | (hex dump omitted) | .....Get-Random...... CFS........Out-String...... Write-Progress...... Disable-PSBreakpoint...... Update-FormatData...... Write-Information...... ..ConvertTo-Xml...... Set-Variable...... Out-Printer...... ..yH.8....I...C:\Program Files (x86)\WindowsP | success or wait | 1 | 6D3F1B4F | WriteFile

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E4F3625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6E4F3625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6E4F3625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6E4F3625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6E4F3625 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll.aux | unknown | 176 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E4FA974 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6E4FA974 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6E4FA974 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6E4FA974 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6E4FA974 | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\a49a6f68fd8329a3643a8c5f19cd22b1\Microsoft.PowerShell.ConsoleHost.ni.dll.aux | unknown | 1248 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\84b9171c43be8428a7ceaf253e5d7738\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\2da4cf2bb9a8f8a554da96d83ee20d39\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\fa15d91c3a3ce3897f6f7add11b07b7a\System.Management.Automation.ni.dll.aux | unknown | 2764 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\7cd45214b16ac052310de729e2e961d1\Microsoft.Management.Infrastructure.ni.dll.aux | unknown | 748 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\75bcfbe3b1bae498cf18ca849d4fa253\System.Management.ni.dll.aux | unknown | 764 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\942ad97090e80aed6f7d90cd2ee80647\System.DirectoryServices.ni.dll.aux | unknown | 752 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\4d91b386e64bacbfdf3b2db16155386b\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\a6dc920c743d8d4c45ef799d1dd53f5a\System.Numerics.ni.dll.aux | unknown | 300 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E4F3625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6E4F3625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6E4F3625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 2 | 6E4F3625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6E4F3625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4121 | success or wait | 1 | 6E4F3625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4253 | success or wait | 1 | 6E4F3625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 8171 | end of file | 1 | 6E4F3625 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\7d593032eddb9a41f2a32be1037ecf24\System.Data.ni.dll.aux | unknown | 1540 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\999dba40835396d9c8714157c431a443\Microsoft.PowerShell.Security.ni.dll.aux | unknown | 1268 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\1dd28ec19e7aa8bbfe3c3e047f961f35\System.Transactions.ni.dll.aux | unknown | 924 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\d88a90d2c98cca1a9d491dfeb73352be\System.Configuration.ni.dll.aux | unknown | 864 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 | unknown | 4096 | success or wait | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 | unknown | 492 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 | unknown | 4096 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | unknown | 4096 | success or wait | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | unknown | 774 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | unknown | 4096 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | success or wait | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | success or wait | 2 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 | unknown | 4096 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 4096 | success or wait | 7 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 682 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 4096 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | success or wait | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 289 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | success or wait | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 289 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | unknown | 4096 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 4096 | success or wait | 139 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 993 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 4096 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | success or wait | 1 | 6D3F1B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 637 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | success or wait | 1 | 6D3F1B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 637 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 4096 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\1fbb6f56ca1fe111ec8b6d45423dc33d\Microsoft.PowerShell.Commands.Utility.ni.dll.aux | unknown | 2264 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\07481a515e460188dcc18c39d52d3148\System.Configuration.Install.ni.dll.aux | unknown | 1260 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | unknown | 4096 | success or wait | 8 | 6D3F1B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | unknown | 128 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 | unknown | 4096 | end of file | 1 | 6D3F1B4F | ReadFile
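When triaging a File Read table like this one, the Count column matters: the report collapses identical repeated reads into one row, so bytes actually requested per file are Length multiplied by Count, and the "end of file" rows mark the short final read. The script below is an added example written for this page, not part of Joe Sandbox or its report; it parses a handful of rows transcribed from the table above (pipe-delimited, a constructed subset in the report's column order), totals bytes per file and per category, and lists the PowerShell manifest (.psd1) and module (.psm1) files the process pulled in, because those are the scripts executed on import and their directory is where a reviewer checks who can write. The category names and classification rules are the editor's own.

```python
from collections import defaultdict

# Rows transcribed from the File Read table above (a constructed subset), one
# per line, in the report's column order:
# Source File Path | Offset | Length | Completion | Count | Address | Symbol
FILE_READ_ROWS = r"""
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6E4F3625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 8171 | end of file | 1 | 6E4F3625 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\84b9171c43be8428a7ceaf253e5d7738\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6E45EE1E | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 4096 | success or wait | 7 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 | unknown | 682 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 4096 | success or wait | 139 | 6D3F1B4F | ReadFile
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | unknown | 993 | end of file | 1 | 6D3F1B4F | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | unknown | 637 | end of file | 1 | 6D3F1B4F | ReadFile
"""

PS_SCRIPT_EXT = (".psd1", ".psm1", ".ps1")


def parse_rows(text):
    """Split pipe-delimited rows into dicts; Length and Count become ints."""
    rows = []
    for line in text.strip().splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 7:
            raise ValueError(f"expected 7 columns, got {len(cols)}: {line!r}")
        path, offset, length, completion, count, address, symbol = cols
        rows.append({"path": path, "offset": offset, "length": int(length),
                     "completion": completion, "count": int(count),
                     "address": address, "symbol": symbol})
    return rows


def classify(path):
    """Editor's categories for what PowerShell reads at startup."""
    p = path.lower()
    if p.endswith("machine.config"):
        return "clr-config"
    if "\\nativeimages_" in p and p.endswith(".aux"):
        return "ngen-aux"
    if p.endswith(PS_SCRIPT_EXT):
        return "ps-script"
    return "other"


def bytes_by_file(rows):
    """Bytes requested per file: each row is Length bytes, Count times."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["path"]] += r["length"] * r["count"]
    return dict(totals)


def bytes_by_category(rows):
    totals = defaultdict(int)
    for r in rows:
        totals[classify(r["path"])] += r["length"] * r["count"]
    return dict(totals)


def script_files(rows, system_root=r"C:\Windows"):
    """Each PowerShell manifest/module read, once, as (path, directory,
    under_system_root). The table shows only what was read; whether the
    directory is writable by anyone but administrators is checked on the host."""
    seen = []
    for r in rows:
        if classify(r["path"]) != "ps-script" or any(r["path"] == s[0] for s in seen):
            continue
        directory = r["path"].rsplit("\\", 1)[0]
        in_root = r["path"].lower().startswith(system_root.lower() + "\\")
        seen.append((r["path"], directory, in_root))
    return seen


if __name__ == "__main__":
    rows = parse_rows(FILE_READ_ROWS)
    for path, total in sorted(bytes_by_file(rows).items(), key=lambda kv: -kv[1]):
        print(f"{total:>8}  {path}")
    print(bytes_by_category(rows))
    for path, directory, in_root in script_files(rows):
        print(("system" if in_root else "non-system"), directory)
```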

Analysis Process: conhost.exe PID: 1828 Parent PID: 4144

General

Start time: 12:45:04
Start date: 28/02/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff601f50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
