ID: 373541
Sample Name: hwi_700.exe
Cookbook: default.jbs
Time: 01:19:32
Date: 23/03/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents 2
Analysis Report hwi_700.exe 5
  Overview 5
    General Information 5
    Detection 5
    Signatures 5
    Classification 5
    Analysis Advice 5
    Startup 5
    Malware Configuration 5
    Yara Overview 6
    Sigma Overview 6
    Signature Overview 6
      Data Obfuscation: 6
      Lowering of HIPS / PFW / Operating System Security Settings: 6
    Mitre Att&ck Matrix 6
    Behavior Graph 7
    Screenshots 8
      Thumbnails 8
    Antivirus, Machine Learning and Genetic Malware Detection 9
      Initial Sample 9
      Dropped Files 9
      Unpacked PE Files 9
      Domains 10
      URLs 10
    Domains and IPs 11
      Contacted Domains 11
      URLs from Memory and Binaries 11
      Contacted IPs 15
        Public 15
        Private 15
    General Information 15
    Simulations 16
      Behavior and APIs 16
    Joe Sandbox View / Context 17
      IPs 17
      Domains 17
      ASN 17
      JA3 Fingerprints 17
      Dropped Files 17
    Created / dropped Files 17
    Static File Info 23
      General 24
      File Icon 24
      Static PE Info 24
        General 24
        Authenticode Signature 24
        Entrypoint Preview 24
        Data Directories 25
        Sections 26
        Resources 26
        Imports 27
        Version Infos 27
        Possible Origin 27
    Network Behavior 28
      UDP Packets 28

Copyright Joe Security LLC 2021 Page 2 of 48

    Code Manipulations 29
    Statistics 29
      Behavior 29
    System Behavior 29
      Analysis Process: hwi_700.exe PID: 5524 Parent PID: 5656 29 (General 29; File Activities 29: File Created 29, File Deleted 30, File Written 30, File Read 30)
      Analysis Process: hwi_700.tmp PID: 3176 Parent PID: 5524 31 (General 31; File Activities 31: File Created 31, File Deleted 32, File Moved 32, File Written 32, File Read 35; Registry Activities 36: Key Created 36, Key Value Created 36)
      Analysis Process: svchost.exe PID: 68 Parent PID: 568 39 (General 39; File Activities 39)
      Analysis Process: svchost.exe PID: 4456 Parent PID: 568 39 (General 39; File Activities 39; Registry Activities 40)
      Analysis Process: svchost.exe PID: 6048 Parent PID: 568 40 (General 40; File Activities 40)
      Analysis Process: svchost.exe PID: 4604 Parent PID: 568 40 (General 40)
      Analysis Process: svchost.exe PID: 2344 Parent PID: 568 40 (General 40; File Activities 41)
      Analysis Process: svchost.exe PID: 1320 Parent PID: 568 41 (General 41; File Activities 41)
      Analysis Process: svchost.exe PID: 5540 Parent PID: 568 41 (General 41; Registry Activities 41)
      Analysis Process: svchost.exe PID: 6160 Parent PID: 568 42 (General 42)
      Analysis Process: SgrmBroker.exe PID: 6240 Parent PID: 568 42 (General 42)
      Analysis Process: svchost.exe PID: 6252 Parent PID: 568 42 (General 42; File Activities 42)
      Analysis Process: svchost.exe PID: 6276 Parent PID: 568 43 (General 43; Registry Activities 43)
      Analysis Process: HWiNFO64.EXE PID: 6404 Parent PID: 3176 43 (General 43; File Activities 43: File Created 43, File Deleted 43, File Written 44; Registry Activities 45: Key Created 45)
      Analysis Process: svchost.exe PID: 6592 Parent PID: 568 45 (General 45; File Activities 45)
      Analysis Process: MpCmdRun.exe PID: 6256 Parent PID: 6276 46 (General 46; File Activities 46: File Written 46)
      Analysis Process: conhost.exe PID: 5720 Parent PID: 6256 47 (General 47)
    Disassembly 48
      Code Analysis 48

Analysis Report hwi_700.exe

Overview

General Information

Sample Name: hwi_700.exe
Analysis ID: 373541
MD5: f332037f0b58957…
SHA1: 31dcf1615b32730…
SHA256: c42c2a82438dc7…

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 60%
Detection scale: malicious / suspicious / clean

Classification

Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Signatures

Detected unpacking (changes PE section rights)
Changes security center settings (notifications, updates, antivirus, firewall)
AV process strings found (often used…
Antivirus or Machine Learning detec…
Checks if Antivirus/Antispyware/Fire…
Contains capabilities to detect virtua…
Contains functionality to access loade…
Contains functionality to call native f…
Contains functionality to check if a w…
Contains functionality to communica…
Contains functionality to dynamically…
Contains functionality to launch a pr…
Contains functionality to query locale…
Contains functionality to shutdown / …
Creates a process in suspended mo…
Creates driver files
Creates files inside the system direc…
Detected potential crypto function
Drops PE files
Enables driver privileges
Extensive use of GetProcAddress (o…
Found dropped PE file which has n…
Found evasive API chain (date check)
Found potential string decryption / a…
May sleep (evasive loops) to hinder …
Monitors certain registry keys / valu…
PE file contains an invalid checksum
PE file contains executable resource…
PE file contains strange resources
Queries disk information (often used…
Queries the volume information (nam…
Sample execution stops while proce…
Sample file is different than original…
Stores files to the Windows start me…
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (…

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a second analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Startup

System is w10x64
hwi_700.exe (PID: 5524 cmdline: 'C:\Users\user\Desktop\hwi_700.exe' MD5: F332037F0B58957… (remainder garbled in extraction))
  hwi_700.tmp (PID: 3176 cmdline: 'C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp' /SL5='$11021C,8777995,123392,C:\Users\user\Desktop\hwi_700.exe' MD5: 751D4F1D0F96F1DF71F778391555E52B)
    HWiNFO64.EXE (PID: 6404 cmdline: 'C:\Program Files\HWiNFO64\HWiNFO64.EXE' MD5: (garbled in extraction))
svchost.exe (PID: 68 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 4456 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 6048 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 4604 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 2344 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 1320 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 5540 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 6160 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
SgrmBroker.exe (PID: 6240 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A… (remainder garbled in extraction))
svchost.exe (PID: 6252 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 6276 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  MpCmdRun.exe (PID: 6256 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: (garbled in extraction))
    conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
svchost.exe (PID: 6592 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Cryptography
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Data Obfuscation:

Detected unpacking (changes PE section rights)

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Mitre Att&ck Matrix

Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact

Matrix body (technique cells with their per-technique signature counts): flattened column by column in extraction, not recoverable.

Behavior Graph

Behavior Graph ID: 373541
Sample: hwi_700.exe
Startdate: 23/03/2021
Architecture: WINDOWS
Score: 26

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Signatures shown in the graph:
  Detected unpacking (changes PE section rights)
  Changes security center settings (notifications, updates, antivirus, firewall)

Graph (process tree and dropped files as drawn):
  hwi_700.exe
    started hwi_700.tmp (C:\Users\user\AppData\Local\...\hwi_700.tmp, PE32)
      dropped C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32
      dropped C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
      dropped C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32
      dropped 2 other files (none is malicious)
      started HWiNFO64.EXE
        dropped C:\Users\user\AppData\...\HWiNFO64A_160.SYS, PE32+
  svchost.exe
    started MpCmdRun.exe
      started conhost.exe
  svchost.exe
  10 other processes
  DNS/IP Info: 127.0.0.1 (unknown)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
hwi_700.exe | 0% | Virustotal | | Browse
hwi_700.exe | 0% | Metadefender | | Browse
hwi_700.exe | 0% | ReversingLabs | |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Program Files\HWiNFO64\is-VRSNB.tmp | 0% | Metadefender | | Browse
C:\Program Files\HWiNFO64\is-VRSNB.tmp | 2% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp | 7% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_RegDLL.tmp | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_setup64.tmp | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_shfoldr.dll | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_shfoldr.dll | 3% | ReversingLabs | |

Unpacked PE Files

Source | Detection | Scanner | Label | Link
3.0.hwi_700.tmp.4c21dc.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | Download File
1.3.hwi_700.exe.22c8000.4.unpack | 100% | Avira | TR/Patched.Ren.Gen | Download File
3.2.hwi_700.tmp.4c21dc.2.unpack | 100% | Avira | TR/Patched.Ren.Gen | Download File
1.1.hwi_700.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2 | Download File
1.2.hwi_700.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2 | Download File
1.0.hwi_700.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2 | Download File
3.2.hwi_700.tmp.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108750 | Download File
1.3.hwi_700.exe.2556448.2.unpack | 100% | Avira | TR/Patched.Ren.Gen | Download File
1.3.hwi_700.exe.237a5dc.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | Download File

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
www.sigmatel.com/products/audio-codecs.htm | 0% | Virustotal | | Browse
www.sigmatel.com/products/audio-codecs.htm | 0% | Avira URL Cloud | safe |
www.fic.com.tw/product/intel.aspx | 0% | Virustotal | | Browse
www.fic.com.tw/product/intel.aspx | 0% | Avira URL Cloud | safe |
www.albatron.com.tw/English/service/service_index.asp?Service=down | 0% | Virustotal | | Browse
www.albatron.com.tw/English/service/service_index.asp?Service=down | 0% | Avira URL Cloud | safe |
www..com | 0% | Virustotal | | Browse
www.3dlabs.com | 0% | Avira URL Cloud | safe |
www.topstar1.com/products.asp | 0% | Avira URL Cloud | safe |
www.pcchips.com.tw/PCCWeb/Products/ProductList.aspx?CategoryID=1&MenuID=16&LanID=0 | 0% | Avira URL Cloud | safe |
www.s3graphics.com/en/products/index.aspx | 0% | Avira URL Cloud | safe |
www.skd.de/e_en/products/nics.html?navid=9 | 0% | Avira URL Cloud | safe |
www.tul.com.tw/Global/products_graphics_cards.aspx | 0% | Avira URL Cloud | safe |
www.iwill.net/support.asp | 0% | Avira URL Cloud | safe |
www.matsonic.com | 0% | Avira URL Cloud | safe |
www.chaintech.com.tw/a21_product_cate.php?pos=2 | 0% | Avira URL Cloud | safe |
www.lsi.com/channel/ChannelDownloads | 0% | Avira URL Cloud | safe |
www.clevo.com.tw/en/products/index.asp | 0% | Avira URL Cloud | safe |
www.innosetup.com/ | 0% | URL Reputation | safe |
www.innosetup.com/ | 0% | URL Reputation | safe |
www.innosetup.com/ | 0% | URL Reputation | safe |
https://www.hwinfo.comArial | 0% | Avira URL Cloud | safe |
www.epox.com/downloads.asp?class=BIOS | 0% | Avira URL Cloud | safe |
support.efficient.com | 0% | Avira URL Cloud | safe |
www.via.com.tw/en/products/processors | 0% | Avira URL Cloud | safe |
www.adata.com.tw/index.php?action=product&cid=3 | 0% | Avira URL Cloud | safe |
www.abit.com.tw/page/en/download/download.php?pFILE_TYPE=Driver | 0% | Avira URL Cloud | safe |
www.via.com.tw/en/products/mainboards/index.jsp | 0% | Avira URL Cloud | safe |
www.supox.com.tw/download/home.php | 0% | Avira URL Cloud | safe |
https://dynamic.t | 0% | URL Reputation | safe |
https://dynamic.t | 0% | URL Reputation | safe |
https://dynamic.t | 0% | URL Reputation | safe |
www.biostar.com.tw/app/en/support/download.php | 0% | Avira URL Cloud | safe |
www.pcpartner.com/download.php | 0% | Avira URL Cloud | safe |
www.dfi.com.tw/support/Download.jsp | 0% | Avira URL Cloud | safe |
www.dtk.com.tw/product/mb.html | 0% | Avira URL Cloud | safe |
www.dfi.com.tw/products/ProductCategoryAll.jsp | 0% | Avira URL Cloud | safe |
www.tul.com.tw/global/driver.aspx | 0% | Avira URL Cloud | safe |
www.zalman.co.kr/ENG/product/CategorySecond_Pic.asp?categoryname=Storage | 0% | Avira URL Cloud | safe |
www.albatron.com.tw/English/product/vga/pro_index.asp | 0% | Avira URL Cloud | safe |
www.sigmatel.com/products/tech-support.htm | 0% | Avira URL Cloud | safe |
www.ite.com.tw/EN/products.aspx | 0% | Avira URL Cloud | safe |
www.smsc.com | 0% | Avira URL Cloud | safe |
www.pcchips.com.tw/PCCWeb/Downloads/Category_Download.aspx?Categoryid=1&MenuID=35&LanID=0 | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
www.sigmatel.com/products/audio-codecs.htm | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
www.fic.com.tw/product/intel.aspx | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
www.albatron.com.tw/English/service/service_index.asp?Service=down | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
www.leadtek.com/eng/3d_graphic/default.asp?lineid=1 | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.3dlabs.com | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
www.topstar1.com/products.asp | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.pcchips.com.tw/PCCWeb/Products/ProductList.aspx?CategoryID=1&MenuID=16&LanID=0 | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.s3graphics.com/en/products/index.aspx | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
us.acer.com/ac/en/US/content/products | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000F.00000003.313049368.000001F54265C000.00000004.00000001.sdmp | false | | high
https://www.hwinfo.com/forum | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://www.amd.com/en/support | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://www.hwinfo.com/ref/eSupportDriverAgent | HWiNFO64.EXE, 00000013.00000002.333323990.0000000140460000.00000040.00020000.sdmp | false | | high
www.evga.com/Support/Drivers/Default.asp | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.gainward.com | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.skd.de/e_en/products/nics.html?navid=9 | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.leadtek.com/eng/support/list_driver.asp?license=y | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://www.gigabyte.com/Graphics-Card | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.tul.com.tw/Global/products_graphics_cards.aspx | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.iwill.net/support.asp | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.matsonic.com | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.chaintech.com.tw/a21_product_cate.php?pos=2 | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.seagate.com/products | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
support.intel.com/support/graphics | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
welcome.hp.com/country/us/eng/prodserv/networking.html | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.jmicron.com/Products.html | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.lsi.com/channel/ChannelDownloads | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.realtek.com/en/downloads | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.broadcom.com/products | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://www.amd.com/en/products/processors-desktop | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.clevo.com.tw/en/products/index.asp | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.highpoint-tech.com/USA_new/service_support.htm | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.ami.com/support/product.cfm | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.innosetup.com/ | hwi_700.tmp, hwi_700.tmp, 00000003.00000002.315028779.0000000000401000.00000020.00020000.sdmp, hwi_700.tmp.1.dr | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://www.hwinfo.comArial | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.epox.com/downloads.asp?class=BIOS | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
support.efficient.com | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.via.com.tw/en/products/processors | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
downloadcenter.intel.com/default.aspx | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.evga.com/products/prodlist.asp?switch=5 | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.marvell.com/support.html | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.adata.com.tw/index.php?action=product&cid=3 | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.lenovo.com/products | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.abit.com.tw/page/en/download/download.php?pFILE_TYPE=Driver | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.dell.com | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.inno3d.com/support/download_inno3d.html | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.station-drivers.com/page/abit/abit%20index.htm | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
support.turtlebeach.com/site/support/supporthome.asp | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
us.acer.com/ac/en/US/content/drivers | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.ericsson.com/support | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.via.com.tw/en/products/mainboards/index.jsp | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000F.00000003.312981165.000001F542661000.00000004.00000001.sdmp | false | | high
www.sandisk.com/business-solutions/ssd/landing | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.ralinktech.com/product_overview.php?s=1 | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.supox.com.tw/download/home.php | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.supermicro.com/support/resources | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://dynamic.t | svchost.exe, 0000000F.00000003.313112871.000001F54263D000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://www.asus.com/Motherboards | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.tyan.com/support_Step1_bios.aspx | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.xfxforce.com/en-gb/Help/Support.aspx | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000F.00000003.312981165.000001F542661000.00000004.00000001.sdmp | false | | high
www.biostar.com.tw/app/en/support/download.php | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
support.amd.com | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.asrock.com/support/download.asp | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.hwinfo.com | hwi_700.tmp, 00000003.00000002.314870625.000000000018D000.00000004.00000010.sdmp, is-VRSNB.tmp.3.dr | false | | high
www.nvidia.com/content/drivers/drivers.asp | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://www.hwinfo.com/download/AutoUpdateAutoUpdateBetaDisablehttps://www.hwinfo.com/version-histor | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.pcpartner.com/download.php | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.dfi.com.tw/support/Download.jsp | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.tyan.com/product_board.aspx | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
global.shuttle.com/download.jsp | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://www.gigabyte.com/Motherboard | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000F.00000003.313049368.000001F54265C000.00000004.00000001.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000F.00000003.313049368.000001F54265C000.00000004.00000001.sdmp | false | | high
www.dtk.com.tw/product/mb.html | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.dfi.com.tw/products/ProductCategoryAll.jsp | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://downloadcenter.intel.com/ | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000F.00000003.312981165.000001F542661000.00000004.00000001.sdmp | false | | high
www.avm.de/en/Produkte/index.html | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.qlogic.com/Products/products_landingpage.aspx | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.cisco.com/public/sw-center | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.smc.com/index.cfm?action=products_choose_product&cat_id=1&prodCat=PC%20Connectivity | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.tul.com.tw/global/driver.aspx | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.zalman.co.kr/ENG/product/CategorySecond_Pic.asp?categoryname=Storage | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.promise.com/support/download.aspx?region=en-global&m=93 | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://www.hwinfo.com/ver.txt | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.albatron.com.tw/English/product/vga/pro_index.asp | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.foxconnchannel.com/product/Motherboards | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.cisco.com/en/US/products/hw/wireless | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.linksys.com/products | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.sigmatel.com/products/tech-support.htm | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.avm.de/en/Download/index.php3 | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.ite.com.tw/EN/products.aspx | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.smsc.com | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.pegatroncorp.com | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
www.pcchips.com.tw/PCCWeb/Downloads/Category_Download.aspx?Categoryid=1&MenuID=35&LanID=0 | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.foxconnchannel.com/Product/GraphicCards | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000F.00000003.313112871.000001F54263D000.00000004.00000001.sdmp | false | | high
www.hp.com/support | HWiNFO64.EXE, 00000013.00000002.332666037.0000000140001000.00000040.00020000.sdmp | false | | high
https://www.hwinfo.com/ref/eSupportDriverAgent( | HWiNFO64.EXE, 00000013.00000002.333323990.0000000140460000.00000040.00020000.sdmp | false | | high

Contacted IPs

[Map legend: No. of IPs < 25% / 25% to 50% / 50% to 75% / > 75%]

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(no entries)

Private

IP: 127.0.0.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 373541
Start date: 23.03.2021
Start time: 01:19:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: hwi_700.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus26.evad.winEXE@20/17@0/1
EGA Information: Successful, ratio: 66.7%
HDC Information: Successful, ratio: 14.3% (good quality ratio 14%); Quality average: 87%; Quality standard deviation: 21.9%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
  Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, UsoClient.exe
  Excluded IPs from analysis (whitelisted): 40.88.32.150, 92.122.145.220, 104.43.139.144, 13.88.21.125, 104.42.151.234, 23.218.208.56, 20.50.102.62, 20.54.26.129, 51.11.168.160, 92.122.213.194, 92.122.213.247
  Excluded domains from analysis (whitelisted): fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net
  Report size exceeded maximum capacity and may have missing behavior information.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Read the behavioural sections with these limits in mind: the run ended on timeout, the report is the "light" type, HCA failed, hypervisor-based inspection was off, and the report itself was truncated for size, so the absence of an activity here is weaker evidence than its presence.

Simulations

Behavior and APIs

Time | Type | Description
01:20:46 | API Interceptor | 2x Sleep call for process: svchost.exe modified
01:22:07 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_RegDLL.tmp

_RegDLL.tmp is one of Inno Setup's standard helper binaries (alongside _setup64.tmp and _shfoldr.dll in the same _isetup directory) and is shared by every installer built with the same Inno Setup release. The matches below therefore say only that other Inno Setup installers in the Joe Sandbox database were classified malicious; they are not evidence about hwi_700.exe, and the helper's own detection rate is 0% (see its entry under Created / dropped Files).

Associated Sample Name / URL | SHA 256 | Detection | Link | Context
WFilter_en_5.0_117.exe | Get hash | malicious | Browse |
MSI71C1.exe | Get hash | malicious | Browse |
delfino-g3.exe | Get hash | malicious | Browse |
#U589e#U503c#U7a0e#U53d1#U7968#U5f00#U7968#U8f6f#U4ef6#Uff08#U7a0e#U52a1UKey#U7248#Uff09.exe (escaped Unicode; decodes to 增值税发票开票软件（税务UKey版）.exe, "VAT invoice issuing software (tax UKey edition)") | Get hash | malicious | Browse |
PDFCreator-1_2_1_setup.exe | Get hash | malicious | Browse |
Malwarebytes Anti-Malware 3.8.3.2965.exe | Get hash | malicious | Browse |
sidmool_www181_freesell_co_kr.exe | Get hash | malicious | Browse |
113.163.216.120:84/codebase/WebComponents.exe | Get hash | malicious | Browse |
www.terabyteunlimited.com/downloads/terabyte_drive_image_backup_and_restore_suite_en_gui_trial.exe | Get hash | malicious | Browse |
https://www.terabyteunlimited.com/downloads/terabyte_drive_image_backup_and_restore_suite_en_gui_trial.exe | Get hash | malicious | Browse |
CuteWriter.exe | Get hash | malicious | Browse |
CuteWriter.exe | Get hash | malicious | Browse |
LaborProUpgrade.exe | Get hash | malicious | Browse |
LaborProUpgrade.exe | Get hash | malicious | Browse |
www.nfobuilder.com/files/MusicNFOBuilder121a-setup.exe | Get hash | malicious | Browse |
nbumailSrv405.exe | Get hash | malicious | Browse |
9GtD8eJphx.exe | Get hash | malicious | Browse |
RmC5VXmHCD.exe | Get hash | malicious | Browse |
kS7FWQVypL.exe | Get hash | malicious | Browse |
SUPERsetup.exe | Get hash | malicious | Browse |

Created / dropped Files

C:\Program Files\HWiNFO64\is-5O4KV.tmp
Process: C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 784162
Entropy (8bit): 6.614140541581458
Encrypted: false
SSDEEP: 12288:qRObekMtkfohrPUs37uzHnA6zgpKq35eERXprNrHIR3+j1vGgZhXIJDEx9Cq:cObekYkfohrP337uzHnA6cgqpeEFHR9F
MD5: 3E72C2CF777015F52920F168C189739B
SHA1: 22DFCF6D09346B9D1B06FD4A2041C907762CD5C4
SHA-256: C939DA00FCFA3F7D498BE9FD1AFC609E74A8497EF2E5FA3C33E238886D5D1E09
SHA-512: 563237803E47E678A557DC8ED1F6ED8262FA0A23AA9CE4FEEF4F9F2C31A5F57909FE36652B4653D5F681A60CF7F43336D540C7261A59523F72368BAC3D623083
Malicious: false
Preview: MZP...... @...... !..L.!..This program must be run under Win32..$7...... PE..L....^B*...... f...d...... pr...... @...... @...... %...... )...... CODE.....d...... f...... `DATA...... j...... @...BSS...... |...... idata...%...... &...|...... @....tls...... rdata...... @..P.reloc...... @ ..P.rsrc....)...... *...... @..P...... J...... @..P......
Note: the ssdeep differs from that of hwi_700.tmp (below) only in its final characters and the preview is identical, i.e. this is the same Inno Setup loader image written into the install directory as the uninstaller (Inno Setup drops it under an is-XXXXX.tmp name first).

C:\Program Files\HWiNFO64\is-VRSNB.tmp
Process: C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 6008776
Entropy (8bit): 7.9943246436910025
Encrypted: true
SSDEEP: 98304:QFTdgh9BXlEZ6UGV9WfU4pEQ7jJg+4W4s4KT2KwpXla6Br90Fivxe+v+NnWZVix:QFTdgh9B1EgUtvpEQ7jKWR4E2fja6haf
MD5: 59F9BA1D2DC490A51E3779EB26D8F9A3
SHA1: DEBCC1FCED26A03BAAAC27E2B7E29BF31136D08B
SHA-256: 5A9A4757CF66A6B870A499D8231DD652D25A6314BB0B8FA099F2471694BCAD11
SHA-512: 5483BA9B9384712EA968FBCDEDFDE1A1191CB1D363166D89A690799172C87AEED4B4D3E2CC3156E054FE495593EC48FE8FCAF770B52A165E6F907E21C78E296D
Malicious: false
Antivirus: Metadefender, Detection: 0%; ReversingLabs, Detection: 2%
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... 8.lpk.lpk.lpk...k.lpk.>.k.mpkq#.k.lpk...kvlpk.>.k.lpk...k.lpk.lqkwnpk..k.lpk... k.lpk...k.mpk.>.k.lpk...k.lpkRich.lpk...... PE..d...{MG`...... #...... Y...... @...... [...... ,...P...... ,.....g..V....[..!...... E.@...... aaaa...... bbbb...... Y...... Y...... @....rsrc...... Y...... @...... !.$..
Note: the size, 6008776 bytes, equals the target length recorded in the HWiNFO64.lnk shortcut below, so this temporary name becomes C:\Program Files\HWiNFO64\HWiNFO64.EXE. "Encrypted: true" is the report's entropy-threshold flag; 7.994 bits per byte indicates packed or compressed content, not necessarily encryption.

C:\Program Files\HWiNFO64\unins000.dat
Process: C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp
File Type: data
Category: dropped
Size (bytes): 2342
Entropy (8bit): 3.9382699103064778
Encrypted: false
SSDEEP: 24:i7GRg9h1SDxEJOQLRVMMIVRURyRSIRsGXYgIoPVMwVMwvVMw78VtzciItX:cGyGGDlg7ICSssGIgImLjEELtX
MD5: 34C90401A71910BE45D4B1A6B10E474F
SHA1: 21B41FEBF81A07807170642A5AC5FB0FB5EB6E5A
SHA-256: A1CC539AD869826056DEF2FD8FE27A95CC52512DFB12E92D1D6130B4F9698034
SHA-512: D74C2F7B30785F9D0CD9EC75A6F50A4FF783C58418C8A43A629E18D153D49626A66549381E4A0C695E8DA0AD6A9B3598F29F58DB489C175FFB1237E6815C6179
Malicious: false
Preview: ...... e...... 9....320946.user.C:\Program Files\HWiNFO64...... 5...... ]....%.IFPS...... BOOLEAN...... !MAIN....- 1.....R...... GETNAME3264....8 @8..IS64BITINSTALLMODE...... `...... `...... _...... HWiNFO64...... _...... HWiNFO32...... C:\Program Files\HWiNFO64 =C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HWiNFO64.HWiNFO64.default...... NameAndVersion....

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.5984970803815473
Encrypted: false
SSDEEP: 6:btKk1GaD0JOCEfMuaaD0JOCEfMKQmDG/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:bPGaD0JcaaD0JwQQ2tAg/0bjSQJ
MD5: 9DD7D084762273FEB66D6F5CE6EC173C
SHA1: 2910F2E0E78B323AEE3D872F3DB996B620788920
SHA-256: A113F04FD9B31A4742327E166C2CEF4934D6A732814C3D3755060FE06CA0CF3E
SHA-512: 7B143AD523D2B7E2C566389B7668B94560763787721F6E4182444DE37102516F04D728415B59968E09A108BEE87963FAC00174C90E97C0C0B8A6A6794E1F6599
Malicious: false
Preview: ....E..h..(...... y7...... 1C:\ProgramData\Microsoft\Network\Downloader\...... C:\ProgramData\Microsoft\Network\Downloader\...... 0u...... @...@...... y7...... &...... e.f.3...w...... 3...w...... h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G......

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x7a394d54, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.0968072511218519
Encrypted: false
SSDEEP: 6:X4zwl/+K76RIE11Y8TRXbYEYBeKB4zwl/+K76RIE11Y8TRXbYEYBeK:X40+m6O4blwkKB40+m6O4blwkK
MD5: BD3E4286E17C12818DF8DE1BFFF81B93
SHA1: 7ACAF520ECEC1AD16EE19D847AC48B5301D1EE18
SHA-256: D4DF3D9E4C49FDE0F828050FF2DEE505C7667E4E8F54E7E8089C1687DB2C10B3
SHA-512: 6871A189B866DEDBD5EB4DBA79220C2D4B27D0425ADABBD840A64BCCB695E2B8FACB565397D3426784F89609580D705A1586A0E1AA221105F6043E61813FCFC5
Malicious: false
Preview: z9MT...... e.f.3...w...... &...... w...... y7.h.(...... 3...w...... B...... @...... 3...w...... y.m...... -...... y......

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.11101844856116926
Encrypted: false
SSDEEP: 3:25EvL6wQ/MAl/bJdAtiEYcwLltall:28HQ/MAt4jYBa
MD5: A4DA5CC5902FC2DEE92CD4CFF638E405
SHA1: E707BB92ADEABC731C9334B3EE1EFFF3E58AE2F3
SHA-256: 5BA9FA515BED4D5D7A59B1CB45ACC129919A68DB01B41F3CC0E474D8FE1FF16A
SHA-512: F6856206E35C0C95E170326CCFDB7E527A978BF045C311D14642B7D73A006F89C63CCE96E9801FE2238B54E9C9913B7B4C39A453127F4770C5A89BF7D8CA24E6
Malicious: false
Preview: .u.-...... 3...w...... y...... w...... w...... w....:O.....w...... -...... y......

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HWiNFO64\HWiNFO64.lnk
Process: C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Mar 23 07:20:53 2021, mtime=Tue Mar 23 07:20:54 2021, atime=Tue Mar 9 17:27:28 2021, length=6008776, window=hide
Category: dropped
Size (bytes): 871
Entropy (8bit): 4.6218530010121865
Encrypted: false
SSDEEP: 12:8mp1BYXZhMBIdpF4y7yk78uPyFSqLjEjASJYbdp0mqJbdp0WGc5IG65IGFGm:8mpcdhv7DMSWUASJMdWmudW1DKm
MD5: DB41CF469F20081FBD40E3BE73F72538
SHA1: D16CC4841A6C2AA8D5ECE4AFE3300E7BD079273B
SHA-256: 526CF40C04418D3A0BCE5A29A4DEE95665CFEF481E7F7E184D0A358DB5DD23C8
SHA-512: 1ADDA8262CC4F410ABE440D6C6588EA6CA708BDAC6FAD10E10BE9125E1709A95D988B2489ACACCCCE1CEC2E50B7EFBAB2554AA6EBD80AD6F25E270876A0D6301
Malicious: false
Preview: L...... F...... @."q....9.Rq...... [...... {....P.O. .:i.....+00.../C:\...... 1..... >Q=w..PROGRA~1..t...... L.>Qnx....E...... J...... P.r.o.g.r.a.m. [email protected] .2...d.l.l.,.-.2.1.7.8.1.....Z.1.....wR.B..HWiNFO64..B...... wR.BwR.B.....g...... ?..H. W.i.N.F.O.6.4.....f.2..[.iRn. .HWiNFO64.EXE..J...... wR.BwR.B.....g...... H.W.i.N.F. O.6.4...E.X.E...... U...... -...... T...... 6...... C:\Program Files\HWiNFO64\HWiNFO64.EXE..5.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.H.W.i.N.F.O.6.4.\.H.W.i.N.F.O.6.4...E.X.E...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.H.W.i.N.F.O.6.4.`...... X...... 320946...... !a..%.H.VZAj...... -...... -..!a..%.H.VZAj...... -...... -.E...... 9...1SPS..mD..pH.H@..=x.....h....H...... K*[email protected]......
Target (from the shortcut data): C:\Program Files\HWiNFO64\HWiNFO64.EXE, working directory C:\Program Files\HWiNFO64, target length 6008776 bytes.

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.11016530345718395
Encrypted: false
SSDEEP: 12:26BzXm/Ey6q99958a+4nq3qQ10nMCldimE8eawHjccwCv:26Ml68q5PLyMCldzE9BHjcS
MD5: 489125DD4DC4D901DA4262426E34B6A5
SHA1: 4AD5E06C09973D7442D6F5C4DDCC6EE8CC8B60B8
SHA-256: B64189CA2FC346FDACE856540DAE99E9FA171B60A0F8F129F19B130DD7C98369
SHA-512: A0CA4EEC8B315FB59A79DE4F86AA22094A8EC517DB86F186C1EB061F9E1319E3D6B0BC9697CA29C45BE3DD06946D366CB19186FCF0A6F3F27E695B0781CE9BA8
Malicious: false
Preview: ...... x...(....3...... B...... Zb...... @.t.z.r.e.s...d.l.l.,.-.2.1.2...... @.t.z. r.e.s...d.l.l.,.-.2.1.1...... }v.B*...... ~..t...... S.y.n.c.V.e.r.b. o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y. n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...... P.P.x...(....z ......
Note: this and the two ETL files that follow are Windows' own ActiveSync trace logs written by svchost.exe, not output of the sample. The UTF-16 header inside the file records the path as C:\Users\hardz\AppData\Local\packages\ActiveSync\..., whereas the report lists it under C:\Users\user\...; the analysis user name is rewritten in the report's paths but survives inside file contents.

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.11275794893125118
Encrypted: false
SSDEEP: 12:q/zXm/Ey6q99958aRvlx1miM3qQ10nMCldimE8eawHza1miIfJkf:5l68qET1tMLyMCldzE9BHza1tIBU
MD5: 6C34EA8C7C65EDC395A81FBADBBA790D
SHA1: 19C8D8C8B4055F67B81979CA18791023E81D1238
SHA-256: EAB05F065C3A9186AB55F186400009A3373C2C4B3DCE439C6597B3DD7568F23B
SHA-512: 40287131F4EB0CA52C3E30E869922EA94B5A3B61F89B59C61E3E906A73F999092D65DF5690C8D8AAC6EFA89D7A6D76BEC318E8D23711F08F1EABD0C5F321CBE4
Malicious: false
Preview: ...... x...(...... B...... Zb...... @.t.z.r.e.s...d.l.l.,.-.2.1.2...... @.t.z. r.e.s...d.l.l.,.-.2.1.1...... }v.B*...... ,,.t...... U.n.i.s.t.a.c.k. C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y. n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l...... P.P.x... (......

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.11259647075590015
Encrypted: false
SSDEEP: 12:cDXm/Ey6q99958awx1mK2P3qQ10nMCldimE8eawHza1mK62f:c6l68qB1iPLyMCldzE9BHza1zf
MD5: 83F7A796B7130604B0D3E0E807A19A76
SHA1: F29D4A50876A5E35268A5B39054D90BDA26E0822
SHA-256: 444FED23A36A9D5E3D0703251A5FC7EC7BB9C37F22BC6587F68E68D5821DF887
SHA-512: B58E4F595C3D6F608D80A8DEA3464AB53BDFD39AB40F297F23E9CAC96EB3AFB43FBC2D44C878C2EC84D9148251DB2C802E65CC3D9E4C77D55BAC1985918411ED
Malicious: false
Preview: ...... x...(...... B...... Zb...... @.t.z.r.e.s...d.l.l.,.-.2.1.2...... @.t.z.r .e.s...d.l.l.,.-.2.1.1...... }v.B*...... t...... U.n.i.s.t.a.c.k.C. r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n. c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l...... P.P.x...(. ..b......

C:\Users\user\AppData\Local\Temp\HWiNFO64A_160.SYS
Process: C:\Program Files\HWiNFO64\HWiNFO64.EXE
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 387216
Entropy (8bit): 6.744044779297885
Encrypted: false
SSDEEP: 6144:/Pa0HKjPa0HKjPa0HKjPa0HKjPa0HKjPa0HKz:Nsssss2
MD5: ACD766DEBD34EE048AF5034E54361F63
SHA1: 486476ECDC49B8698E8C0D0A54827917E5F4734B
SHA-256: 6DC35E6FDBE9E06B38CE25EC2E2E5232B37B36A32C9962F0F79E7453CEA6847B
SHA-512: 2C5110FE1E2C703E82EF81F6B5D3FFCF4A364C7FC8FE99C18551DA76A355450E9211B7255CB4B2B7343F7B9B25BAB2F7EAE48A2253E9258FA9858CC097280385
Malicious: false
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... m...... k...... }...... w...... j...... o.....Rich...... PE..d...kN?`...... "...... d...... <...... |...... F...... @...... @...... text...m...... h.rdata...... @..H.data...p...... @....pdata..|...... @..HINIT....T...... rsrc...... @..B......
Note: the native subsystem, the .SYS extension and the INIT section mark this as a kernel-mode driver, written to the user's Temp directory by HWiNFO64.EXE (the application's hardware-access driver). The highly repetitive ssdeep (six identical chunks) reflects the same block of content repeated inside the file.

C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp
Process: C:\Users\user\Desktop\hwi_700.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 773632
Entropy (8bit): 6.607339053646843
Encrypted: false
SSDEEP: 12288:qRObekMtkfohrPUs37uzHnA6zgpKq35eERXprNrHIR3+j1vGgZhXIJDEx9C+:cObekYkfohrP337uzHnA6cgqpeEFHR91
MD5: 751D4F1D0F96F1DF71F778391555E52B
SHA1: C001191FE2D59542A94471F37127F7FC43FCFD02
SHA-256: 249A43F4202A145F53CB034C6AD9AB91A2F783621B4B172B89660F91A9285D1F
SHA-512: 4588091FC4E9187056C0B8F943973E1F49F511F037EB5153A0F716CD32ED87B2139E8604A49FE2F091F84CF17960388A2A7F95EFA775F563580810039CEBFD2D
Malicious: false
Antivirus: Metadefender, Detection: 0%; ReversingLabs, Detection: 7%
Preview: MZP...... @...... !..L.!..This program must be run under Win32..$7...... PE..L....^B*...... f...d...... pr...... @...... @...... %...... )...... CODE.....d...... f...... `DATA...... j...... @...BSS...... |...... idata...%...... &...|...... @....tls...... rdata...... @..P.reloc...... @ ..P.rsrc....)...... *...... @..P...... J...... @..P......

C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_RegDLL.tmp
Process: C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4096
Entropy (8bit): 4.026670007889822
Encrypted: false
SSDEEP: 48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
MD5: 0EE914C6F0BB93996C75941E1AD629C6
SHA1: 12E2CB05506EE3E82046C41510F39A258A5E5549
SHA-256: 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
SHA-512: A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
Malicious: false
Antivirus: Metadefender, Detection: 0%; ReversingLabs, Detection: 0%
Joe Sandbox View (same file seen in other analyses; see the Dropped Files context table above for why this Inno Setup helper matches unrelated installers):
  Filename: WFilter_en_5.0_117.exe, Detection: malicious
  Filename: MSI71C1.exe, Detection: malicious
  Filename: delfino-g3.exe, Detection: malicious
  Filename: #U589e#U503c#U7a0e#U53d1#U7968#U5f00#U7968#U8f6f#U4ef6#Uff08#U7a0e#U52a1UKey#U7248#Uff09.exe, Detection: malicious
  Filename: PDFCreator-1_2_1_setup.exe, Detection: malicious
  Filename: Malwarebytes Anti-Malware 3.8.3.2965.exe, Detection: malicious
  Filename: sidmool_www181_freesell_co_kr.exe, Detection: malicious
  Filename: 113.163.216.120:84/codebase/WebComponents.exe, Detection: malicious
  Filename: www.terabyteunlimited.com/downloads/terabyte_drive_image_backup_and_restore_suite_en_gui_trial.exe, Detection: malicious
  Filename: https://www.terabyteunlimited.com/downloads/terabyte_drive_image_backup_and_restore_suite_en_gui_trial.exe, Detection: malicious
  Filename: CuteWriter.exe, Detection: malicious
  Filename: CuteWriter.exe, Detection: malicious
  Filename: LaborProUpgrade.exe, Detection: malicious
  Filename: LaborProUpgrade.exe, Detection: malicious
  Filename: www.nfobuilder.com/files/MusicNFOBuilder121a-setup.exe, Detection: malicious
  Filename: nbumailSrv405.exe, Detection: malicious
  Filename: 9GtD8eJphx.exe, Detection: malicious
  Filename: RmC5VXmHCD.exe, Detection: malicious
  Filename: kS7FWQVypL.exe, Detection: malicious
  Filename: SUPERsetup.exe, Detection: malicious
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... H...... |...... |...... |...... Rich...... PE..L....M;J...... @...... @...... l ..P....0..@...... D...... text...... `.rdata...... @[email protected][email protected]...... @..@......

C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_setup64.tmp
Process: C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.215994423157539
Encrypted: false
SSDEEP: 96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5: 4FF75F505FDDCC6A9AE62216446205D9
SHA1: EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256: A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512: BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious: false
Antivirus: Metadefender, Detection: 0%; ReversingLabs, Detection: 0%
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... ^...... l...... =\...... =\...... =\...... Rich...... PE..d...XW:J...... #...... @...... `......

C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_shfoldr.dll
Process: C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 23312
Entropy (8bit): 4.596242908851566
Encrypted: false
SSDEEP: 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA1: 3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512: 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious: false
Antivirus: Metadefender, Detection: 0%; ReversingLabs, Detection: 3%
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$...... PE..L.....\;...... #...... 4...... '...... 0.....q...... k...l)..<....@.../...... p ..T...... text...{...... `.data...\....0 ...... &...... @....rsrc..../[email protected]...(...... @[email protected]...... p...... X...... @..B......

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Process: C:\Windows\System32\svchost.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: data
Category: modified
Size (bytes): 906
Entropy (8bit): 3.1318585797623872
Encrypted: false
SSDEEP: 12:58KRBubdpkoF1AG3rPH0LlowZk9+MlWlLehB4yAq7ejCMH0LloQI:OaqdmuF3rmW+kWReH4yJ7MOw
MD5: E639CE98AFFB5C34C80BAD8E422305F0
SHA1: 018E0640535271A04D30D4706DE47AE508C0F5E6
SHA-256: 89CAC0AD4789AD1FB84DA6C442C8C5F26DDDEACD887ECEDACBACA293AF597B74
SHA-512: BD58EE220F9F3F16B24BB9D527D426D4AB87BD54C901755719B35109375A8F5F67034871243D7BA7ED0E97F78CE3556017EC5B6729EB395812A1AB3545AC965A
Malicious: false
Preview (the file is UTF-16LE text, which is why the raw preview shows a dot between every character; decoded here):
  ------------------------------------------------------------
  MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
  Start Time: Tue Mar 23 2021 01:22:07
  MpEnsureProcessMitigationPolicy: hr = 0x1
  WDEnable
  ERROR: MpWDEnable(TRUE) failed (800704EC)
  MpCmdRun: End Time: Tue Mar 23 2021 01:22:07
  ------------------------------------------------------------
Note: this is Windows Defender's own command-line tool attempting to re-enable Defender (-wdenable). The failure code 0x800704EC is HRESULT_FROM_WIN32(1260), ERROR_ACCESS_DISABLED_BY_POLICY, i.e. Defender is disabled by policy in the analysis VM. Check the process tree before attributing this file to the sample.
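Reading that log programmatically, as an added example (not code from the report or from Microsoft): MpCmdRun writes UTF-16LE with a byte-order mark, and the ERROR line carries an HRESULT whose facility and code identify the underlying Win32 error. SAMPLE_LOG below is reconstructed from the decoded preview and is constructed test input, not the captured file; WIN32_ERRORS is a small hand-picked subset of the Win32 error table, not a complete mapping.

```python
"""Parse an MpCmdRun.log (UTF-16LE with BOM) and decode the HRESULTs it reports.
Added example, not code from the Joe Sandbox report or from Microsoft."""
import re

FACILITY_WIN32 = 7
# Hand-picked subset of winerror.h; extend as needed.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 1060: "ERROR_SERVICE_DOES_NOT_EXIST",
                1260: "ERROR_ACCESS_DISABLED_BY_POLICY"}
FACILITY_NULL_CODES = {0: "S_OK", 1: "S_FALSE"}

# Constructed from the report's preview; the real file is 906 bytes and contains more padding.
SAMPLE_LOG = b"\xff\xfe" + "\r\n".join([
    "-" * 40,
    'MpCmdRun: Command Line: "C:\\Program Files\\Windows Defender\\mpcmdrun.exe" -wdenable',
    "   Start Time: Tue Mar 23 2021 01:22:07",
    "",
    "MpEnsureProcessMitigationPolicy: hr = 0x1",
    "WDEnable",
    "ERROR: MpWDEnable(TRUE) failed (800704EC)",
    "MpCmdRun: End Time: Tue Mar 23 2021 01:22:07",
    "-" * 40,
]).encode("utf-16-le")


def decode_hresult(hr: int) -> dict:
    """Split an HRESULT into severity, facility and code; name Win32-wrapped codes."""
    failed = bool(hr & 0x80000000)
    facility = (hr >> 16) & 0x7FF
    code = hr & 0xFFFF
    if not failed and facility == 0:
        name = FACILITY_NULL_CODES.get(code)
    elif facility == FACILITY_WIN32:
        name = WIN32_ERRORS.get(code)          # HRESULT_FROM_WIN32(code)
    else:
        name = None
    return {"hresult": hr, "failed": failed, "facility": facility, "code": code, "name": name}


def parse_mpcmdrun_log(raw: bytes) -> dict:
    """Return command line, timestamps, ERROR lines and 'hr = 0x..' lines with decoded HRESULTs."""
    text = raw.decode("utf-16-le").lstrip("\ufeff")   # BOM-prefixed UTF-16LE, as MpCmdRun writes it
    cmd = re.search(r"MpCmdRun: Command Line:\s*(.+)", text)
    start = re.search(r"Start Time:\s*(.+)", text)
    end = re.search(r"End Time:\s*(.+)", text)
    errors = [{"call": m.group(1), **decode_hresult(int(m.group(2), 16))}
              for m in re.finditer(r"ERROR:\s*(.*?)\s*\(([0-9A-Fa-f]{8})\)", text)]
    hr_lines = {m.group(1): decode_hresult(int(m.group(2), 16))
                for m in re.finditer(r"^(\w+): hr = 0x([0-9A-Fa-f]+)", text, re.M)}
    return {"command_line": cmd.group(1).strip() if cmd else None,
            "start": start.group(1).strip() if start else None,
            "end": end.group(1).strip() if end else None,
            "errors": errors, "hr_lines": hr_lines}


if __name__ == "__main__":
    result = parse_mpcmdrun_log(SAMPLE_LOG)   # for the real file: parse_mpcmdrun_log(open(path, "rb").read())
    print(result["command_line"])
    for err in result["errors"]:
        print(f"{err['call']}: 0x{err['hresult']:08X} facility={err['facility']} "
              f"code={err['code']} ({err['name']})")
```

For the log above this yields facility 7 (FACILITY_WIN32) and code 0x4EC = 1260, ERROR_ACCESS_DISABLED_BY_POLICY, while the 0x1 on the MpEnsureProcessMitigationPolicy line is S_FALSE, a success code. The same decoder applies to any HRESULT that turns up in installer or Defender logs; only the WIN32_ERRORS table needs extending.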

Static File Info

General
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.99889064936303
TrID:
  Win32 Executable (generic) a (10002005/4) 98.86%
  Inno Setup installer (109748/4) 1.08%
  Win16/32 Executable Delphi generic (2074/23) 0.02%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
File name: hwi_700.exe
File size: 9076976
MD5: f332037f0b58957d24f6dec27e912287
SHA1: 31dcf1615b327302d7937725398c71e44c5f2aa6
SHA256: c42c2a82438dc7f543228367db956801e0e6d2534585d9685c4d4bb5a40ffda1
SHA512: 3ab9bf210d35cb491d0630e7d8dc107566df8184b8cd54a18cd710c5626eccedcbb4562dd0021fb6d698c81e5e78d7c8495a7588889abba4da1271734c4888f0
SSDEEP: 196608:t8J3fA9aiKhT64vlLms5M5hexHEKvPzZHTG8gCcdt70Jtnu9rsvuFuyH1uC:t8JvfQ4VjACPJ0Ccd+JwUosC
File Content Preview: MZP...... @...... !..L.!..This program must be run under Win32..$7......

The file-level entropy of 7.9989 bits per byte is not a property of the executable code: the PE sections listed under Static PE Info total well under 200 KB and none exceeds 6.88, so almost all of the 9,076,976 bytes is the compressed Inno Setup payload appended after the last section (the overlay), with the Authenticode signature at the very end.

File Icon

Icon Hash: d4bcf4d4d45454aa

Static PE Info

General
Entrypoint: 0x409c40
Entrypoint Section: CODE
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 1
OS Version Minor: 0
File Version Major: 1
File Version Minor: 0
Subsystem Version Major: 1
Subsystem Version Minor: 0
Import Hash: 884310b1928934402ea6fec1dbd3cf5e

Two things to read correctly here. The 1992 timestamp is not a build date: 0x2A425E19 is the fixed value Borland/Delphi linkers write into every image, and together with the CODE/DATA/BSS section names and the "This program must be run under Win32" DOS stub it identifies a Delphi-built binary, which is what the Inno Setup loader is. And DLL Characteristics carries neither DYNAMIC_BASE nor NX_COMPAT while RELOCS_STRIPPED is set, so the loader always maps at 0x400000 without ASLR; that is normal for installers of this vintage rather than a sign of tampering.

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After: 7/11/2018 5:00:00 PM, 8/26/2021 5:00:00 AM
Subject Chain: CN=Martin Malik - REALiX, O=Martin Malik - REALiX, L=Malacky, C=SK, SERIALNUMBER=35437570, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=SK
Version: 3
Thumbprint MD5: 3F1B2F4527F6436F6368DDD0F86EE308
Thumbprint SHA-1: 4DE3C444DB88A2A7F964BA6BB4A1B138F1AB4DE5
Thumbprint SHA-256: 646A4E1671AB43E9B1C130AF24A1CCC998562973C10948EAD8271EB4D7097F30
Serial: 0A8D9239E7564A3723D632ADF8D6847A

The signature verified, the EV certificate was inside its validity window on the analysis date (23 March 2021), and the subject, REALiX, is the publisher of HWiNFO, i.e. the signer matches the product the installer drops. The signature blob itself is the IMAGE_DIRECTORY_ENTRY_SECURITY entry in the Data Directories table: 0x21c8 bytes at file offset 0x8a5f28, ending exactly at the file's last byte. When re-checking, pin the thumbprint above rather than the subject string, since the subject is free text.

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007FEF44B694DBh
call 00007FEF44B6A6E2h
call 00007FEF44B6A971h
call 00007FEF44B6C9A8h
call 00007FEF44B6C9EFh
call 00007FEF44B6F31Eh
call 00007FEF44B6F485h
xor eax, eax
push ebp
push 0040A2FCh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A2C5h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007FEF44B6FEEBh
call 00007FEF44B6FB1Eh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007FEF44B6CFD8h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CDE8h
call 00007FEF44B69587h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CDE8h]
mov dl, 01h
mov eax, 0040738Ch
call 00007FEF44B6D867h
mov dword ptr [0040CDECh], eax
xor edx, edx
push ebp
push 0040A27Dh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FEF44B6FF5Bh
mov dword ptr [0040CDF4h], eax
mov eax, dword ptr [0040CDF4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FEF44B7009Ah
mov eax, dword ptr [0040CDF4h]
mov edx, 00000028h
call 00007FEF44B6DC68h
mov edx, dword ptr [000000F4h]

Reading the prologue: the run of seven calls after the frame setup is the Delphi unit-initialisation sequence, and each "push dword ptr fs:[eax] / mov dword ptr fs:[eax], esp" pair with eax (or edx) zeroed installs a structured exception handler frame at fs:[0], the pattern Delphi emits for try blocks. The 00007FEF44B6xxxxh call targets are displacement artefacts of the disassembler's rendering, not addresses inside the 0x400000 image.

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x139b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8a5f28 | 0x21c8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0x0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

The SECURITY entry is the one directory whose "virtual address" is a raw file offset rather than an RVA (hence no section): 0x8a5f28 + 0x21c8 = 0x8a80f0 = 9,076,976, exactly the file size, so the Authenticode blob is the final 8,648 bytes of the file. The BASERELOC entry with size 0 is consistent with RELOCS_STRIPPED in the characteristics, and the 0x18-byte TLS directory in .rdata has no callbacks listed.

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9364 | 0x9400 | False | 0.614864864865 | data | 6.56223225793 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | False | 0.3154296875 | data | 2.7534822782 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS | 0xc000 | 0xe4c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0xd000 | 0x950 | 0xa00 | False | 0.414453125 | data | 4.4307330698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0xe000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0xf000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.20448815744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x139b8 | 0x13a00 | False | 0.64055035828 | data | 6.87558504783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

The raw sizes sum to 0x1de00 (122,368 bytes); with the headers that leaves roughly 8.95 MB of the 9,076,976-byte file outside any section. That overlay is the compressed Inno Setup payload (plus the trailing signature), which is why the whole-file entropy is 7.9989 while no section exceeds 6.88. Only CODE is executable; .reloc has a virtual size but no raw data because the relocations were stripped.
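The checks behind the Static PE Info, Data Directories and Sections tables above (and the Entropy (8bit) figures the report gives for each dropped file), as an added worked example; this is not code from the Joe Sandbox report or from HWiNFO. It uses only the Python standard library, so it runs on any PE32/PE32+ file. The bytes returned by build_sample_pe() are constructed here to mirror the report's header values (timestamp 0x2A425E19, characteristics 0x818F, a CODE and a .rsrc section, a high-entropy overlay, a trailing WIN_CERTIFICATE) and are not the real hwi_700.exe; on a real sample, pass open(path, "rb").read() instead.

```python
"""Static PE triage: COFF timestamp and characteristics, section table with per-section
entropy, overlay detection and the Authenticode (security) directory.
Added example, not code from the Joe Sandbox report or from HWiNFO. Standard library
only; build_sample_pe() returns constructed test input, not the real hwi_700.exe."""
import math
import struct
from datetime import datetime, timezone

DELPHI_FIXED_TIMESTAMP = 0x2A425E19  # constant written by Borland/Delphi linkers, not a build time
SECURITY_DIR_INDEX = 4               # IMAGE_DIRECTORY_ENTRY_SECURITY
IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the measure the report prints."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    h = -sum(c / n * math.log2(c / n) for c in counts if c)
    return h if h > 0 else 0.0


def parse_pe(data: bytes) -> dict:
    """Parse the COFF header, the security data directory and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    _, nsec, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)       # data directories: PE32 vs PE32+ layout
    sec_off, sec_size = struct.unpack_from("<II", data, dd + 8 * SECURITY_DIR_INDEX)

    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, scn = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "entropy": round(shannon_entropy(raw), 4),
                         "executable": bool(scn & 0x20000000)})
    # Everything after the last byte of section data is overlay (installer payload, signature).
    overlay_off = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=len(data))
    payload_end = len(data)

    security = None
    if sec_size:
        # For this directory the "virtual address" field is a raw file offset to a WIN_CERTIFICATE.
        length, revision, cert_type = struct.unpack_from("<IHH", data, sec_off)
        security = {"file_offset": sec_off, "size": sec_size, "at_tail": sec_off + sec_size == len(data),
                    "win_cert_length": length, "revision": revision, "cert_type": cert_type}
        if security["at_tail"]:
            payload_end = sec_off    # keep the signature blob out of the payload entropy

    return {"timestamp": timestamp,
            "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
            "timestamp_is_delphi_fixed": timestamp == DELPHI_FIXED_TIMESTAMP,
            "characteristics": [n for f, n in sorted(IMAGE_FILE_CHARACTERISTICS.items()) if chars & f],
            "sections": sections,
            "overlay_offset": overlay_off, "overlay_size": len(data) - overlay_off,
            "payload_entropy": round(shannon_entropy(data[overlay_off:payload_end]), 4),
            "security": security}


def build_sample_pe() -> bytes:
    """Constructed PE32: Delphi timestamp, characteristics 0x818F, CODE + .rsrc sections,
    a uniformly distributed overlay and a trailing WIN_CERTIFICATE header. Test input only."""
    code = (b"\x55\x8b\xec\x83\xc4\xc4\x53\x56\x57\x33\xc0" * 50)[:0x200]  # prologue-like bytes
    rsrc = bytes(0x200)                                                   # zero-filled resources
    payload = bytes(range(256)) * 4                                       # stand-in for the compressed installer
    cert_body = b"\x30\x82" + bytes(22)                                   # placeholder for PKCS#7 SignedData
    cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body   # WIN_CERTIFICATE header
    headers_len = 0x200
    sec_off = headers_len + len(code) + len(rsrc) + len(payload)

    opt = bytearray(224)                                    # PE32 optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, sec_off, len(cert))
    coff = struct.pack("<HHIIIHH", 0x14C, 2, DELPHI_FIXED_TIMESTAMP, 0, 0, len(opt), 0x818F)
    sects = struct.pack("<8sIIIIIIHHI", b"CODE", 0x200, 0x1000, len(code), headers_len, 0, 0, 0, 0, 0x60000020)
    sects += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x2000, len(rsrc), headers_len + len(code),
                         0, 0, 0, 0, 0x40000040)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sects).ljust(headers_len, b"\0")
    return headers + code + rsrc + payload + cert


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())   # real file: parse_pe(open(path, "rb").read())
    print(info["timestamp_utc"], info["timestamp_is_delphi_fixed"], info["characteristics"])
    for s in info["sections"]:
        print(f"{s['name']:8} raw={s['raw_size']:#x} entropy={s['entropy']:.4f} exec={s['executable']}")
    print(f"overlay at {info['overlay_offset']:#x}, {info['overlay_size']} bytes, payload entropy "
          f"{info['payload_entropy']}, signature at tail: {info['security']['at_tail']}")
```

Run against the actual sample this should reproduce the seven characteristics flags and the fixed Delphi timestamp, place the overlay right after .rsrc and have it account for almost the whole 9,076,976 bytes, report a security directory whose offset plus size equals the file length, and give a payload entropy (overlay minus the signature) close to 8, which is what drives the 7.9989 whole-file figure. Because the Authenticode hash excludes the checksum field, the security directory entry and the certificate blob, data appended after the blob does not invalidate the signature; "at_tail" being False on a signed file is therefore worth a second look.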

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x11474 | 0xea8 | data | English | United States
RT_ICON | 0x1231c | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15003123, next used block 15069173 | English | United States
RT_ICON | 0x12bc4 | 0x6c8 | data | English | United States
RT_ICON | 0x1328c | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x137f4 | 0x75e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x1addc | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 248, next used block 251658240 | English | United States
RT_ICON | 0x1f004 | 0x25a8 | data | English | United States
RT_ICON | 0x215ac | 0x10a8 | data | English | United States
RT_ICON | 0x22654 | 0x988 | data | English | United States
RT_ICON | 0x22fdc | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_STRING | 0x23444 | 0x2f2 | data | |
RT_STRING | 0x23738 | 0x30c | data | |
RT_STRING | 0x23a44 | 0x2ce | data | |
RT_STRING | 0x23d14 | 0x68 | data | |
RT_STRING | 0x23d7c | 0xb4 | data | |
RT_STRING | 0x23e30 | 0xae | data | |
RT_RCDATA | 0x23ee0 | 0x2c | data | |
RT_GROUP_ICON | 0x23f0c | 0x92 | data | English | United States
RT_VERSION | 0x23fa0 | 0x4b8 | COM executable for DOS | English | United States
RT_MANIFEST | 0x24458 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

The Type column is a libmagic guess over the raw resource bytes. "dBase IV DBT" on two icons and "COM executable for DOS" on the VS_VERSIONINFO block are misidentifications of ordinary icon bitmaps and version data, not embedded files; the 256 x 256 PNG icon and the XML manifest are the only genuine format hits.

Imports

DLL | Imports
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges

kernel32.dll, user32.dll and advapi32.dll each appear twice because the import directory carries one descriptor per compilation unit that links the DLL, a Delphi linker trait; the report lists the descriptors in file order. OpenProcessToken, LookupPrivilegeValueA and AdjustTokenPrivileges next to ExitWindowsEx are what an installer needs to enable the shutdown privilege for a post-install restart, and CreateProcessA with LoadLibraryA/GetProcAddress covers launching the extracted setup program and its helper DLLs. None of this is unusual for an Inno Setup loader, but it is the same API set a dropper would use, so the imports alone do not separate the two.

Version Infos

Description | Data
LegalCopyright | Copyright 1999-2021 Martin Malik - REALiX
FileVersion | (empty)
CompanyName | Martin Malik - REALiX
Comments | This installation was built with Inno Setup.
ProductName | (empty)
ProductVersion | 7.00
FileDescription | (empty)
Translation | 0x0000 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 23, 2021 01:20:14.417689085 CET | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:14.467029095 CET | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:15.432759047 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:15.481976986 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:16.041414022 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:16.106201887 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:16.236685991 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:16.299856901 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:17.227976084 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:17.282203913 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:18.083671093 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:18.144742966 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:19.243580103 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:19.295528889 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:20.644748926 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:20.694051027 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:21.967863083 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:22.022594929 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:24.318828106 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:24.368026018 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:25.500263929 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:25.558157921 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:26.402983904 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:26.460644007 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:27.579057932 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:27.636707067 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:28.476373911 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:28.528542995 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:29.736171007 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:29.788399935 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:31.029377937 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:31.080482006 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:31.815937042 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:31.868115902 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:32.607094049 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:32.661993027 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:33.532423019 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:33.581713915 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:49.914151907 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:49.978270054 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:20:52.960268021 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:20:53.020539999 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:21:27.440340996 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:21:27.515264034 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:21:37.484486103 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:21:37.536515951 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:21:42.842689037 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:21:42.902451992 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:22:14.416132927 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:22:14.466963053 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Mar 23, 2021 01:22:16.238629103 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Mar 23, 2021 01:22:16.296483040 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3

All 52 packets form 26 query/response pairs between the analysis VM (192.168.2.3) and 8.8.8.8 on UDP port 53; every query was answered within roughly 50 to 75 ms, no other UDP traffic was captured, and this table does not show which names were resolved. Mind the timing when attributing these lookups: the first query leaves at 01:20:14, nine seconds before hwi_700.exe starts (01:20:23 in the process section below), so at least the early lookups are the VM's own background activity rather than the sample's.
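What the table does support is pairing each query with its answer. The Python below is an added example, not part of the report: it parses rows in the report's own format (truncating the nine-digit fractional seconds that datetime cannot parse), matches each reply to the query that used the same client port, reports round-trip times, and flags queries that never got an answer, resolvers outside an allow-list, and queries sent before the sample's recorded start time. The first six rows are copied from the table above; the seventh (a query to 1.1.1.1 that gets no reply) is constructed to exercise the checks and does not appear in the report.

```python
"""Pair DNS queries with their answers in a sandbox UDP packet log and flag anomalies."""
from datetime import datetime

# Rows in the report's "UDP Packets" format. The first six are copied from the table
# above; the last one is constructed for this example (an unanswered query to a second
# resolver) and does not appear in the report.
SAMPLE_ROWS = """\
Mar 23, 2021 01:20:14.417689085 CET 49199 53 192.168.2.3 8.8.8.8
Mar 23, 2021 01:20:14.467029095 CET 53 49199 8.8.8.8 192.168.2.3
Mar 23, 2021 01:20:15.432759047 CET 50620 53 192.168.2.3 8.8.8.8
Mar 23, 2021 01:20:15.481976986 CET 53 50620 8.8.8.8 192.168.2.3
Mar 23, 2021 01:22:16.238629103 CET 55435 53 192.168.2.3 8.8.8.8
Mar 23, 2021 01:22:16.296483040 CET 53 55435 8.8.8.8 192.168.2.3
Mar 23, 2021 01:22:20.000000000 CET 60000 53 192.168.2.3 1.1.1.1
"""


def parse_row(line):
    """Return (timestamp, sport, dport, src, dst). The report prints nine fractional
    digits but datetime's %f accepts at most six, so the fraction is truncated."""
    parts = line.split()
    hms, frac = parts[3].split(".")
    ts = datetime.strptime(f"{parts[0]} {parts[1]} {parts[2]} {hms}.{frac[:6]}",
                           "%b %d, %Y %H:%M:%S.%f")
    return ts, int(parts[5]), int(parts[6]), parts[7], parts[8]


def analyse_dns(rows, allowed_resolvers=("8.8.8.8",)):
    """Match each query (dst port 53) to the reply sent back to the same client port and
    report round-trip times, queries that never got a reply, and unexpected resolvers."""
    pending = {}                      # (client ip, client port) -> time the query left
    rtts, unexpected = [], set()
    for line in rows.strip().splitlines():
        ts, sport, dport, src, dst = parse_row(line)
        if dport == 53:
            pending[(src, sport)] = ts
            if dst not in allowed_resolvers:
                unexpected.add(dst)
        elif sport == 53 and (dst, dport) in pending:
            sent = pending.pop((dst, dport))
            rtts.append((dport, round((ts - sent).total_seconds(), 6)))
    return {"queries": len(rtts) + len(pending), "rtts": rtts,
            "unanswered": sorted(pending), "unexpected_resolvers": sorted(unexpected)}


def queries_before(rows, start):
    """Queries sent before the sample's recorded start time belong to the analysis VM's
    own background activity, not to the sample."""
    return sum(1 for line in rows.strip().splitlines()
               if parse_row(line)[2] == 53 and parse_row(line)[0] < start)


if __name__ == "__main__":
    print(analyse_dns(SAMPLE_ROWS))
    sample_start = datetime(2021, 3, 23, 1, 20, 23)      # hwi_700.exe start time from the report
    print("queries before sample start:", queries_before(SAMPLE_ROWS, sample_start))
```

Pairing by client port is what makes this robust against the interleaving seen in a busy capture; a query whose port is reused before the answer arrives would be mis-paired, which is why the function keys on (client IP, client port) and removes each entry as soon as it is answered.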

Code Manipulations

Statistics

Behavior

• hwi_700.exe • hwi_700.tmp • svchost.exe • svchost.exe • svchost.exe • svchost.exe • svchost.exe • svchost.exe • svchost.exe • svchost.exe • SgrmBroker.exe • svchost.exe • svchost.exe • HWiNFO64.EXE • svchost.exe • MpCmdRun.exe • conhost.exe


System Behavior

Analysis Process: hwi_700.exe PID: 5524 Parent PID: 5656

General

Start time: 01:20:23
Start date: 23/03/2021
Path: C:\Users\user\Desktop\hwi_700.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\hwi_700.exe'
Imagebase: 0x400000
File size: 9076976 bytes
MD5 hash: F332037F0B58957D24F6DEC27E912287
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Columns: Source File Path; Access; Attributes; Options; Completion; Count; Address; Symbol

C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: success or wait; Count: 1; Address: 40937B; Symbol: CreateDirectoryA

C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp
  Access: read attributes | synchronize | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait; Count: 1; Address: 4075BD; Symbol: CreateFileA

File Deleted

Columns: Source File Path; Completion; Count; Address; Symbol

C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp | success or wait | 1 | 408FF8 | DeleteFileA

File Written

Columns: Source File Path; Offset; Length; Value; Ascii; Completion; Count; Address; Symbol

C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp
  Offset: unknown; Length: 773632
  Value: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37, then 00 for the rest of the 256-byte preview
  Ascii: MZP......@.....!..L.!..This program must be run under Win32..$7
  Completion: success or wait; Count: 1; Address: 4076E4; Symbol: WriteFile

File Read

Columns: Source File Path; Offset; Length; Completion; Count; Address; Symbol

C:\Users\user\Desktop\hwi_700.exe | unknown | 64 | success or wait | 1 | 407648 | ReadFile
C:\Users\user\Desktop\hwi_700.exe | unknown | 4 | success or wait | 2 | 407648 | ReadFile
C:\Users\user\Desktop\hwi_700.exe | unknown | 4 | success or wait | 2 | 407648 | ReadFile

Analysis Process: hwi_700.tmp PID: 3176 Parent PID: 5524

General

Start time: 01:20:24
Start date: 23/03/2021
Path: C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp' /SL5='$11021C,8777995,123392,C:\Users\user\Desktop\hwi_700.exe'
Imagebase: 0x400000
File size: 773632 bytes
MD5 hash: 751D4F1D0F96F1DF71F778391555E52B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches: Metadefender 0% detection; ReversingLabs 7% detection
Reputation: low

The /SL5 argument is the Inno Setup loader's hand-off to the extracted Setup program: the loader's window handle, two offsets into the original hwi_700.exe, and its path. 123392 is exactly where the loader stub's raw section data ends, assuming the usual 0x400-byte header (0x400 + 0x9400 + 0x400 + 0xa00 + 0x200 + 0x13a00 = 0x1e200), which is why hwi_700.tmp keeps reading hwi_700.exe in 64 KiB chunks (File Read below) instead of carrying the payload itself.

File Activities

File Created

Columns: Source File Path; Access; Attributes; Options; Completion; Count; Address; Symbol

Directory rows share Access "read data or list directory | synchronize", Attributes "device" and Options "directory file | synchronous io non alert | open for backup ident | open reparse point"; file rows share Access "read attributes | synchronize | generic read | generic write", Attributes "device" and Options "synchronous io non alert | non directory file". Completion is "success or wait" for every row.

Source File Path | Kind | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp | directory | 1 | 4530DF | CreateDirectoryA
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup | directory | 1 | 47B82C | CreateDirectoryA
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_RegDLL.tmp | file | 1 | 406EEA | CreateFileA
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_setup64.tmp | file | 1 | 406EEA | CreateFileA
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_shfoldr.dll | file | 1 | 406EEA | CreateFileA
C:\Program Files\HWiNFO64 | directory | 1 | 451E1E | CreateDirectoryA
C:\Program Files\HWiNFO64\unins000.dat | file | 1 | 474366 | CreateFileA
C:\Program Files\HWiNFO64\is-5O4KV.tmp | file | 1 | 44FE79 | CreateFileA
C:\Program Files\HWiNFO64\is-VRSNB.tmp | file | 1 | 44FE79 | CreateFileA
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HWiNFO64 | directory | 1 | 451E1E | CreateDirectoryA

File Deleted

Columns: Source File Path; Completion; Count; Address; Symbol

C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_RegDLL.tmp | success or wait | 1 | 451FB4 | DeleteFileA
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_setup64.tmp | success or wait | 1 | 451FB4 | DeleteFileA
C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_shfoldr.dll | success or wait | 1 | 451FB4 | DeleteFileA

File Moved

Columns: Source Old File Path; New File Path; Completion; Count; Address; Symbol

C:\Program Files\HWiNFO64\is-5O4KV.tmp | C:\Program Files\HWiNFO64\unins000.exe | success or wait | 1 | 452337 | MoveFileA
C:\Program Files\HWiNFO64\is-VRSNB.tmp | C:\Program Files\HWiNFO64\HWiNFO64.EXE | success or wait | 1 | 452337 | MoveFileA

File Written

Columns: Source File Path; Offset; Length; Value; Ascii; Completion; Count; Address; Symbol

C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_RegDLL.tmp
  Offset: unknown; Length: 4096
  Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cf db f3 aa 8b ba 9d f9 8b ba 9d f9 8b ba 9d f9 48 b5 c0 f9 8c ba 9d f9 8b ba 9c f9 85 ba 9d f9 ac 7c f0 f9 8a ba 9d f9 ac 7c e1 f9 8a ba 9d f9 ac 7c e5 f9 8a ba 9d f9 52 69 63 68 8b ba 9d f9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a3 4d 3b 4a 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 08 00 00 02 00 00 00 0a 00 00 00 00 00 00 d0 11 00 00 00 10 00 00 00 20 00 00 00 00 40
  Ascii: MZ......@.....!..L.!This program cannot be run in DOS mode....$......H.....|......|......|......Rich......PE..L....M;J......@
  Completion: success or wait; Count: 1; Address: 406F31; Symbol: WriteFile

C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_setup64.tmp
  Offset: unknown; Length: 6144
  Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 5e fb aa ad 1a 9a c4 fe 1a 9a c4 fe 1a 9a c4 fe 6c 07 bf fe 17 9a c4 fe 1a 9a c5 fe 02 9a c4 fe 3d 5c a9 fe 1b 9a c4 fe 3d 5c b8 fe 1b 9a c4 fe 3d 5c bc fe 1b 9a c4 fe 52 69 63 68 1a 9a c4 fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 58 57 3a 4a 00 00 00 00 00 00 00 00 f0 00 23 00 0b 02 08 00 00 06 00 00 00 12 02 00 00 00 00
  Ascii: MZ......@.....!..L.!This program cannot be run in DOS mode....$......^......l.....=\......=\......=\......Rich......PE..d...XW:J......#.
  Completion: success or wait; Count: 1; Address: 406F31; Symbol: WriteFile

C:\Users\user\AppData\Local\Temp\is-23PGO.tmp\_isetup\_shfoldr.dll
  Offset: unknown; Length: 23312
  Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 49 7a 4a 5e 0d 1b 24 0d 0d 1b 24 0d 0d 1b 24 0d 0d 1b 25 0d 22 1b 24 0d 54 38 37 0d 0b 1b 24 0d 5b 13 22 0d 0c 1b 24 0d 0d 1b 24 0d 0c 1b 24 0d 52 69 63 68 0d 1b 24 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 85 d9 5c 3b 00 00 00 00 00 00 00 00 e0 00 06 23 0b 01 05 0c 00 20 00 00 00 34 00 00 00 00 00 00 f6 27 00 00 00 10 00
  Ascii: MZ......@.....!..L.!This program cannot be run in DOS mode....$......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$......PE..L.....\;......#.......4......'.....
  Completion: success or wait; Count: 1; Address: 406F31; Symbol: WriteFile

C:\Program Files\HWiNFO64\is-5O4KV.tmp
  Offset: unknown; Length: 16384
  Value: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37, then 00 for the rest of the 256-byte preview
  Ascii: MZP......@.....!..L.!..This program must be run under Win32..$7
  Completion: success or wait; Count: 48; Address: 44FFD4; Symbol: WriteFile

C:\Program Files\HWiNFO64\is-5O4KV.tmp
  Offset: unknown; Length: 4
  Value: 49 6e 55 6e
  Ascii: InUn
  Completion: success or wait; Count: 1; Address: 44FFD4; Symbol: WriteFile

C:\Program Files\HWiNFO64\is-5O4KV.tmp
  Offset: unknown; Length: 20
  Value: 18 23 6f 9b 78 ce 34 37 cb 77 95 42 9d 3d 3b b5 64 4b 1a 11
  Ascii: .#o.x.47.w.B.=;.dK..
  Completion: success or wait; Count: 2; Address: 44FFD4; Symbol: WriteFile

C:\Program Files\HWiNFO64\is-5O4KV.tmp
  Offset: unknown; Length: 10453
  Value: 49 6e 6e 6f 20 53 65 74 75 70 20 4d 65 73 73 61 67 65 73 20 28 35 2e 31 2e 31 31 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cf 00 00 00 d5 28 00 00 2a d7 ff ff a1 65 6e 5e 26 41 62 6f 75 74 20 53 65 74 75 70 2e 2e 2e 00 25 31 20 76 65 72 73 69 6f 6e 20 25 32 0d 0a 25 33 0d 0a 0d 0a 25 31 20 68 6f 6d 65 20 70 61 67 65 3a 0d 0a 25 34 00 00 41 62 6f 75 74 20 53 65 74 75 70 00 59 6f 75 20 6d 75 73 74 20 62 65 20 6c 6f 67 67 65 64 20 69 6e 20 61 73 20 61 6e 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 77 68 65 6e 20 69 6e 73 74 61 6c 6c 69 6e 67 20 74 68 69 73 20 70 72 6f 67 72 61 6d 2e 00 46 6f 6c 64 65 72 20 6e 61 6d 65 73 20 63 61 6e 6e 6f 74 20 69 6e 63 6c 75 64 65 20 61 6e 79 20 6f 66 20
  Ascii: Inno Setup Messages (5.1.11)........(..*....en^&About Setup....%1 version %2..%3....%1 home page:..%4..About Setup.You must be logged in as an administrator when installing this program..Folder names cannot include any of
  Completion: success or wait; Count: 2; Address: 44FFD4; Symbol: WriteFile

C:\Program Files\HWiNFO64\is-VRSNB.tmp
  Offset: unknown; Length: 65536
  Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 88 0d 1e 38 cc 6c 70 6b cc 6c 70 6b cc 6c 70 6b c5 14 f7 6b cd 6c 70 6b d2 3e f3 6b 01 6d 70 6b 71 23 e6 6b cd 6c 70 6b c5 14 f3 6b 76 6c 70 6b d2 3e f4 6b cb 6c 70 6b c5 14 e3 6b ef 6c 70 6b cc 6c 71 6b 77 6e 70 6b eb aa 1d 6b c4 6c 70 6b c5 14 e5 6b dc 6c 70 6b c5 14 f4 6b a7 6d 70 6b d2 3e e4 6b cd 6c 70 6b c5 14 e1 6b cd 6c 70 6b 52 69 63 68 cc 6c 70 6b 00 00 00 00 00 00 00
  Ascii: MZ......@.....!..L.!This program cannot be run in DOS mode....$......8.lpk.lpk.lpk...k.lpk.>.k.mpkq#.k.lpk...kvlpk.>.k.lpk...k.lpk.lqkwnpk...k.lpk...k.lpk...k.mpk.>.k.lpk...k.lpkRich.lpk......
  Completion: success or wait; Count: 92; Address: 44FFD4; Symbol: WriteFile

C:\Program Files\HWiNFO64\unins000.dat
  Offset: unknown; Length: 448
  Value: 00 for all of the 256-byte preview
  Ascii: (non-printable)
  Completion: success or wait; Count: 2; Address: 44FFD4; Symbol: WriteFile

C:\Program Files\HWiNFO64\unins000.dat
  Offset: unknown; Length: 12
  Value: 9a 05 00 00 65 fa ff ff c2 0c ca b2
  Ascii: ....e.......
  Completion: success or wait; Count: 2; Address: 44FFD4; Symbol: WriteFile

Reading this table together with File Moved above: is-5O4KV.tmp starts with the same Delphi "MZP" stub as hwi_700.tmp, receives 48 writes of 16 KiB plus a 4-byte "InUn" tag, a 20-byte value and a 10,453-byte "Inno Setup Messages (5.1.11)" block, and is then renamed to unins000.exe; is-VRSNB.tmp, written in 92 chunks of 64 KiB (consistent with the 6,008,776-byte file), becomes HWiNFO64.EXE. The three _isetup helpers (_RegDLL.tmp, _setup64.tmp with a PE32+ "PE..d" header, _shfoldr.dll) are written, used and deleted within the run.

File Read

Columns: Source File Path; Offset; Length; Completion; Count; Address; Symbol

C:\Users\user\Desktop\hwi_700.exe | unknown | 64 | success or wait | 1 | 44FF04 | ReadFile
C:\Users\user\Desktop\hwi_700.exe | unknown | 4 | success or wait | 2 | 44FF04 | ReadFile
C:\Users\user\Desktop\hwi_700.exe | unknown | 4 | success or wait | 2 | 44FF04 | ReadFile
C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp | unknown | 16384 | success or wait | 1 | 44FF04 | ReadFile
C:\Users\user\AppData\Local\Temp\is-1PO0H.tmp\hwi_700.tmp | unknown | 16384 | success or wait | 47 | 44FF04 | ReadFile
C:\Users\user\Desktop\hwi_700.exe | unknown | 4 | success or wait | 1 | 44FF04 | ReadFile
C:\Users\user\Desktop\hwi_700.exe | unknown | 65536 | success or wait | 91 | 44FF04 | ReadFile

Registry Activities

Key Created

Columns: Source Key Path; Completion; Count; Address; Symbol

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\HWiNFO64_is1 | success or wait | 1 | 42DD3D | RegCreateKeyExA

Key Value Created

Columns: Source Key Path; Name; Type; Data; Completion; Count; Address; Symbol

Every row is under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HWiNFO64_is1 with Completion "success or wait" and Count 1; unicode values are set from address 46DFE4 and dword values from 46E044, both through RegSetValueExA.

Name | Type | Data
Inno Setup: Setup Version | unicode | 5.4.3 (a)
Inno Setup: App Path | unicode | C:\Program Files\HWiNFO64
InstallLocation | unicode | C:\Program Files\HWiNFO64\
Inno Setup: Icon Group | unicode | HWiNFO64
Inno Setup: User | unicode | hardz
Inno Setup: Language | unicode | default
DisplayName | unicode | HWiNFO64 Version 7.00
DisplayIcon | unicode | C:\Program Files\HWiNFO64\HWiNFO64.exe
UninstallString | unicode | "C:\Program Files\HWiNFO64\unins000.exe"
QuietUninstallString | unicode | "C:\Program Files\HWiNFO64\unins000.exe" /SILENT
DisplayVersion | unicode | 7.00
Publisher | unicode | Martin Malik - REALiX
URLInfoAbout | unicode | https://www.hwinfo.com/
HelpLink | unicode | https://www.hwinfo.com/forum
URLUpdateInfo | unicode | https://www.hwinfo.com/download/
NoModify | dword | 1
NoRepair | dword | 1
InstallDate | unicode | 20210323
MajorVersion | dword | 7
MinorVersion | dword | 0
EstimatedSize | dword | 6623

Analysis Process: svchost.exe PID: 68 Parent PID: 568

General

Start time: 01:20:32
Start date: 23/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

(no rows listed)

Analysis Process: svchost.exe PID: 4456 Parent PID: 568

General

Start time: 01:20:46
Start date: 23/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

(no rows listed)

Registry Activities

(no rows listed)

Analysis Process: svchost.exe PID: 6048 Parent PID: 568

General

Start time: 01:20:52
Start date: 23/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

(no rows listed)

Analysis Process: svchost.exe PID: 4604 Parent PID: 568

General

Start time: 01:20:58
Start date: 23/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff7e82f0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: svchost.exe PID: 2344 Parent PID: 568

General

Start time: 01:20:58
Start date: 23/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

(no rows listed)

Analysis Process: svchost.exe PID: 1320 Parent PID: 568

General

Start time: 01:20:59
Start date: 23/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities

(no rows listed)

Analysis Process: svchost.exe PID: 5540 Parent PID: 568

General

Start time: 01:21:00
Start date: 23/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Registry Activities

(no rows listed)

Analysis Process: svchost.exe PID: 6160 Parent PID: 568

General

Start time: 01:21:01
Start date: 23/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: SgrmBroker.exe PID: 6240 Parent PID: 568

General

Start time: 01:21:01
Start date: 23/03/2021
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SgrmBroker.exe
Imagebase: 0x7ff67a410000
File size: 163336 bytes
MD5 hash: D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: svchost.exe PID: 6252 Parent PID: 568

General

Start time: 01:21:02
Start date: 23/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

File Activities

(File Created table: no rows recorded for this process)

Analysis Process: svchost.exe PID: 6276 Parent PID: 568

General

Start time: 01:21:02
Start date: 23/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Registry Activities

(Key Created and Key Value Created tables: no rows recorded for this process)

Analysis Process: HWiNFO64.EXE PID: 6404 Parent PID: 3176

General

Start time: 01:21:10
Start date: 23/03/2021
Path: C:\Program Files\HWiNFO64\HWiNFO64.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\HWiNFO64\HWiNFO64.EXE'
Imagebase: 0x140000000
File size: 6008776 bytes
MD5 hash: 59F9BA1D2DC490A51E3779EB26D8F9A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

File Activities

File Created

Columns: File Path, Access, Attributes, Options, Completion, Count, Address, Symbol

File Path: C:\Users\user\AppData\Local\Temp\HWiNFO64A_160.SYS
Access: read attributes | synchronize | generic write
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 3
Address: 14021074A
Symbol: CreateFileA

File Path: C:\Users\user\AppData\Local\Temp\HWiNFO64A_160.SYS
Access: read attributes | synchronize | generic write
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 3
Address: 14021074A
Symbol: CreateFileA

File Deleted

Columns: File Path, Completion, Count, Address, Symbol

File Path: C:\Users\user\AppData\Local\Temp\HWiNFO64A_160.SYS
Completion: success or wait
Count: 3
Address: 140210EE1
Symbol: DeleteFileA

File Path: C:\Users\user\AppData\Local\Temp\HWiNFO64A_160.SYS
Completion: success or wait
Count: 3
Address: 140210EE1
Symbol: DeleteFileA

File Path: C:\Program Files\HWiNFO64\HWiNFO64.INI
Completion: success or wait
Count: 1
Address: 1401FD5D8
Symbol: DeleteFileA

File Written

Columns: File Path, Offset, Length, Value, Ascii, Completion, Count, Address, Symbol

File Path: C:\Users\user\AppData\Local\Temp\HWiNFO64A_160.SYS
Offset: unknown
Length: 64536
Value (first 255 bytes of the write):
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
ed 97 90 e3 a9 f6 fe b0 a9 f6 fe b0 a9 f6 fe b0 a9 f6 ff b0 8f f6 fe b0 a0 8e 6d b0 ac f6 fe b0
a0 8e 6b b0 ad f6 fe b0 a0 8e 7d b0 ad f6 fe b0 a0 8e 77 b0 ab f6 fe b0 a0 8e 6a b0 a8 f6 fe b0
a0 8e 6f b0 a8 f6 fe b0 52 69 63 68 a9 f6 fe b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
50 45 00 00 64 86 06 00 6b 4e 3f 60 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 09 00 00 a2 00
Ascii: MZ......@.....!..L.!This program cannot be run in DOS mode....$......m......k......}......w.j......o.....Rich......PE..d...kN?`......"......
Completion: success or wait
Count: 3
Address: 140210771
Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Temp\HWiNFO64A_160.SYS
Offset: unknown
Length: 64536
Value / Ascii: identical to the row above
Completion: success or wait
Count: 3
Address: 140210771
Symbol: WriteFile

(File Read table: no rows recorded for this process)
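The WriteFile rows above preserve only the leading bytes of the driver that HWiNFO64.EXE stages in %TEMP%, but that prefix already covers the DOS header, the linker's Rich header and the COFF header. The following script is an added example and not part of the Joe Sandbox report: it takes the hex transcribed from the Value column above (embedded as a constant here), walks e_lfanew to the PE signature, reads the COFF fields and the optional-header magic, and decodes the Rich header. The constant and function names are this example's own, and the machine-name table is deliberately minimal.

```python
import struct
from datetime import datetime, timezone

# First 255 bytes of C:\Users\user\AppData\Local\Temp\HWiNFO64A_160.SYS, transcribed
# from the hex "Value" column of the WriteFile row in the report. The sandbox only
# records the start of each write, so the optional header is cut off after SizeOfCode.
DRIVER_HEAD_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
ed 97 90 e3 a9 f6 fe b0 a9 f6 fe b0 a9 f6 fe b0
a9 f6 ff b0 8f f6 fe b0 a0 8e 6d b0 ac f6 fe b0
a0 8e 6b b0 ad f6 fe b0 a0 8e 7d b0 ad f6 fe b0
a0 8e 77 b0 ab f6 fe b0 a0 8e 6a b0 a8 f6 fe b0
a0 8e 6f b0 a8 f6 fe b0 52 69 63 68 a9 f6 fe b0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
50 45 00 00 64 86 06 00 6b 4e 3f 60 00 00 00 00
00 00 00 00 f0 00 22 00 0b 02 09 00 00 a2 00
"""

MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}  # minimal, example only
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_DLL = 0x2000
DANS = 0x536E6144  # "DanS" read as a little-endian dword


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn the space-separated hex of a sandbox 'Value' column into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_pe_head(blob: bytes) -> dict:
    """Parse DOS header, PE signature, COFF header and the first dword of the
    optional header from a truncated image prefix. Raises ValueError when the
    prefix is too short to reach a field."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)
    coff = e_lfanew + 4
    if len(blob) < coff + 20 + 4:
        raise ValueError("prefix ends inside the COFF/optional header")
    machine, nsections, stamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", blob, coff)
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", blob, coff + 20)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, "unknown"),
        "sections": nsections,
        "timestamp": stamp,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "optional_header_size": opt_size,
        "characteristics": chars,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "linker": "%d.%d" % (linker_major, linker_minor),
    }


def parse_rich_header(blob: bytes, e_lfanew: int) -> dict:
    """Decode the MSVC Rich header between the DOS stub and the PE signature:
    returns the XOR key and (product id, build, use count) tuples, or {} if absent."""
    rich_at = blob.rfind(b"Rich", 0, e_lfanew)
    if rich_at < 0:
        return {}
    (key,) = struct.unpack_from("<I", blob, rich_at + 4)
    pos = rich_at - 4
    while pos >= 0 and struct.unpack_from("<I", blob, pos)[0] ^ key != DANS:
        pos -= 4
    if pos < 0:
        return {}
    entries = []
    for off in range(pos + 16, rich_at, 8):  # skip "DanS" and three padding dwords
        comp, count = struct.unpack_from("<II", blob, off)
        comp ^= key
        entries.append((comp >> 16, comp & 0xFFFF, count ^ key))
    return {"key": key, "entries": entries}


if __name__ == "__main__":
    blob = hex_dump_to_bytes(DRIVER_HEAD_HEX)
    head = parse_pe_head(blob)
    for k, v in head.items():
        print("%-22s %s" % (k, v))
    rich = parse_rich_header(blob, head["e_lfanew"])
    print("rich key 0x%08x" % rich["key"])
    for prod, build, count in rich["entries"]:
        print("  prodid 0x%04x build %5d count %d" % (prod, build, count))
```

Machine 0x8664 with a PE32+ optional header makes this a 64-bit image, the 9.0 linker version and the Rich build 30729 both point at the Visual Studio 2008 SP1 toolchain, and the link timestamp (2021-03-03 UTC) is three weeks before this analysis. The recorded prefix ends before the Subsystem field and the data directories, so confirming a native-subsystem driver and checking its Authenticode signature needs the full file, which this section does not contain; the report does show the same %TEMP% path created, written and deleted with count 3, which is the staging pattern to weigh against that signature.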

Registry Activities

Key Created

Columns: Key Path, Completion, Count, Address, Symbol

Key Path: HKEY_CURRENT_USER\Software\HWiNFO64
Completion: success or wait
Count: 1
Address: 1401FD923
Symbol: RegCreateKeyExA

Key Path: HKEY_CURRENT_USER\Software\HWiNFO64\Sensors
Completion: success or wait
Count: 1
Address: 1401FD98B
Symbol: RegCreateKeyExA

Key Path: HKEY_CURRENT_USER\Software\HWiNFO64\Summary
Completion: success or wait
Count: 1
Address: 1401FDA05
Symbol: RegCreateKeyExA

Key Path: HKEY_CURRENT_USER\Software\HWiNFO64\Summary\Clocks
Completion: success or wait
Count: 1
Address: 1401FDA6D
Symbol: RegCreateKeyExA

Analysis Process: svchost.exe PID: 6592 Parent PID: 568

General

Start time: 01:21:18
Start date: 23/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

File Activities

(File Created table: no rows recorded for this process)

Analysis Process: MpCmdRun.exe PID: 6256 Parent PID: 6276

General

Start time: 01:22:05
Start date: 23/03/2021
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase: 0x7ff619f80000
File size: 455656 bytes
MD5 hash: A267555174BFA53844371226F482B86B
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

File Activities

(File Created table: no rows recorded for this process)

File Written

Columns: File Path, Offset, Length, Value, Ascii, Completion, Count, Address, Symbol
All seven rows: File Path C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log, Offset unknown, Completion success or wait, Count 1, Address 7FF619FABC96, Symbol WriteFile. The log is UTF-16LE, so every character appears as two bytes; the 0e 20 pairs are U+200E left-to-right marks.

Length: 182
Value: 0d 00 0a 00 0d 00 0a 00, then 2d 00 repeated 85 times, then 0d 00 0a 00
Ascii: \r\n\r\n followed by 85 '-' characters and \r\n

Length: 258
Value: 4d 00 70 00 43 00 6d 00 64 00 52 00 75 00 6e 00 3a 00 20 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 20 00 4c 00 69 00 6e 00 65 00 3a 00 20 00 22 00 43 00 3a 00 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 73 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 44 00 65 00 66 00 65 00 6e 00 64 00 65 00 72 00 5c 00 6d 00 70 00 63 00 6d 00 64 00 72 00 75 00 6e 00 2e 00 65 00 78 00 65 00 22 00 20 00 2d 00 77 00 64 00 65 00 6e 00 61 00 62 00 6c 00 65 00 0d 00 0a 00 20 00 53 00 74 00 61 00 72 00 74 00 20 00 54 00 69 00 6d 00 65 00 3a 00 20 00 0e 20 54 00 75 00 65 00 20 00 0e 20 4d 00 61 00 72 00 20 00 0e 20 32 00 33 00 20 00 0e 20 32 00 30 00 32 00 31 00 20 00 30 00 31 00 3a 00 32 00 32 00 3a 00 30 00 37 00 0d 00 0a 00 0d (dump truncated)
Ascii: MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable\r\n Start Time: [U+200E]Tue [U+200E]Mar [U+200E]23 [U+200E]2021 01:22:07\r\n\r

Length: 86
Value: 4d 00 70 00 45 00 6e 00 73 00 75 00 72 00 65 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 4d 00 69 00 74 00 69 00 67 00 61 00 74 00 69 00 6f 00 6e 00 50 00 6f 00 6c 00 69 00 63 00 79 00 3a 00 20 00 68 00 72 00 20 00 3d 00 20 00 30 00 78 00 31 00 0d 00 0a 00
Ascii: MpEnsureProcessMitigationPolicy: hr = 0x1\r\n

Length: 20
Value: 57 00 44 00 45 00 6e 00 61 00 62 00 6c 00 65 00 0d 00 0a 00
Ascii: WDEnable\r\n

Length: 86
Value: 45 00 52 00 52 00 4f 00 52 00 3a 00 20 00 4d 00 70 00 57 00 44 00 45 00 6e 00 61 00 62 00 6c 00 65 00 28 00 54 00 52 00 55 00 45 00 29 00 20 00 66 00 61 00 69 00 6c 00 65 00 64 00 20 00 28 00 38 00 30 00 30 00 37 00 30 00 34 00 45 00 43 00 29 00 0d 00 0a 00
Ascii: ERROR: MpWDEnable(TRUE) failed (800704EC)\r\n

Length: 100
Value: 4d 00 70 00 43 00 6d 00 64 00 52 00 75 00 6e 00 3a 00 20 00 45 00 6e 00 64 00 20 00 54 00 69 00 6d 00 65 00 3a 00 20 00 0e 20 54 00 75 00 65 00 20 00 0e 20 4d 00 61 00 72 00 20 00 0e 20 32 00 33 00 20 00 0e 20 32 00 30 00 32 00 31 00 20 00 30 00 31 00 3a 00 32 00 32 00 3a 00 30 00 37 00 0d 00 0a 00
Ascii: MpCmdRun: End Time: [U+200E]Tue [U+200E]Mar [U+200E]23 [U+200E]2021 01:22:07\r\n

Length: 174
Value: 2d 00 repeated 85 times, then 0d 00 0a 00
Ascii: 85 '-' characters followed by \r\n
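MpCmdRun.exe writes its log as UTF-16LE, so the Value column above carries two bytes per character and the dates are wrapped in U+200E left-to-right marks (the 0e 20 pairs), which is why the report's Ascii rendering shows dots between letters. The script below is an added example and not part of the Joe Sandbox report: it decodes four of the rows transcribed above (embedded here as constants), strips the format characters, and maps the HRESULT in the ERROR line back to its Win32 error code. The row constants, function names and regular expression are this example's own, and the Win32 name table covers only the code that appears in this log.

```python
import re
import unicodedata

# Hex "Value" columns of four WriteFile rows for MpCmdRun.log, transcribed from the
# report (UTF-16LE; the 0e 20 pairs are U+200E marks present in the original bytes).
ROW_MITIGATION = (
    "4d 00 70 00 45 00 6e 00 73 00 75 00 72 00 65 00 50 00 72 00 6f 00 63 00 65 00 73 00 "
    "73 00 4d 00 69 00 74 00 69 00 67 00 61 00 74 00 69 00 6f 00 6e 00 50 00 6f 00 6c 00 "
    "69 00 63 00 79 00 3a 00 20 00 68 00 72 00 20 00 3d 00 20 00 30 00 78 00 31 00 0d 00 0a 00"
)
ROW_WDENABLE = "57 00 44 00 45 00 6e 00 61 00 62 00 6c 00 65 00 0d 00 0a 00"
ROW_ERROR = (
    "45 00 52 00 52 00 4f 00 52 00 3a 00 20 00 4d 00 70 00 57 00 44 00 45 00 6e 00 61 00 "
    "62 00 6c 00 65 00 28 00 54 00 52 00 55 00 45 00 29 00 20 00 66 00 61 00 69 00 6c 00 "
    "65 00 64 00 20 00 28 00 38 00 30 00 30 00 37 00 30 00 34 00 45 00 43 00 29 00 0d 00 0a 00"
)
ROW_END_TIME = (
    "4d 00 70 00 43 00 6d 00 64 00 52 00 75 00 6e 00 3a 00 20 00 45 00 6e 00 64 00 20 00 "
    "54 00 69 00 6d 00 65 00 3a 00 20 00 0e 20 54 00 75 00 65 00 20 00 0e 20 4d 00 61 00 "
    "72 00 20 00 0e 20 32 00 33 00 20 00 0e 20 32 00 30 00 32 00 31 00 20 00 30 00 31 00 "
    "3a 00 32 00 32 00 3a 00 30 00 37 00 0d 00 0a 00"
)

FACILITY_WIN32 = 7
# Only the code seen in this log; a real triage tool would carry the full winerror.h table.
WIN32_ERROR_NAMES = {1260: "ERROR_ACCESS_DISABLED_BY_POLICY"}

# "ERROR: <call>(<args>) failed (<8 hex digits>)" as MpCmdRun formats its failures.
FAILURE_RE = re.compile(r"^ERROR: (?P<call>\w+\([^)]*\)) failed \((?P<hr>[0-9A-Fa-f]{8})\)$")


def decode_log_write(hex_dump: str) -> str:
    """UTF-16LE-decode one WriteFile value, drop Unicode format characters
    (category Cf, which covers the U+200E marks) and the trailing CRLF."""
    text = bytes.fromhex("".join(hex_dump.split())).decode("utf-16-le")
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return text.rstrip("\r\n")


def hresult_to_win32(hr: int):
    """Return the Win32 error code wrapped in a FACILITY_WIN32 failure HRESULT,
    or None when the value is a success code or belongs to another facility."""
    if hr & 0x80000000 and ((hr >> 16) & 0x1FFF) == FACILITY_WIN32:
        return hr & 0xFFFF
    return None


def triage_mpcmdrun_log(rows) -> dict:
    """Decode every row and collect (call, hresult, win32 code, name) for each
    ERROR line, so the failure can be read without hand-decoding hex."""
    lines = [decode_log_write(r) for r in rows]
    failures = []
    for line in lines:
        m = FAILURE_RE.match(line)
        if m:
            hr = int(m.group("hr"), 16)
            code = hresult_to_win32(hr)
            failures.append((m.group("call"), hr, code, WIN32_ERROR_NAMES.get(code, "unknown")))
    return {"lines": lines, "failures": failures}


if __name__ == "__main__":
    result = triage_mpcmdrun_log([ROW_MITIGATION, ROW_WDENABLE, ROW_ERROR, ROW_END_TIME])
    for line in result["lines"]:
        print(line)
    for call, hr, code, name in result["failures"]:
        print("%s -> HRESULT 0x%08X = Win32 %d (%s)" % (call, hr, code, name))
```

0x800704EC is FACILITY_WIN32 error 1260, ERROR_ACCESS_DISABLED_BY_POLICY: the request to turn Defender on was refused by policy. The process that ran mpcmdrun.exe -wdenable has parent PID 6276, the svchost hosting wscsvc (Windows Security Center), not hwi_700.exe, hwi_700.tmp or HWiNFO64.EXE, so on this page the failed re-enable describes the Defender policy state of the analysis machine rather than an action taken by the sample.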

Analysis Process: conhost.exe PID: 5720 Parent PID: 6256

General

Start time: 01:22:06
Start date: 23/03/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Disassembly

Code Analysis
