ID: 153765
Sample Name: MicroDicom-3.0.1-x64.exe
Cookbook: default.jbs
Time: 13:55:16
Date: 18/07/2019
Version: 26.0.0 Aquamarine

Table of Contents

Analysis Report MicroDicom-3.0.1-x64.exe .......... 4
  Overview .......... 4
    General Information .......... 4
    Detection .......... 4
    Confidence .......... 5
    Classification .......... 5
    Analysis Advice .......... 5
    Mitre Att&ck Matrix .......... 6
    Signature Overview .......... 6
      AV Detection .......... 6
      Spreading .......... 6
      Networking .......... 6
      Key, Mouse, Clipboard, Microphone and Screen Capturing .......... 6
      System Summary .......... 7
      Data Obfuscation .......... 7
      Persistence and Installation Behavior .......... 7
      Boot Survival .......... 7
      Hooking and other Techniques for Hiding and Protection .......... 7
      Malware Analysis System Evasion .......... 7
      Anti Debugging .......... 8
      HIPS / PFW / Protection Evasion .......... 8
      Language, Device and Operating System Detection .......... 8
    Behavior Graph .......... 8
    Simulations .......... 8
      Behavior and APIs .......... 8
    Antivirus and Machine Learning Detection .......... 9
      Initial Sample .......... 9
      Dropped Files .......... 9
      Unpacked PE Files .......... 9
      Domains .......... 9
      URLs .......... 9
    Yara Overview .......... 9
      Initial Sample .......... 9
      PCAP (Network Traffic) .......... 9
      Dropped Files .......... 9
      Memory Dumps .......... 9
      Unpacked PEs .......... 9
    Joe Sandbox View / Context .......... 10
      IPs .......... 10
      Domains .......... 10
      ASN .......... 10
      JA3 Fingerprints .......... 10
      Dropped Files .......... 10
    Screenshots .......... 10
      Thumbnails .......... 10
    Startup .......... 11
    Created / dropped Files .......... 11
    Domains and IPs .......... 17
      Contacted Domains .......... 17
      URLs from Memory and Binaries .......... 17
      Contacted IPs .......... 17
    Static File Info .......... 17
      General .......... 18
      File Icon .......... 18
      Static PE Info .......... 18
        General .......... 18
        Entrypoint Preview .......... 18
        Rich Headers .......... 19
        Data Directories .......... 19
        Sections .......... 20
        Resources .......... 20
        Imports .......... 20
        Possible Origin .......... 21
    Network Behavior .......... 21
    Code Manipulations .......... 21
    Statistics .......... 21
      Behavior .......... 21
    System Behavior .......... 21
      Analysis Process: MicroDicom-3.0.1-x64.exe PID: 2832 Parent PID: 1804 .......... 22
        General .......... 22
        File Activities .......... 22
          File Created .......... 22
          File Deleted .......... 25
          File Written .......... 25
          File Read .......... 35
        Registry Activities .......... 36
          Key Created .......... 36
          Key Value Created .......... 36
          Key Value Modified .......... 37
      Analysis Process: mDicom.exe PID: 3296 Parent PID: 2832 .......... 38
        General .......... 38
        File Activities .......... 38
          File Created .......... 38
          File Written .......... 39
          File Read .......... 43
        Registry Activities .......... 44
          Key Created .......... 44
          Key Value Created .......... 44
          Key Value Modified .......... 44
    Disassembly .......... 44
      Code Analysis .......... 44

Copyright Joe Security LLC 2019 Page 2 of 44

Analysis Report MicroDicom-3.0.1-x64.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 153765
Start date: 18.07.2019
Start time: 13:55:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 37s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: MicroDicom-3.0.1-x64.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean4.winEXE@3/19@0/0 (verdict clean with score 4; 3 processes, 19 dropped files, 0 contacted domains, 0 contacted IPs; the dropped-file and network counts agree with the sections below)
EGA Information: Successful, ratio: 50%
HDC Information: Successful, ratio: 52.7% (good quality ratio 51.9%); quality average: 86.9%; quality standard deviation: 21.4%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
  Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, WmiPrvSE.exe
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 4 (range 0 - 100)
Reporting: (bar graphic in the original)
Whitelisted: false
Detection: CLEAN

Copyright Joe Security LLC 2019 Page 4 of 44 Confidence

Strategy: Threshold
Score: 3 (range 0 - 5)
Further Analysis Required?: true
Confidence: (bar graphic in the original)

Classification

Classification chart (radar diagram in the original; not reproduced). Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Severity bands: clean, suspicious, malicious. This sample is rated clean (score 4 of 100).

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

The matrix is a grid in the original; it is listed here column by column. A number in parentheses is the count of the report's signatures mapped to that technique; techniques without a number are the matrix's unmatched placeholders.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Execution through API (1); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: Startup Items (1); Registry Run Keys / Startup Folder (1); Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Access Token Manipulation (1); Startup Items (1); Process Injection (1); DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Masquerading (1); Software Packing (1); Access Token Manipulation (1); Process Injection (1); Obfuscated Files or Information (1); DLL Side-Loading (1)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: Process Discovery (2); Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (2 2); Remote System Discovery; System Owner/User Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Clipboard Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol (1); Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port

Signature Overview

• AV Detection
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

AV Detection:

Antivirus or Machine Learning detection for unpacked file

Spreading:

Contains functionality to enumerate / list files inside a directory

Networking:

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard

System Summary:

Contains functionality to call native functions

Contains functionality to shutdown / reboot the system

Creates mutexes

Detected potential crypto function

PE file contains strange resources

Sample file is different than original file name gathered from version info

Sample reads its own file content

Tries to load missing DLLs

Classification label

Contains functionality to adjust token privileges (e.g. debug / backup)

Contains functionality to check free disk space

Contains functionality to instantiate COM classes

Creates files inside the program directory

Creates files inside the user directory

Creates temporary files

PE file has an executable .text section and no other executable section

Reads ini files

Reads software policies

Spawns processes

Uses an in-process (OLE) Automation server

Found GUI installer (many successful clicks)

Found graphical window changes (likely an installer)

Found installer window with terms and condition text

Found window with many clickable UI elements (buttons, textforms, scrollbars etc)

Creates a directory in C:\Program Files

Submission file is bigger than most known malware samples

Contains modern PE file flags such as dynamic base (ASLR) or NX

Data Obfuscation:

Contains functionality to dynamically determine API calls

Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Drops PE files

Creates license or readme file

Boot Survival:

Stores files to the Windows start menu directory

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Checks the free space of harddrives

Found dropped PE file which has not been started or loaded

Contains functionality to enumerate / list files inside a directory

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Program exit points

Queries a list of all running processes

Anti Debugging:

Contains functionality to dynamically determine API calls

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Contains functionality to query windows version

Behavior Graph

Hide Legend Legend: Process Signature Created File DNS/IP Info Is Dropped Behavior Graph Is Windows Process ID: 153765 Sample: MicroDicom-3.0.1-x64.exe Number of created Registry Values Startdate: 18/07/2019 Architecture: WINDOWS Number of created Files Score: 4 Visual Basic

started Delphi

Java MicroDicom-3.0.1-x64.exe .Net C# or VB.NET

29 56 C, C++ or other language Is malicious dropped dropped dropped dropped Internet

C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 C:\Users\user\AppData\Local\...\System.dll, PE32 2 other files (none is malicious) started

mDicom.exe

1 4

Simulations

Behavior and APIs

Time       Type              Description
13:56:12   API Interceptor   6x Sleep call for process: MicroDicom-3.0.1-x64.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source                     Detection   Scanner      Label
MicroDicom-3.0.1-x64.exe   2%          virustotal

Dropped Files

Source                                                        Detection   Scanner        Label
C:\Program Files\MicroDicom\mDicom.exe                        0%          virustotal
C:\Program Files\MicroDicom\uninstall.exe                     0%          virustotal
C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\System.dll       1%          virustotal
C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\System.dll       0%          metadefender
C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\nsDialogs.dll    0%          virustotal
C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\nsDialogs.dll    0%          metadefender

Unpacked PE Files

Source                                          Detection   Scanner          Label
0.1.MicroDicom-3.0.1-x64.exe.400000.0.unpack    100%        Joe Sandbox ML

This single 100% score on the unpacked in-memory image is what raises the "Antivirus or Machine Learning detection for unpacked file" signature under AV Detection; no scanner reports more than 2% on the initial sample or any dropped file, and the overall verdict stays CLEAN with a score of 4.

Domains

No Antivirus matches

URLs

Source                                                                                           Detection   Scanner           Label
.offis.de/dcmsr                                                                                  0%          Avira URL Cloud   safe
dicom.offis.de/dcmtk                                                                             0%          virustotal
dicom.offis.de/dcmtk                                                                             0%          Avira URL Cloud   safe
www.microdicom.comhttp://forum.microdicom.comhttp://www.microdicom.com/support.htmlhttp://www   0%          Avira URL Cloud   safe
www.microdicom.com;                                                                              0%          Avira URL Cloud   safe
dicom.nema.org/PS3.19/models/NativeDICOM                                                         0%          Avira URL Cloud   safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\System.dll
Associated samples seen with the same file (SHA-256 links in the original; every one of them was rated malicious):
  setup_smartpoint.x86.home.exe
  inst.smartpoint.p2.exe
  47global.doc
  36PO SP08031617LN.doc
  52Sofia Hubert - Bewerbung und Lebenslauf - 07.09.2018.exe
  47Bewerbungsunterlagen - Nina Peter - 17.09.exe
  18PO#33282.doc
  18PO #SAI-1007324.doc
  28Purchase proposal.doc
  72Application12102018.pdf.exe
  1.exe
  readerdc_en_us_xa_crd_install.exe
  Order confirm-13122018.doc
  DHL INVOICE.exe
  13PO#0104019file000000#1.exe
  2QARaajgHL.exe
  COPIA DE FOTOCOMPARENDO 95658 CON FOTOS HORA Y FECHA.exe
  60060829-THAI.pdf.exe
  b60.exe
  scan copy#U007equote.jar

System.dll and nsDialogs.dll are stock NSIS plugins that any NSIS-built installer unpacks into its nsXXXX.tmp plugin directory, so a hash match with malicious NSIS-packaged samples is a tooling overlap, not evidence of shared authorship. That is consistent with the report's own reputation rating for the file ("moderate, very likely benign file"); the list above should not be read as an indicator against this installer.

Screenshots

Thumbnails: (screenshot images in the original; not reproduced here)

Startup

System is w10x64
MicroDicom-3.0.1-x64.exe (PID: 2832, cmdline: 'C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe', MD5: D07ED740FB6180D9FCFD815D2B80D561)
  mDicom.exe (PID: 3296, cmdline: C:\Program Files\MicroDicom\mDicom.exe, MD5: 046C7CF9E19304A9C587262D009E3CB4)
cleanup

Created / dropped Files

C:\Program Files\MicroDicom\MicroDicom.url
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: MS Windows 95 Internet shortcut text (URL=), ASCII text, with CRLF line terminators
  Size (bytes): 102
  Entropy (8bit): 4.461161861367234
  Encrypted: false
  MD5: 55CA6F48DCF47796E0ABAFB205A2881B
  SHA1: 8F61D76A1EEB6EB46FC87FC637D2C7CFC9FFB327
  SHA-256: 0BBFCFEF4C50C0F5237FAE1B6F4B56735298F76EDEA6E6316D5EDD10066E791C
  SHA-512: 1C0F138396BB8951F362709638DE52BC51F12533DF29DD53408811F66B1FA25A5266DA5F1BC60BE436A78A9F0BF720B9DB72C3688C553A404F1019F3AEDCCE2D
  Malicious: false
  Reputation: low
  Preview: [InternetShortcut]..URL=http://www.microdicom.com..[InternetShortcut]..URL=http://www.microdicom.com..
  (The repeated section in the preview is not a display glitch: with each '..' standing for CRLF, one [InternetShortcut] block is 51 bytes, so the 102-byte file really contains the block twice.)
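The record above is small enough to check by hand, which makes it a good place to show how the per-file metrics in these records (size, 8-bit entropy, MD5/SHA-1/SHA-256/SHA-512) are computed and how a local copy of a dropped file can be confirmed against them before it is shared or submitted for the secondary analysis the report recommends. The following is an added example written for this page, not Joe Sandbox code. It rebuilds the .url file from the Preview field under two stated assumptions (each '..' is CRLF, as the file type says, and the section appears twice, which is the only way to reach 102 bytes) and reproduces the reported size and entropy; the `REPORTED` digests are copied from the record, and `metrics_for_path` is a hypothetical helper for a file on disk.

```python
"""Recompute the metrics a sandbox 'Created / dropped Files' record carries.

Added example for this page, not Joe Sandbox code. URL_FILE is reconstructed
from the report's Preview field for MicroDicom.url (each '..' read as CRLF,
the [InternetShortcut] section present twice); it is a constructed input,
not bytes taken from the sandbox."""
import hashlib
import math
from collections import Counter

# Constructed from the report preview (see module docstring).
URL_FILE = b"[InternetShortcut]\r\nURL=http://www.microdicom.com\r\n" * 2

# Values printed in the report's record for this file.
REPORTED = {
    "size": 102,
    "entropy": 4.461161861367234,
    "md5": "55CA6F48DCF47796E0ABAFB205A2881B",
    "sha1": "8F61D76A1EEB6EB46FC87FC637D2C7CFC9FFB327",
    "sha256": "0BBFCFEF4C50C0F5237FAE1B6F4B56735298F76EDEA6E6316D5EDD10066E791C",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty or constant
    input, 8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_metrics(data: bytes) -> dict:
    """Size, entropy and the four digests, hex upper-cased as in the report."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def compare_to_report(data: bytes, reported: dict) -> dict:
    """Map each reported field to True/False: does `data` reproduce it?
    Entropy gets a small tolerance because the report prints a rounded
    float; size and digests must match exactly."""
    got = file_metrics(data)
    return {
        key: (abs(got[key] - value) < 1e-6 if key == "entropy" else got[key] == value)
        for key, value in reported.items()
    }


def metrics_for_path(path: str) -> dict:
    """Same metrics for a file on disk, e.g. your own copy of a dropped file
    (hypothetical helper; the sandbox's file is not available here)."""
    with open(path, "rb") as fh:
        return file_metrics(fh.read())


if __name__ == "__main__":
    for key, value in file_metrics(URL_FILE).items():
        print(f"{key:8} {value}")
    print(compare_to_report(URL_FILE, REPORTED))
```

If `compare_to_report` returns False for a digest of a file read from disk, the copy on disk differs from what the sandbox saw, and the report's verdict does not transfer to that copy; for the reconstructed .url file a digest mismatch would instead mean the reconstruction from the preview is not byte-exact.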

C:\Program Files\MicroDicom\mDicom.exe
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: PE32+ executable (GUI) x86-64, for MS Windows
  Size (bytes): 15277056
  Entropy (8bit): 6.594937015587871
  Encrypted: false
  MD5: 046C7CF9E19304A9C587262D009E3CB4
  SHA1: 508E1D7F470F12F096D22BFD0445B5F679B3335F
  SHA-256: 627AA6AAA5846AB6D5F6D5970D328C3920C0AF56A9A4E31A69C9BB45F0EF6AF4
  SHA-512: 28D60CBFCBF7353E557FB212EA2238C3284095C7384701E0D4D2F6A32B656AC69FAEF6B7905DBC37BD39F30A7C6E13B0509FECC8D3320E936573F6DBB756856C
  Malicious: false
  Antivirus: virustotal, Detection: 0%
  Reputation: low
  Preview: MZ...... @...... H...... !..L.!This program cannot be run in DOS mode....$...... t..70..d0..d0..d.w.d/..d.w.d...d.w.d...d9.xd1..d9.sd!..d9.td1. .d9.wd2..d.K7d:..db..e...db..e#..db..e...d...e...d...el..d9.cd...d0..d6..d...e...d...d1..d0.gd1..d...e1..dRich0..d...... PE..d....[.\...... #...... 2e.....L.v...... @...... p...... :...... X.,....Ht...... `...... (...... 0...... text...... `.rdata..~...... @[...]...... @....pdata..Ht...... v...... @..@_RDATA.. +...`...,...... @[...].,...... ,..D...... @..@......

C:\Program Files\MicroDicom\settings\animations.xml
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: XML 1.0 document, ASCII text, with CRLF line terminators
  Size (bytes): 106
  Entropy (8bit): 4.7620063149422425
  Encrypted: false
  MD5: D56C489E2A93E853732052A97D47CC7A
  SHA1: 5E81A8D2AE7111569734CAC194C5C208F5390017
  SHA-256: 3661B00E613A8DEB48818FB323A384451BA45768998A76978D50BCA80DB4AC35
  SHA-512: 0CF95236C8A2F062819FEB0F7B780AE88C0C50375717DF9E025CE73AA71050C53D8169432EBF4E8D3ED1FBB1F0A0D5C44B9AB329D7A2E923E996C6BDEB11330B
  Malicious: false
  Reputation: low
  Preview: ....

C:\Program Files\MicroDicom\settings\annotation.xml
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: XML 1.0 document, ASCII text, with CRLF line terminators
  Size (bytes): 4408
  Entropy (8bit): 5.0730262052947195
  Encrypted: false
  MD5: 62A8D6B8D6B20BA47442B7C9D4D8BC92
  SHA1: 3B61202C20FB7F9F15F6B56FED5BFB5D9BFFD828
  SHA-256: E8F2EAAC71A8D866EAD392D0262499459ED3F4DAFB1D98930E738FB8B0556CA1
  SHA-512: 64B96C1805609AC8707F792CDC4086A12D42675ABF96E5D8A19D47130CD7CD1C7137AA773CB14908EC385B06DB2749846F12006DEB090634F6DA91268C2D8E96
  Malicious: false
  Reputation: low
  Preview: ..................

C:\Program Files\MicroDicom\settings\overlay_st.xml
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: XML 1.0 document, ASCII text, with CRLF line terminators
  Size (bytes): 95
  Entropy (8bit): 4.831616829940331
  Encrypted: false
  MD5: 7B72A774B7B9AAEA413E8BBF6C8DCD8D
  SHA1: 6DA9DBC619114E2704BB7012C248B80128F9432B
  SHA-256: 6F08D4FBF27BDA81426C2D8272F19C7F4FE9F44DF72C9C492069420B5272E298
  SHA-512: 1E4D360B9E3FF91B0DDE36446010006082B9D1522546E6C995E5A6B0B2941BE10DFD3A7DC967A8549ACDEC19AD1F3EB80E5217DD5C060C9A23C30CB1AC12BF9C
  Malicious: false
  Reputation: low
  Preview: ....

C:\Program Files\MicroDicom\settings\print.xml
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: XML 1.0 document, Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
  Size (bytes): 24231
  Entropy (8bit): 5.067495556970498
  Encrypted: false
  MD5: D328F7DDBEA26333F84FCCE52E24F85C
  SHA1: B27E15613BA4E5BAEFC2632F660759609D9D7B19
  SHA-256: 643985A074937C807ABE66AC910D647CBDEDC1AFA25F1EC4D7E5D573EE99D5FC
  SHA-512: FDE4E390F84D074F56B24ED30F6122128795E879B485B2995D7E700CA6182070D3DF1B42984CF8CA39D40C86885FA0E51B0C598839E38AEB078E24977A992B45
  Malicious: false
  Reputation: low
  Preview: ................................End-User License Agreement for MicroDicom DICOM viewer....READ CAREFULLY: This End-User License Agreement ("EULA") is a legal agreement between you ("end user") and MicroDicom ("the author")

C:\Program Files\MicroDicom\uninstall.exe
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
  Size (bytes): 232193
  Entropy (8bit): 7.002616264487749
  Encrypted: false
  MD5: 91C05928A9F7097D4E1D3C84D49400D8
  SHA1: 5B942C0BB67CC13D6E2C81799A34EC386A1C95A5
  SHA-256: 89CC1D2B070A7AF7DEE207A1799DB1A7598F575A33599B3982C775C01353C559
  SHA-512: 283920C501BDD9DA7B4DD030FE6A2843C1E7F8C5C0DC68D807CC749648AC67BB7B24743FA2D2C61772CEB1C0039AE8D35A0538FD881AD790546C8BB987BF29BF
  Malicious: false
  Antivirus: virustotal, Detection: 0%
  Reputation: low
  Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... (...F...F...F.*.....F...G.v.F.*[...]...... PE..L...+.oZ...... `...... 1...... p....@...... @...... (t...... p...... text...._...... `...... `.rdata..H....p...... d...... @[...]...... x...... @....ndata...@...@...... rsrc...... |...... @..@......

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MicroDicom\Help.lnk
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat May 11 22:30:10 2019, mtime=Thu Jul 18 19:56:24 2019, atime=Sat May 11 22:30:10 2019, length=53232, window=hide
  Size (bytes): 873
  Entropy (8bit): 4.417454409660352
  Encrypted: false
  MD5: 043208B3DF8771EAC33A6419A3CDF49D
  SHA1: 0B3E31C8306195BD133EC839B3B7D2D1759198B5
  SHA-256: 9E0A96C8EB342552C19BE91EF6E76DF4CB54EBC762E99D9EF75845FDF87B96F7
  SHA-512: 9927C0CE5BBB4E584A05AC27D0B72675742FE21D72D54E0F888A7067CD479BEDEB3EB571BD9664380F1605C2604A5E6ECA0203E1806913DD73E6FD88AC5252B4
  Malicious: false
  Reputation: low
  Preview: L...... F...... -oyQ...... B.=...-oyQ...... y....P.O. .:i.....+00.../C:\...... 1.....uM....PROGRA~1..t...... L..N...... <...... J...... P.r.o.g.r.a.m. .F.i.l [...].,.-.2.1.7.8.1.....^.1...... N....MICROD~1..F...... N...N...... \...... M.i.c.r.o.D.i.c.o.m.....`.2...... N. .mDicom.chm..F...... N..N...... \...... m .D.i.c.o.m...c.h.m...... U...... -...... T...... N<.....C:\Program Files\MicroDicom\mDicom.chm..5.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.D.i.c.o.m.\.m. D.i.c.o.m...c.h.m...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.D.i.c.o.m.`...... X...... 124406...... x..C..Z.;.."We.}....D...u{....x..C..Z.;.."We.}....D...u{E...... 9...1SPS..mD..pH .H@..=x.....h....H....X/:...... `"......

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MicroDicom\MicroDicom.lnk
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat May 11 22:33:52 2019, mtime=Thu Jul 18 19:56:28 2019, atime=Sat May 11 22:33:52 2019, length=15277056, window=hide
  Size (bytes): 1728
  Entropy (8bit): 4.429151652462288
  Encrypted: false
  MD5: 05BB51B0D3C0BF06475B8E5D5ABD535D
  SHA1: 786DDB5B0C73A5ABC54C88C6C4A15DF4074E2BC7
  SHA-256: 77CF6220ACC4378AFD284EECC145560B675A729A6534A22FE60004B9348408C9
  SHA-512: 0B29D960ACBF06D3BF7283C0662DE5842358804D95E3C4E0C76D0F87763B636BEAF2F7599A5E0CD9D1284DDE063AAE6DCEFC7A11BB256C5F43EB332CABCF8EBA
  Malicious: false
  Reputation: low
  Preview: L...... F...... Q...WF.E.=...... Q...... y....P.O. .:i.....+00.../C:\...... 1...... N....PROGRA~1..t...... L..N...... <...... J...... P.r.o.g.r.a.m. [...] .h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....^.1...... N....MICROD~1..F...... N...N...... \...... IL..M.i.c.r.o.D.i.c.o.m.....`.2...... N:. .mDicom.exe..F...... N:..N...... ']...... m.D.i.c. o.m...e.x.e...... U...... -...... T...... N<.....C:\Program Files\MicroDicom\mDicom.exe..5.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.D.i.c.o.m.\.m.D.i.c.o .m...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.D.i.c.o.m.`...... X...... 124406...... x..C..Z.;...$We.}....D...u{....x..C..Z.;...$We.}....D...u{E...... 9...1SPS..mD..pH.H@.. =x.....h....H....X/:...... `"...... L...... F...... Q...WF.E.=...... Q...... y....P.O. .:i.....+00.../C:\...... 1.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MicroDicom\Uninstall.lnk
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
  Size (bytes): 621
  Entropy (8bit): 2.854782137823955
  Encrypted: false
  MD5: 442F75E8CF87F637AAAC05D5BA6336C9
  SHA1: EA308883E4A273C0FC1CA4D65BA3BFFB901F6C0F
  SHA-256: B811773483CC0B81901AFEDFC4F7FFA15172FC2716C95B95005F70494BAAE83D
  SHA-512: 84811CDA24313A5BC71659B88D29AD482BBC8AC7BEC44C744D7A6A086E39B829E487BF1B668F29FCC0DBD42D341FAC33DEB6CE90A8CC348DE0384CB9FB26D09E
  Malicious: false
  Reputation: low
  Preview: L...... F...... _....P.O. .:i.....+00.../C:\...... h.1...... Program Files.L...... P.r.o.g.r.a.m. .F.i.l.e.s.....`.1...... MicroDicom..F...... M.i.c.r.o.D.i.c.o.m.....h.2...... uninstall.exe.L...... u.n.i.n.s.t.a.l.l...e.x.e...... 8.....\.....\.....\.....\.....\... ..\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.D.i.c.o.m.\.u.n.i.n.s.t.a.l.l...e.x.e.$.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.D.i.c.o.m.\.l.i.c.e.n.s.e.s.....

C:\Users\user\AppData\Local\Temp\AFX1D59450A.tmp
  Process: C:\Program Files\MicroDicom\mDicom.exe
  File Type: data
  Size (bytes): 14723
  Entropy (8bit): 2.5742153894863153
  Encrypted: false
  MD5: BCA4A563D4B3BF79A4D8E811B2B3269F
  SHA1: D5FD939DA8C4F94FD32D202115D776BA25724ADB
  SHA-256: 693DB07408549DC396A5A4D6116F01B7199AC2255937C973342B371B07928A62
  SHA-512: 9462E40B0BC04E89E0A81DBD5094C151056244B2F9189086365EE2CF5881190E4988A97D108D3F0B6BADA9920EC383437D66EFC3B2DB5EF7EE438D6EF2E1357E
  Malicious: false
  Reputation: low
  Preview: ...... CMFCToolBarMenuButton...... &.F.i.l.e...... &.O.p.e.n...... {...... O.p.e.&.n. .C.D./.D.V.D...... f...... O.p.e.n. .D.I.C.O.M.D.I.&.R...... t...... O.p.e.n. .&.Z.I.P. .f.i.l.e...... 9...... &.S.c.a.n. .f.o.r. .D.I.C.O.M. .f.i.l.e.s...... &.A.d.d. .D.I.C.O.M. .i.m.a.g.e.s...... A.d.d. .&.f.i.l.e...... A.d.d. .f.o.l.d.e.&.r...... &.C.l.o.s.e...... &.E.x.p.o.r.t...... T.o. .a. .&.p.i.c.t.u.r.e. .f.i.l.e......
  (The four AFX*.tmp files below are MFC toolbar/menu serialization data written by the viewer itself; the CMFCToolBarMenuButton tag and the UTF-16 menu captions in the previews identify them. AFX1D59450A.tmp and AFX450CAFF.tmp are byte-identical, as their matching digests show.)

C:\Users\user\AppData\Local\Temp\AFX32F6DFEE.tmp
  Process: C:\Program Files\MicroDicom\mDicom.exe
  File Type: data
  Size (bytes): 3607
  Entropy (8bit): 2.6409977429644056
  Encrypted: false
  MD5: 9222C76DAB75D7B163830041045261EB
  SHA1: 9897157CA646A207DA198A411389D0BC290DCFBB
  SHA-256: 36ACB7FE8E85727EC49A27D35FBB1DC7756DB818F784951C4CC57A2CF74F9C7C
  SHA-512: 2C6BC7E9D175F25A0FD4376DE0C3781AE0ECA3B2FCBF5B8A4F180A3D9B4DCACB14BF402FDD48C5CE336F1475BCA279BE80A91507DB0170830C03DA7B139D3975
  Malicious: false
  Reputation: low
  Preview: ...... CMFCToolBarMenuButton...... &.F.i.l.e...... &.O.p.e.n...... C.t.r.l.+.O...... {...... O.p.e.n. .&.C.D./.D.V.D ...... f...... O.p.e.n. .D.I.C.O.M.D.I.&.R...... t...... O.p.e.n. .&.Z.I.P. .f.i.l.e...... 9...... &.S.c.a.n. .f.o.r. .D.I.C.O.M. .f.i.l.e.s...... 8...... &.P.r.i.n.t. .S.e.t.u.p...... R.e.c.e.n.t. .F.i.l.e...... A...... E.&.x.i.t...... &.N.e.t.w.o.r.k...... $...... &.D.o.w.n.l.o

C:\Users\user\AppData\Local\Temp\AFX450CAFF.tmp
  Process: C:\Program Files\MicroDicom\mDicom.exe
  File Type: data
  Size (bytes): 14723
  Entropy (8bit): 2.5742153894863153
  Encrypted: false
  MD5: BCA4A563D4B3BF79A4D8E811B2B3269F
  SHA1: D5FD939DA8C4F94FD32D202115D776BA25724ADB
  SHA-256: 693DB07408549DC396A5A4D6116F01B7199AC2255937C973342B371B07928A62
  SHA-512: 9462E40B0BC04E89E0A81DBD5094C151056244B2F9189086365EE2CF5881190E4988A97D108D3F0B6BADA9920EC383437D66EFC3B2DB5EF7EE438D6EF2E1357E
  Malicious: false
  Reputation: low
  Preview: ...... CMFCToolBarMenuButton...... &.F.i.l.e...... &.O.p.e.n...... {...... O.p.e.&.n. .C.D./.D.V.D...... f...... O.p.e.n. .D.I.C.O.M.D.I.&.R...... t...... O.p.e.n. .&.Z.I.P. .f.i.l.e...... 9...... &.S.c.a.n. .f.o.r. .D.I.C.O.M. .f.i.l.e.s...... &.A.d.d. .D.I.C.O.M. .i.m.a.g.e.s...... A.d.d. .&.f.i.l.e...... A.d.d. .f.o.l.d.e.&.r...... &.C.l.o.s.e...... &.E.x.p.o.r.t...... T.o. .a. .&.p.i.c.t.u.r.e. .f.i.l.e......

C:\Users\user\AppData\Local\Temp\AFXB34CB1FC.tmp
  Process: C:\Program Files\MicroDicom\mDicom.exe
  File Type: data
  Size (bytes): 3607
  Entropy (8bit): 2.656467993575662
  Encrypted: false
  MD5: 7A367E64FBBCCCD289185C3D0386D762
  SHA1: 07728A6EA53A1A218F93A31DCF1625D316F946CE
  SHA-256: E42E761C348177000D8B1D7F1455425FBEBAF316D0ED47D67BC07C78A54CDE13
  SHA-512: E2C7BC01044684503A3C7C8B4585E943AA80D40128D37A8CAA4752779FD28918FDD40D425A03FBC4B2DDADD79C8AA0EA30FE9EA668DD76DA38438040A7916685
  Malicious: false
  Reputation: low
  Preview: ...... CMFCToolBarMenuButton...... &.F.i.l.e...... &.O.p.e.n...... C.t.r.l.+.O...... {...... O.p.e.n. .&.C.D./.D.V.D ...... f...... O.p.e.n. .D.I.C.O.M.D.I.&.R...... t...... O.p.e.n. .&.Z.I.P. .f.i.l.e...... &.S.c.a.n. .f.o .r. .D.I.C.O.M. .f.i.l.e.s...... &.P.r.i.n.t. .S.e.t.u.p...... R.e.c.e.n.t. .F.i.l.e...... A...... E.&.x.i.t...... &.N.e.t.w.o.r.k...... $...... &.D.o.w.n.l.o

C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\System.dll
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  Size (bytes): 11776
  Entropy (8bit): 5.832316471889005
  Encrypted: false
  MD5: B0C77267F13B2F87C084FD86EF51CCFC
  SHA1: F7543F9E9B4F04386DFBF33C38CBED1BF205AFB3
  SHA-256: A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77
  SHA-512: F2B57A2EEA00F52A3C7080F4B5F2BB85A7A9B9F16D12DA8F8FF673824556C62A0F742B72BE0FD82A2612A4B6DBD7E0FDC27065212DA703C2F7E28D199696F66E
  Malicious: false
  Antivirus: virustotal, Detection: 1%; metadefender, Detection: 0%
  Joe Sandbox View: the same file was seen in these earlier submissions, each rated malicious: setup_smartpoint.x86.home.exe; inst.smartpoint.p2.exe; 47global.doc; 36PO SP08031617LN.doc; 52Sofia Hubert - Bewerbung und Lebenslauf - 07.09.2018.exe; 47Bewerbungsunterlagen - Nina Peter - 17.09.exe; 18PO#33282.doc; 18PO #SAI-1007324.doc; 28Purchase proposal.doc; 72Application12102018.pdf.exe; 1.exe; readerdc_en_us_xa_crd_install.exe; Order confirm-13122018.doc; DHL INVOICE.exe; 13PO#0104019file000000#1.exe; 2QARaajgHL.exe; COPIA DE FOTOCOMPARENDO 95658 CON FOTOS HORA Y FECHA.exe; 60060829-THAI.pdf.exe; b60.exe; scan copy#U007equote.jar
  Reputation: moderate, very likely benign file
  Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D...... PE..L.....oZ...... !...... (...... 0...... `...... @...... 2...... 0..P...... P...... 0..X...... text...O...... `.rdata..c....0...... $...... @[...]....@...... (...... @....reloc..|....P...... *...... @..B......

C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\modern-wizard.bmp
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: PC bitmap, Windows 3.x format, 165 x 315 x 32
  Size (bytes): 415912
  Entropy (8bit): 5.598985768096432
  Encrypted: false
  MD5: 2A9A522414BD8493133B5DFE489A4FC4
  SHA1: C978000CD0D0CE28E0C2E918447CB61CB8E452F9
  SHA-256: 9D5BD283CD5E96C0176869442A329893A10CBBE2C20A2CB2F65B562C002BF258
  SHA-512: 4891267190A718CCA808435C203E2DE695B698B53855BF0CDC1A5C888EF7B8C941E54475D4F65FE268D81EAACC346E998B2F5E59F319167ED247CE052603C114
  Malicious: false
  Reputation: low
  Preview: BMT,...... 6...(...... ;...... ,......

C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\nsDialogs.dll
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  Size (bytes): 9728
  Entropy (8bit): 5.0684006804573105
  Encrypted: false
  MD5: EAC1C3707970FE7C71B2D760C34763FA
  SHA1: F275E659AD7798994361F6CCB1481050ABA30FF8
  SHA-256: 062C75AD650548750564FFD7AEF8CD553773B5C26CAE7F25A5749B13165194E3
  SHA-512: 3415BD555CF47407C0AE62BE0DBCBA7173D2B33A371BF083CE908FC901811ADB888B7787D11EB9D99A1A739CBD9D1C66E565DB6CD678BDADAF753FBDA14FFD09
  Malicious: false
  Antivirus: virustotal, Detection: 0%; metadefender, Detection: 0%
  Reputation: moderate, very likely benign file
  Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... |..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od0 9O`0Rich8O`0...... PE..L.....oZ...... !...... 0...... @...... 6..k....0...... `...... p...... 0...... text...Q...... `.rdata..{....0...... @[...]...... @...... @....rsrc...... `...... @[...]...... "...... @..B......

C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\nsProcess.dll
  Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
  File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  Size (bytes): 57328
  Entropy (8bit): 7.382578489418771
  Encrypted: false
  MD5: BA551A488DDD26CD2306AF97CA384B80
  SHA1: 6600CFDA850C78DDB70CE4F52685325C70DEDDBF
  SHA-256: F1622B8F8B7C92C1EF08D0EE5CFDA22309E9AFD9D78355A7FA56FE8043F91CD0
  SHA-512: 7E86A9F3D80C0523FCB49E2B76E01311BCC9E84A36EE8B54C025D439C049C7DE0CF2CCBB7210289355627BEE55C187FEE40063EDE9677309076AEC200DC2C3E9
  Malicious: false
  Reputation: low
  Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... ^W.a.W.a.W.a...<.T.a.W.`.X.a.R.>.V.a.R.=.V.a.R.;.V.a.RichW. a...... PE..L.....D...... !...... P...... "..v...... (...... @..`...... @...... text...}...... `.rdata...... @[...]...... 0...... @....reloc...... @...... @..B......

C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\splash.bmp
Process: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
File Type: PC bitmap, Windows 3.x format, 524 x 345 x 32
Size (bytes): 728808
Entropy (8bit): 5.891363237598385
Encrypted: false
MD5: BE382BABDDF0F47C4BB07E47F3F1A1D0
SHA1: 9EC6AA73688BDB9859343E036C044D5E67D39285
SHA-256: AAEBB27D3F26619F984DF5D981C22D63F2856CFEFEBC697432536C8203A0C965
SHA-512: 18FB31B53F159D226A1F860D9A0D3A6E85814263EACBFE6E6072FC9409991D9E19B105FCA7D01CC10CA1B89FA5762AD40AF5EECBD419D737EC80C34F77BC6ED2
Malicious: false
Reputation: low

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
dicom.offis.de/dcmsr | mDicom.exe, 00000005.00000000.20539606953.0000000140851000.00000002.00020000.sdmp, mDicom.exe.0.dr | false | Avira URL Cloud: safe | unknown
www.microdicom.com/online-store.htmlo | mDicom.exe, 00000005.00000002.20882361564.00000000005A0000.00000004.00000020.sdmp | false | | high
nsis.sf.net/NSIS_Error | MicroDicom-3.0.1-x64.exe | false | | high
www.microdicom.com/support.html/ | mDicom.exe, 00000005.00000002.20882421909.00000000005F2000.00000004.00000020.sdmp | false | | high
dicom.offis.de/dcmtk | mDicom.exe.0.dr | false | 0%, virustotal; Avira URL Cloud: safe | unknown
www.microdicom.comhttp://forum.microdicom.comhttp://www.microdicom.com/support.htmlhttp://www | mDicom.exe, 00000005.00000000.20539606953.0000000140851000.00000002.00020000.sdmp, mDicom.exe.0.dr | false | Avira URL Cloud: safe | unknown
forum.microdicom.com | mDicom.exe, 00000005.00000002.20882449864.000000000061A000.00000004.00000020.sdmp, mDicom.exe, 00000005.00000000.20540929327.0000000140B8E000.00000002.00020000.sdmp, mDicom.exe.0.dr | false | | high
www.microdicom.com | MicroDicom-3.0.1-x64.exe, 00000000.00000003.20518296954.0000000003E90000.00000004.00000001.sdmp, mDicom.exe, 00000005.00000000.20540929327.0000000140B8E000.00000002.00020000.sdmp, MicroDicom.url.0.dr, mDicom.exe.0.dr | false | | high
www.winimage.com/zLibDll | mDicom.exe, 00000005.00000000.20539606953.0000000140851000.00000002.00020000.sdmp, mDicom.exe.0.dr | false | | high
www.microdicom.com/microdicom-viewer/history.htmlr | mDicom.exe, 00000005.00000002.20882361564.00000000005A0000.00000004.00000020.sdmp | false | | high
nsis.sf.net/NSIS_ErrorError | MicroDicom-3.0.1-x64.exe | false | | high
www.microdicom.com; | mDicom.exe, 00000005.00000002.20882449864.000000000061A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | low
dicom.nema.org/PS3.19/models/NativeDICOM | mDicom.exe.0.dr | false | Avira URL Cloud: safe | low
www.winimage.com/zLibDll5 | mDicom.exe, 00000005.00000000.20539606953.0000000140851000.00000002.00020000.sdmp, mDicom.exe.0.dr | false | | high

Contacted IPs

No contacted IP infos

Static File Info

General
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.992396822327603
TrID:
Win32 Executable (generic) a (10002005/4) 99.94%
Generic Win/DOS Executable (2004/3) 0.02%
DOS Executable Generic (2002/1) 0.02%
Java Script embedded in Visual Basic Script (1500/0) 0.01%
Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: MicroDicom-3.0.1-x64.exe
File size: 4925289
MD5: d07ed740fb6180d9fcfd815d2b80d561
SHA1: bdc64b033e48ff1b5f95abf07be2cb02f82acc17
SHA256: 9b9ebc4c3874ae19d3589b3543836d82872f2ce98dc6eacfc719594728e03607
SHA512: 2f2036f4503a4e35d34597f550de5bf5e9439d7ab466083cc97e2e6e5d2e2be8d808342a7f83b49da09f49345f0cc38b42df5d2392ba36626bb14f74a9df0d7a
SSDEEP: 98304:WWEdNReK10QMwlQpzOhF0iT/hyMyKpaCH+Ye8NrUH+CpI4incL+o:8D5rMPPk/0bKpaina+J4incLx

File Icon

Icon Hash: 2950d2f2f0e8d6d6

Static PE Info

General
Entrypoint: 0x4031d6
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5A6FED2B [Tue Jan 30 03:57:31 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 3abe302b6d9a1256e6a915429af4ffd2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A0h]
call dword ptr [0040709Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042370Ch], eax
je 00007F113868E573h
push ebx
call 00007F113869164Ah
cmp eax, ebx
je 00007F113868E569h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F11386915C6h
push esi
call dword ptr [00407098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F113868E54Dh
push 0000000Ah
call 00007F113869161Eh
push 00000008h
call 00007F1138691617h
push 00000006h
mov dword ptr [00423704h], eax
call 00007F113869160Bh
cmp eax, ebx
je 00007F113868E571h
push 0000001Eh
call eax
test eax, eax
je 00007F113868E569h
or byte ptr [0042370Fh], 00000040h
push ebp
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECC8h
call dword ptr [00407178h]
push 00409188h

Rich Headers

Programming Language: [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x30180 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5f0d | 0x6000 | False | 0.664916992188 | data | 6.45052042396 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1248 | 0x1400 | False | 0.4275390625 | data | 5.00765014918 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1a818 | 0x400 | False | 0.6376953125 | data | 5.12958781177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x14000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x38000 | 0x30180 | 0x30200 | False | 0.686216517857 | data | 6.94202531437 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x384c0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4281545523, next used block 4281545523 | English | United States
RT_ICON | 0x48ce8 | 0x10475 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x59160 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 16777216 | English | United States
RT_ICON | 0x5d388 | 0x25a8 | data | English | United States
RT_ICON | 0x5f930 | 0x1a68 | data | English | United States
RT_ICON | 0x61398 | 0x1628 | dBase IV DBT of \200.DBF, blocks size 0, block length 4608, next free block index 40, next free block 3486503646, next used block 3991661522 | English | United States
RT_ICON | 0x629c0 | 0x10a8 | data | English | United States
RT_ICON | 0x63a68 | 0xea8 | data | English | United States
RT_ICON | 0x64910 | 0x988 | data | English | United States
RT_ICON | 0x65298 | 0x8a8 | data | English | United States
RT_ICON | 0x65b40 | 0x6c8 | data | English | United States
RT_ICON | 0x66208 | 0x6b8 | data | English | United States
RT_ICON | 0x668c0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x66e28 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x67290 | 0x2e8 | data | English | United States
RT_ICON | 0x67578 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x676a0 | 0xb4 | data | English | United States
RT_DIALOG | 0x67758 | 0x120 | data | English | United States
RT_DIALOG | 0x67878 | 0x202 | data | English | United States
RT_DIALOG | 0x67a80 | 0xf8 | data | English | United States
RT_DIALOG | 0x67b78 | 0xee | data | English | United States
RT_GROUP_ICON | 0x67c68 | 0xe6 | data | English | United States
RT_MANIFEST | 0x67d50 | 0x42e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system: English
Country where language is spoken: United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• MicroDicom-3.0.1-x64.exe
• mDicom.exe


System Behavior

Analysis Process: MicroDicom-3.0.1-x64.exe PID: 2832 Parent PID: 1804

General

Start time: 13:56:11
Start date: 18/07/2019
Path: C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe'
Imagebase: 0x400000
File size: 4925289 bytes
MD5 hash: D07ED740FB6180D9FCFD815D2B80D561
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source File Path: C:\Users\user~1\AppData\Local\Temp\; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsu8BBA.tmp; Access: read attributes | synchronize | generic read; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B66; Symbol: GetTempFileNameA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp; Access: read attributes | synchronize | generic read; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B66; Symbol: GetTempFileNameA
Source File Path: C:\Users; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Users\user~1; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Users\user~1\AppData; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Users\user~1\AppData\Local; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Users\user~1\AppData\Local\Temp; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: 4055A0; Symbol: CreateDirectoryA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\System.dll; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\System.dll; Access: read attributes | synchronize | generic write; Attributes: archive; Options: synchronous io non alert | non directory file; Completion: object name collision; Count: 6; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\System.dll; Access: read attributes | synchronize | generic write; Attributes: archive; Options: synchronous io non alert | non directory file; Completion: object name collision; Count: 5; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\splash.bmp; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\advsplash.dll; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\modern-wizard.bmp; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\nsDialogs.dll; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\nsDialogs.dll; Access: read attributes | synchronize | generic write; Attributes: archive; Options: synchronous io non alert | non directory file; Completion: object name collision; Count: 5; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\nsProcess.dll; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 5; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Program Files\MicroDicom; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Program Files\MicroDicom\mDicom.chm; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\ProgramData; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\ProgramData\Microsoft; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\ProgramData\Microsoft\Windows; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\ProgramData\Microsoft\Windows\Start Menu; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MicroDicom; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Program Files\MicroDicom\mDicom.exe; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 4; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Program Files\MicroDicom\settings; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Program Files\MicroDicom\settings; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Program Files\MicroDicom\settings\animations.xml; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom\settings\annotation.xml; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom\settings\application.xml; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom\settings\exportDicom.xml; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom\settings\exportImage.xml; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom\settings\exportVideo.xml; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom\settings\overlay.xml; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom\settings\overlay_st.xml; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom\settings\print.xml; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom\settings\windowlevels.xml; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom\licenses; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Program Files\MicroDicom\licenses; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 4055E0; Symbol: CreateDirectoryA
Source File Path: C:\Program Files\MicroDicom\licenses\EULA.txt; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom\licenses\license.txt; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Program Files\MicroDicom\uninstall.exe; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\System.dll; Access: read attributes | synchronize | generic write; Attributes: archive; Options: synchronous io non alert | non directory file; Completion: object name collision; Count: 20; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\nsDialogs.dll; Access: read attributes | synchronize | generic write; Attributes: archive; Options: synchronous io non alert | non directory file; Completion: object name collision; Count: 7; Address: 405B2F; Symbol: CreateFileA
Source File Path: C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\System.dll; Access: read attributes | synchronize | generic write; Attributes: archive; Options: synchronous io non alert | non directory file; Completion: object name collision; Count: 5; Address: 405B2F; Symbol: CreateFileA

File Deleted

Source File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\nsu8BBA.tmp | success or wait | 1 | 40344D | DeleteFileA
C:\Users\user\AppData\Local\Temp\nsk8C19.tmp | success or wait | 1 | 405761 | DeleteFileA
C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\splash.bmp | success or wait | 1 | 405713 | DeleteFileA
C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\advsplash.dll | success or wait | 1 | 405713 | DeleteFileA
C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\modern-wizard.bmp | success or wait | 1 | 405713 | DeleteFileA
C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\nsDialogs.dll | success or wait | 1 | 405713 | DeleteFileA
C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\nsProcess.dll | cannot delete | 1 | 405713 | DeleteFileA
C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\System.dll | success or wait | 1 | 405713 | DeleteFileA

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\System.dll unknown 11776 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 405BC4 WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... ir*.-.D.-.D.- 00 00 00 00 00 00 00 .D...J.*.D.- 00 00 00 00 00 00 00 .E.>.D.....*.D.y0t.).D.N1n. 00 00 00 00 00 00 00 ,.D..3@.,.D.Rich- 00 00 00 d0 00 00 00 .D...... PE 0e 1f ba 0e 00 b4 09 ..L.....oZ...... !...... cd 21 b8 01 4c cd 21 (..... 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 69 72 2a 92 2d 13 44 c1 2d 13 44 c1 2d 13 44 c1 ae 0f 4a c1 2a 13 44 c1 2d 13 45 c1 3e 13 44 c1 ee 1c 19 c1 2a 13 44 c1 79 30 74 c1 29 13 44 c1 4e 31 6e c1 2c 13 44 c1 d2 33 40 c1 2c 13 44 c1 52 69 63 68 2d 13 44 c1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e ed 6f 5a 00 00 00 00 00 00 00 00 e0 00 2e 21 0b 01 06 00 00 20 00 00 00 0a 00 00 00 00 00 00 e5 28 00 00 00 10 00

Copyright Joe Security LLC 2019 Page 25 of 44 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\splash.bmp unknown 32768 42 4d e8 08 0b 00 00 BM...... 6...(...... Y...... success or wait 25 405BC4 WriteFile 00 00 00 36 00 00 00 ...... 28 00 00 00 0c 02 00 ...... 00 59 01 00 00 01 00 ...... 20 00 00 00 00 00 b2 ...... 08 0b 00 20 2e 00 00 ...... 20 2e 00 00 00 00 00 ...... 00 00 00 00 00 04 00 ...... 04 00 04 00 04 00 04 ...... 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\advsplash.dll unknown 5632 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 405BC4 WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... +.Y.o.7Eo.7Eo.7Eo.6 00 00 00 00 00 00 00 EF. 00 00 00 00 00 00 00 7E..jEf.7E;..Em.7E..3En.7 00 00 00 c0 00 00 00 ERich 0e 1f ba 0e 00 b4 09 o.7E...... PE..L.....oZ...... cd 21 b8 01 4c cd 21 .....!...... `...... 54 68 69 73 20 70 72 ...... 
6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2b e8 59 16 6f 89 37 45 6f 89 37 45 6f 89 37 45 6f 89 36 45 46 89 37 45 ac 86 6a 45 66 89 37 45 3b aa 07 45 6d 89 37 45 90 a9 33 45 6e 89 37 45 52 69 63 68 6f 89 37 45 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 09 ed 6f 5a 00 00 00 00 00 00 00 00 e0 00 2e 21 0b 01 06 00 00 08 00 00 00 0a 00 00 00 00 00 00 60 11 00 00 00 10 00 00 00 20 00 00 00 00 00 10 00 10 00 00 00 02 00

Copyright Joe Security LLC 2019 Page 26 of 44 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\modern- unknown 32768 42 4d 54 2c 03 00 00 BMT,...... 6...(...... ;...... success or wait 7 405BC4 WriteFile wizard.bmp 00 00 00 36 00 00 00 .....,...... 28 00 00 00 a5 00 00 ...... 00 3b 01 00 00 01 00 ...... 20 00 00 00 00 00 1e ...... 2c 03 00 d6 0d 00 00 ...... d6 0d 00 00 00 00 00 ...... 00 00 00 00 00 04 00 ...... 04 00 04 00 04 00 04 ...... 00 04 00 04 00 04 00 0d 09 0d 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 0d 09 0d 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 0d 09 0d 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 0d 09 0d 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 0d 09 0d 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\modern- unknown 32768 42 4d 54 2c 03 00 00 BMT,...... 6...(...... ;...... success or wait 7 405BC4 WriteFile wizard.bmp 00 00 00 36 00 00 00 .....,...... 28 00 00 00 a5 00 00 ...... 00 3b 01 00 00 01 00 ...... 20 00 00 00 00 00 1e ...... 2c 03 00 d6 0d 00 00 ...... d6 0d 00 00 00 00 00 ...... 00 00 00 00 00 04 00 ...... 04 00 04 00 04 00 04 ...... 
00 04 00 04 00 04 00 0d 09 0d 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 0d 09 0d 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 0d 09 0d 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 0d 09 0d 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 0d 09 0d 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04 00 04

Copyright Joe Security LLC 2019 Page 27 of 44 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\nsDialogs.dll unknown 9728 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 405BC4 WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... |..c8O`08O`08O`08O 00 00 00 00 00 00 00 a0.O 00 00 00 00 00 00 00 `0.@=05O`0llP0=O`0.If09 00 00 00 c8 00 00 00 O`0.od0 0e 1f ba 0e 00 b4 09 9O`0Rich8O`0...... PE..L... cd 21 b8 01 4c cd 21 ..oZ...... !...... 54 68 69 73 20 70 72 ...... 0..... 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7c 2e 0e 63 38 4f 60 30 38 4f 60 30 38 4f 60 30 38 4f 61 30 00 4f 60 30 fb 40 3d 30 35 4f 60 30 6c 6c 50 30 3d 4f 60 30 ff 49 66 30 39 4f 60 30 c7 6f 64 30 39 4f 60 30 52 69 63 68 38 4f 60 30 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c ed 6f 5a 00 00 00 00 00 00 00 00 e0 00 2e 21 0b 01 06 00 00 12 00 00 00 20 00 00 00 00 00 00 05 1d 00 00 00 10 00 00 00 30 00 00 00 00 00 C:\Users\user\AppData\Local\Temp\nsk8C19.tmp\nsProcess.dll unknown 4096 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 405BC4 WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... ^W.a.W.a.W.a... 00 00 00 00 00 00 00 <.T. 00 00 00 00 00 00 00 a.W.`.X.a.R.>.V.a.R.=.V.a. 00 00 00 d8 00 00 00 R.;. 0e 1f ba 0e 00 b4 09 V.a.RichW.a...... cd 21 b8 01 4c cd 21 ...... PE..L...... D...... ! 54 68 69 73 20 70 72 ...... 
6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 13 9b 0f 5e 57 fa 61 0d 57 fa 61 0d 57 fa 61 0d 94 f5 3c 0d 54 fa 61 0d 57 fa 60 0d 58 fa 61 0d 52 f6 3e 0d 56 fa 61 0d 52 f6 3d 0d 56 fa 61 0d 52 f6 3b 0d 56 fa 61 0d 52 69 63 68 57 fa 61 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 e3 a1 f6 44 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 07 0a 00 06 00 00 00 0c 00 00 00 00 00

Copyright Joe Security LLC 2019 Page 28 of 44 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files\MicroDicom\mDicom.chm unknown 23441 49 54 53 46 03 00 00 ITSF....`...... .. success or wait 1 405BC4 WriteFile 65 72 73 69 6f 6e 3d .. 22 73 65 72 69 65 73 22 20 66 72 61 6d 65 50 65 72 53 65 63 6f 6e 64 3d 22 31 35 22 20 73 68 6f 77 41 6c 6c 46 72 61 6d 65 3d 22 74 72 75 65 22 20 6c 6f 6f 70 3d 22 74 72 75 65 22 2f 3e 0d 0a

Copyright Joe Security LLC 2019 Page 29 of 44 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files\MicroDicom\settings\annotation.xml unknown 255 3c 3f 78 6d 6c 20 76 .. success or wait 1 405BC4 WriteFile 65 72 73 69 6f 6e 3d .. 69 63 6b 6e 65 73 73 3d 22 31 22 20 6f 70 61 63 69 74 79 3d 22 32 35 35 22 20 63 61 6c 69 62 72 61 74 65 44 61 74 61 58 3d 22 31 22 20 63 61 6c 69 62 72 61 74 65 44 61 74 61 59 3d 22 31 22 20 73 68 6f 77 3d 22 74 72 75 65 22 20 69 6e 66 6f 42 6f 78 56 69 73 69 62 69 6c 69 74 79 3d 22 74 72 75 65 22 20 73 68 6f 77 49 6e 66 6f 42 6f 78 4e 61 6d 65 4f 6e 6c 79 3d 22 66 61 6c 73 65 22 20 69 6e 66 6f 42 6f 78 54 65 78 74 53 69 7a 65 3d 22 31 30 22 2f 3e 0d 0a C:\Program Files\MicroDicom\settings\application.xml unknown 211 3c 3f 78 6d 6c 20 76 .. success or wait 1 405BC4 WriteFile 65 72 73 69 6f 6e 3d .. 65 72 44 69 61 6c 6f 67 3d 22 74 72 75 65 22 20 64 65 66 61 75 6c 74 44 49 43 4f 4d 54 61 67 73 54 61 62 3d 22 70 61 74 69 65 6e 74 22 20 64 65 66 61 75 6c 74 54 79 70 65 4f 70 65 6e 44 69 61 6c 6f 67 3d 22 61 6c 6c 5f 66 69 6c 65 73 22 20 64 65 66 61 75 6c 74 54 79 70 65 4f 70 65 6e 5a 69 70 44 69 61 6c 6f 67 3d 22 7a 69 70 5f 66 69 6c 65 73 22 2f 3e 0d 0a

C:\Program Files\MicroDicom\settings\exportDicom.xml unknown 179 3c 3f 78 6d 6c 20 76 .. success or wait 1 405BC4 WriteFile 65 72 73 69 6f 6e 3d .. 22 20 65 78 70 6f 72 74 46 72 61 6d 65 54 6f 53 65 70 61 72 61 74 65 46 69 6c 65 73 3d 22 66 61 6c 73 65 22 20 73 65 70 65 72 61 74 65 46 69 6c 65 73 3d 22 66 61 6c 73 65 22 20 76 69 64 65 6f 53 69 7a 65 3d 22 6f 72 69 67 69 6e 61 6c 22 20 65 78 70 6f 72 74 41 6e 6e 6f 74 61 74 69 6f 6e 73 3d 22 66 61 6c 73 65 22 2f 3e 0d 0a
C:\Program Files\MicroDicom\settings\exportImage.xml unknown 202 3c 3f 78 6d 6c 20 76 .. success or wait 1 405BC4 WriteFile 65 72 73 69 6f 6e 3d .. 78 70 6f 72 74 46 72 61 6d 65 3d 22 74 72 75 65 22 20 63 72 65 61 74 65 53 75 62 46 6f 6c 64 65 72 3d 22 74 72 75 65 22 20 69 6d 61 67 65 53 69 7a 65 3d 22 6f 72 69 67 69 6e 61 6c 22 20 65 78 70 6f 72 74 41 6e 6e 6f 74 61 74 69 6f 6e 73 3d 22 74 72 75 65 22 20 65 78 70 6f 72 74 4f 76 65 72 6c 61 79 54 79 70 65 3d 22 61 6c 6c 22 20 6a 70 65 67 5f 71 75 61 6c 69 74 79 3d 22 37 35 22 2f 3e 0d 0a

C:\Program Files\MicroDicom\settings\exportVideo.xml unknown 240 3c 3f 78 6d 6c 20 76 .. success or wait 1 405BC4 WriteFile 65 72 73 69 6f 6e 3d .. 3d 22 32 35 22 20 65 78 70 6f 72 74 46 72 61 6d 65 3d 22 74 72 75 65 22 20 6e 6f 43 6f 6d 70 72 65 73 73 69 6f 6e 3d 22 66 61 6c 73 65 22 20 73 65 70 65 72 61 74 65 46 69 6c 65 73 3d 22 66 61 6c 73 65 22 20 76 69 64 65 6f 53 69 7a 65 3d 22 6f 72 69 67 69 6e 61 6c 22 20 65 78 70 6f 72 74 41 6e 6e 6f 74 61 74 69 6f 6e 73 3d 22 74 72 75 65 22 20 65 78 70 6f 72 74 4f 76 65 72 6c 61 79 54 79 70 65 3d 22 61 6c 6c 22 20 71 75 61 6c 69 74 79 3d 22 31 30 30 22 2f 3e 0d 0a
C:\Program Files\MicroDicom\settings\overlay.xml unknown 3321 3c 3f 78 6d 6c 20 76 .. 22 31 2e 30 22 20 65 ........ success or wait 1 405BC4 WriteFile 65 72 73 69 6f 6e 3d .. 72 6c 61 79 20 63 6f 6c 6f 72 3d 22 23 46 46 46 46 46 46 22 20 73 68 6f 77 3d 22 74 72 75 65 22 20 73 68 6f 77 50 61 74 69 65 6e 74 44 61 74 61 3d 20 22 74 72 75 65 22 2f 3e 0d 0a

C:\Program Files\MicroDicom\settings\print.xml unknown 342 3c 3f 78 6d 6c 20 76 .. success or wait 1 405BC4 WriteFile 65 72 73 69 6f 6e 3d .. success or wait 1 405BC4 WriteFile 65 72 73 69 6f 6e 3d ... 22 31 2e 30 22 3f 3e ... 4f 57 4c 45 56 45 4c ... 6d 65 3d 22 53 6b 75 ......

C:\Program Files\MicroDicom\licenses\EULA.txt unknown 6953 45 6e 64 2d 55 73 65 End-User License success or wait 1 405BC4 WriteFile 72 20 4c 69 63 65 6e Agreement for MicroDicom 73 65 20 41 67 72 65 DICOM viewer....READ 65 6d 65 6e 74 20 66 CAREFULLY: This End- 6f 72 20 4d 69 63 72 6f User License Agreement 44 69 63 6f 6d 20 44 ("EULA") is a legal 49 43 4f 4d 20 76 69 agreement between you (" 65 77 65 72 0d 0a 0d end user") and 0a 52 45 41 44 20 43 MicroDicom ("the author") 41 52 45 46 55 4c 4c for the "MicroDicom 59 3a 20 54 68 69 73 DICOM Viewer", which 20 45 6e 64 2d 55 73 includes computer softw 65 72 20 4c 69 63 65 6e 73 65 20 41 67 72 65 65 6d 65 6e 74 20 28 22 45 55 4c 41 22 29 20 69 73 20 61 20 6c 65 67 61 6c 20 61 67 72 65 65 6d 65 6e 74 20 62 65 74 77 65 65 6e 20 79 6f 75 20 28 22 65 6e 64 20 75 73 65 72 22 29 20 61 6e 64 20 4d 69 63 72 6f 44 69 63 6f 6d 20 28 22 74 68 65 20 61 75 74 68 6f 72 22 29 20 66 6f 72 20 74 68 65 20 22 4d 69 63 72 6f 44 69 63 6f 6d 20 44 49 43 4f 4d 20 56 69 65 77 65 72 22 2c 20 77 68 69 63 68 20 69 6e 63 6c 75 64 65 73 20 63 6f 6d 70 75 74 65 72 20 73 6f 66 74 77
C:\Program Files\MicroDicom\licenses\license.txt unknown 16469 4d 69 63 72 6f 44 69 MicroDicom uses some success or wait 1 405BC4 WriteFile 63 6f 6d 20 75 73 65 third party components 73 20 73 6f 6d 65 20 listed below. 
You will also 74 68 69 72 64 20 70 find some disclaimers or 61 72 74 79 20 63 6f copyright messages about 6d 70 6f 6e 65 6e 74 them :..------73 20 6c 69 73 74 65 ------64 20 62 65 6c 6f 77 ------..MicroDicom 2e 20 59 6f 75 20 77 uses DCMTK library, which 69 6c 6c 20 61 6c 73 is dis 6f 20 66 69 6e 64 20 73 6f 6d 65 20 64 69 73 63 6c 61 69 6d 65 72 73 20 6f 72 20 63 6f 70 79 72 69 67 68 74 20 6d 65 73 73 61 67 65 73 20 61 62 6f 75 74 20 74 68 65 6d 20 3a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a 4d 69 63 72 6f 44 69 63 6f 6d 20 75 73 65 73 20 44 43 4d 54 4b 20 6c 69 62 72 61 72 79 2c 20 77 68 69 63 68 20 69 73 20 64 69 73

C:\Program Files\MicroDicom\uninstall.exe unknown 228864 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 405BC4 WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... 00 00 00 00 00 00 00 (...F...F...F.*..... 00 00 00 00 00 00 00 F...G.v.F.*.....F...v...F...@. 00 00 00 00 00 00 00 ..F.Rich..F...... 00 00 00 d8 00 00 00 ...... PE..L...+.oZ...... 0e 1f ba 0e 00 b4 09 .....`...... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad b1 28 81 e9 d0 46 d2 e9 d0 46 d2 e9 d0 46 d2 2a df 19 d2 eb d0 46 d2 e9 d0 47 d2 76 d0 46 d2 2a df 1b d2 e6 d0 46 d2 bd f3 76 d2 e3 d0 46 d2 2e d6 40 d2 e8 d0 46 d2 52 69 63 68 e9 d0 46 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 2b ed 6f 5a 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 00 00 00 d0 01 00 00 04 00
C:\Program Files\MicroDicom\uninstall.exe unknown 3329 01 00 00 00 ef be ad ...... NullsoftInst...... success or wait 1 405BC4 WriteFile de 4e 75 6c 6c 73 6f ..][email protected].[...... c.. 66 74 49 6e 73 74 fb M...L["...X...#...g.....-..o.. 1b 00 00 01 0d 00 00 H...=...... q.|....;.[..6B# de 06 00 80 5d 00 00 ....9.p.}...... w...[K....". 80 00 00 40 80 30 05 .o...6....l_l..g.Y.j..e.X^E... 80 18 03 01 56 b3 5b ..%.|Xi9F...).;...0...T.?.P7N bf ff 0c e3 b2 a2 9e 83 c 63 05 a7 4d 89 c6 ff 4c ....Q.ar.g.F.Q..+y...... 5".s.O 5b 22 93 b9 81 58 8b W.[..C.....J{j. 
99 dc 23 fd 99 f6 67 be 1c f4 89 e3 2d af 18 6f 1f 8d 48 dc d3 a9 3d 05 c2 1f e0 0e c5 10 d8 06 f2 71 fd 7c 9a ea fb fc 3b a0 5b f0 8a 36 42 23 04 9f fc 01 39 b7 70 06 7d a0 da 0d 8e d2 9b d0 ed ea 77 13 1a fa 5b 4b c8 fd a6 93 22 eb a0 6f c9 14 e9 36 84 94 d5 a9 6c 5f 6c 05 fb 67 04 59 d8 6a 17 01 65 92 58 5e 45 d5 b1 1d 02 92 25 cf 7c 58 69 39 46 de f7 0f 29 19 3b e8 1e 13 30 d4 c6 c2 54 e4 3f 8d 50 37 4e 63 ba ad f8 fa 51 c4 61 72 a7 67 b5 46 fe 51 a9 b2 2b 79 d9 11 c8 cc c3 05 35 22 b5 73 9f 4f 57 f1 5b ed a1 43 e0 fc d4 f9 cc 4a 7b 6a dd

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe | unknown | 512 | success or wait | 593 | 405B95 | ReadFile
C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe | unknown | 4 | success or wait | 2 | 405B95 | ReadFile
C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe | unknown | 4 | success or wait | 4 | 405B95 | ReadFile
C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe | unknown | 4 | success or wait | 11 | 405B95 | ReadFile
C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe | unknown | 4 | success or wait | 2 | 405B95 | ReadFile
C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe | unknown | 4 | success or wait | 2 | 405B95 | ReadFile

C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe | unknown | 4 | success or wait | 297 | 405B95 | ReadFile
C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe | unknown | 228864 | success or wait | 1 | 405B95 | ReadFile
C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe | unknown | 4 | success or wait | 9 | 405B95 | ReadFile
C:\Users\user\Desktop\MicroDicom-3.0.1-x64.exe | unknown | 4 | success or wait | 2 | 405B95 | ReadFile

Registry Activities

Key Created

Source Key Path | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\mDicom.exe | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\shell | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\shell\open | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\shell\open\command | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\Software\Classes\Applications\mDicom.exe\SupportedTypes | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\Software\Classes\Directory\shell\MicroDicom | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\Software\Classes\Directory\shell\MicroDicom\command | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\Software\Classes\MicroDicom.Application | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\Software\Classes\MicroDicom.Application\DefaultIcon | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MicroDicom.Application\shell | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MicroDicom.Application\shell\open | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MicroDicom.Application\shell\open\command | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MicroDicom.Application\shell\print | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MicroDicom.Application\shell\print\command | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MicroDicom.Application\shell\printto | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MicroDicom.Application\shell\printto\command | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dcm | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dcm\OpenWithList | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dcm\OpenWithList\mDicom.exe | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dcm30 | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dcm30\OpenWithList | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dcm30\OpenWithList\mDicom.exe | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MicroDicom | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MicroDicom\Capabilities | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\MicroDicom\Capabilities\FileAssociations | success or wait | 1 | 405E4D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicroDicom | success or wait | 1 | 405E4D | RegCreateKeyExA

Key Value Created

Source Key Path | Name | Type | Data | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mDicom.exe | Path | unicode | C:\Program Files\MicroDicom | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | .dcm | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | .dcm30 | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | .bmp | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | . | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | . | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | .jpe | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | .jpg | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | .png | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | . | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | .tif | unicode | | success or wait | 1 | 402464 | RegSetValueExA

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | .wmf | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | .emf | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | .zip | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\SupportedTypes | .dmz | unicode | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\MicroDicom | Icon | unicode | C:\Program Files\MicroDicom\mDicom.exe | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications | MicroDicom | unicode | Software\MicroDicom\Capabilities | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MicroDicom\Capabilities | ApplicationDescription | unicode | MicroDicom is application for primary processing and preservation of medical images in DICOM formatIt is equipped with most common tools for manipulation of DICOM images and it has an intuitive user interface.It also has the advantage of being free for use and accessible to everyone. | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MicroDicom\Capabilities\FileAssociations | .dcm | unicode | MicroDicom.Application | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MicroDicom\Capabilities\FileAssociations | .dcm30 | unicode | MicroDicom.Application | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicroDicom | DisplayName | unicode | MicroDicom DICOM viewer 3.0.1 | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicroDicom | UninstallString | unicode | C:\Program Files\MicroDicom\uninstall.exe | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicroDicom | DisplayIcon | unicode | C:\Program Files\MicroDicom\mDicom.exe | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicroDicom | DisplayVersion | unicode | 3.0.1 | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicroDicom | URLInfoAbout | unicode | http://www.microdicom.com | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicroDicom | Publisher | unicode | MicroDicom | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicroDicom | InstallLocation | unicode | C:\Program Files\MicroDicom | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicroDicom | EstimatedSize | dword | 15225 | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager | PendingFileRenameOperations | unicode array | \??\C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\nsProcess.dll | success or wait | 1 | 405D59 | MoveFileExA

Key Value Modified

Source Key Path | Name | Type | Old Data | New Data | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mDicom.exe | NULL | unicode | | C:\Program Files\MicroDicom\mDicom.exe | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\mDicom.exe\shell\open\command | NULL | unicode | | "C:\Program Files\MicroDicom\mDicom.exe" "%1" | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\MicroDicom | NULL | unicode | | Open with MicroDicom DICOM Viewer | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\MicroDicom\command | NULL | unicode | | "C:\Program Files\MicroDicom\mDicom.exe" "%1" | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MicroDicom.Application | NULL | unicode | | MicroDicom DICOM file | success or wait | 1 | 402464 | RegSetValueExA

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MicroDicom.Application\DefaultIcon | NULL | unicode | | C:\Program Files\MicroDicom\mDicom.exe,1 | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MicroDicom.Application\shell\open\command | NULL | unicode | | "C:\Program Files\MicroDicom\mDicom.exe" "%1" | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MicroDicom.Application\shell\print\command | NULL | unicode | | C:\Program Files\MicroDicom\mDicom.exe /p "%1" | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MicroDicom.Application\shell\printto\command | NULL | unicode | | C:\Program Files\MicroDicom\mDicom.exe /pt "%1" "%2" "%3" "%4" | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dcm\OpenWithList\mDicom.exe | NULL | unicode | | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dcm30\OpenWithList\mDicom.exe | NULL | unicode | | | success or wait | 1 | 402464 | RegSetValueExA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager | PendingFileRenameOperations | unicode array | \??\C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\nsProcess.dll | \??\C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\nsProcess.dll\??\C:\Users\user~1\AppData\Local\Temp\nsk8C19.tmp\ | success or wait | 1 | 405D59 | MoveFileExA

Analysis Process: mDicom.exe PID: 3296 Parent PID: 2832

General

Start time: 13:56:34
Start date: 18/07/2019
Path: C:\Program Files\MicroDicom\mDicom.exe
Wow64 process (32bit): false
Commandline: C:\Program Files\MicroDicom\mDicom.exe
Imagebase: 0x140000000
File size: 15277056 bytes
MD5 hash: 046C7CF9E19304A9C587262D009E3CB4
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches: Detection: 0%, virustotal
Reputation: low

File Activities

File Created

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user~1\AppData\Local\Temp\AFXB34CB1FC.tmp | read attributes, delete, synchronize, generic read, generic write | temporary | synchronous io non alert, non directory file, delete on close | success or wait | 1 | 14069C8DB | CreateFileW
C:\Users\user~1\AppData\Local\Temp\AFX1D59450A.tmp | read attributes, delete, synchronize, generic read, generic write | temporary | synchronous io non alert, non directory file, delete on close | success or wait | 1 | 14069C8DB | CreateFileW
C:\Users\user~1\AppData\Local\Temp\AFX450CAFF.tmp | read attributes, delete, synchronize, generic read, generic write | temporary | synchronous io non alert, non directory file, delete on close | success or wait | 1 | 14069C8DB | CreateFileW

C:\Users\user~1\AppData\Local\Temp\AFX32F6DFEE.tmp | read attributes, delete, synchronize, generic read, generic write | temporary | synchronous io non alert, non directory file, delete on close | success or wait | 1 | 14069C8DB | CreateFileW

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\AFXB34CB1FC.tmp unknown 3607 00 20 00 00 01 00 00 . success or wait 1 1406172F7 WriteFile 00 05 00 ff ff 01 00 15 ...... CMFCToolBarMe 00 43 4d 46 43 54 6f nuButton...... &.F.i.l 6f 6c 42 61 72 4d 65 .e...... 6e 75 42 75 74 74 6f ...... &.O.p 6e 00 00 00 00 00 00 .e.n...... C.t.r.l.+.O...... 00 00 ff ff ff ff ff fe ff ...... 05 26 00 46 00 69 00 {...... O.p.e.n. .&.C 6c 00 65 00 00 00 00 .D./.D.V.D...... 00 00 00 00 00 01 00 ...... 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 0b 00 01 80 01 e1 00 00 00 00 00 00 ff ff ff ff ff fe ff 0f 26 00 4f 00 70 00 65 00 6e 00 2e 00 2e 00 2e 00 09 00 43 00 74 00 72 00 6c 00 2b 00 4f 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 7b 9c 00 00 00 00 00 00 ff ff ff ff ff fe ff 0c 4f 00 70 00 65 00 6e 00 20 00 26 00 43 00 44 00 2f 00 44 00 56 00 44 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 C:\Users\user\AppData\Local\Temp\AFX1D59450A.tmp unknown 4095 00 20 00 00 01 00 00 . success or wait 1 1406172F7 WriteFile 00 09 00 ff ff 01 00 15 ...... CMFCToolBarMe 00 43 4d 46 43 54 6f nuButton...... &.F.i.l 6f 6c 42 61 72 4d 65 .e...... 6e 75 42 75 74 74 6f ...... &.O.p 6e 00 00 00 00 00 00 .e.n...... 00 00 ff ff ff ff ff fe ff ...... {...... 05 26 00 46 00 69 00 ...O.p.e.&.n. 6c 00 65 00 00 00 00 .C.D./.D.V.D.... 00 00 00 00 00 01 00 ...... 00 00 00 00 00 00 01 ...f...... 
00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 12 00 01 80 01 e1 00 00 00 00 00 00 00 00 00 00 ff fe ff 08 26 00 4f 00 70 00 65 00 6e 00 2e 00 2e 00 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 7b 9c 00 00 00 00 00 00 01 00 00 00 ff fe ff 0c 4f 00 70 00 65 00 26 00 6e 00 20 00 43 00 44 00 2f 00 44 00 56 00 44 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 66 9c 00 00 00 00 00 00 ff ff ff ff

C:\Users\user\AppData\Local\Temp\AFX1D59450A.tmp unknown 4094 00 00 00 00 00 00 00 ...... success or wait 1 1406172F7 WriteFile 00 00 00 00 00 01 00 ...... !...... S.h.o.w. 00 00 01 00 00 00 00 .&.O.v.e.r.l.a.y...... 00 00 00 00 00 00 00 ...... 01 00 00 00 00 00 01 ...... S.h.o.w. .P.a.t.i.e.n.t. 80 21 80 00 00 00 00 .&.I.n.f.o.r.m.a.t.i.o.n. 00 00 ff ff ff ff ff fe ff 0d ...... 53 00 68 00 6f 00 77 ...... m...... S.h.o.w. 00 20 00 26 00 4f 00 .&.m.e.a.s... 76 00 65 00 72 00 6c 00 61 00 79 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 e2 9c 00 00 00 00 00 00 ff ff ff ff ff fe ff 19 53 00 68 00 6f 00 77 00 20 00 50 00 61 00 74 00 69 00 65 00 6e 00 74 00 20 00 26 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 6d 9c 00 00 00 00 00 00 ff ff ff ff ff fe ff 1b 53 00 68 00 6f 00 77 00 20 00 26 00 6d 00 65 00 61 00 73 00 2e 00 20
C:\Users\user\AppData\Local\Temp\AFX1D59450A.tmp unknown 4096 00 00 00 00 01 00 00 ...... success or wait 1 1406172F7 WriteFile 00 00 00 01 80 00 00 ...... 00 00 00 00 04 00 ff ff ....c...... C.o.p.y. . ff ff ff fe ff 00 00 00 00 i.&.m.a.g.e. .t.o. .c.l.i.p.b. 00 00 00 00 00 00 00 o.a.r.d...... 00 00 01 00 00 00 01 ...... 00 00 00 00 00 00 00 F.i.&.l.t.e.r.s...... 00 00 00 00 01 00 00 ...... 00 00 00 01 80 63 9c ...... 
&.B.l.u 00 00 00 00 00 00 ff ff ff ff ff fe ff 18 43 00 6f 00 70 00 79 00 20 00 69 00 26 00 6d 00 61 00 67 00 65 00 20 00 74 00 6f 00 20 00 63 00 6c 00 69 00 70 00 62 00 6f 00 61 00 72 00 64 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 00 00 00 00 00 00 00 00 ff ff ff ff ff fe ff 08 46 00 69 00 26 00 6c 00 74 00 65 00 72 00 73 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 04 00 01 80 ff ff ff ff 00 00 00 00 ff ff ff ff ff fe ff 05 26 00 42 00 6c 00 75

C:\Users\user\AppData\Local\Temp\AFX1D59450A.tmp unknown 2438 01 00 00 00 00 00 00 ...... success or wait 1 1406172F7 WriteFile 00 00 00 00 00 01 00 ...... W...... S.h.o.w. 00 00 01 00 00 00 00 .o.n.l.y. .i.s. .s.e.l.e.c.t. 00 00 00 00 00 00 00 e.d...... 01 00 00 00 00 00 01 ...... 80 57 9d 00 00 00 00 ...... 00 00 ff ff ff ff ff fe ff 15 ..X...... N.a.m.e. .o. 53 00 68 00 6f 00 77 n.l.y...... 00 20 00 6f 00 6e 00 ...... 6c 00 79 00 20 00 69 00 73 00 20 00 73 00 65 00 6c 00 65 00 63 00 74 00 65 00 64 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 00 00 00 00 00 00 04 00 ff ff ff ff ff fe ff 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 58 9d 00 00 00 00 00 00 ff ff ff ff ff fe ff 09 4e 00 61 00 6d 00 65 00 20 00 6f 00 6e 00 6c 00 79 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 00 00 00
C:\Users\user\AppData\Local\Temp\AFX450CAFF.tmp unknown 4095 00 20 00 00 01 00 00 . success or wait 1 1406172F7 WriteFile 00 09 00 ff ff 01 00 15 ...... CMFCToolBarMe 00 43 4d 46 43 54 6f nuButton...... &.F.i.l 6f 6c 42 61 72 4d 65 .e...... 6e 75 42 75 74 74 6f ...... &.O.p 6e 00 00 00 00 00 00 .e.n...... 00 00 ff ff ff ff ff fe ff ...... {...... 05 26 00 46 00 69 00 ...O.p.e.&.n. 6c 00 65 00 00 00 00 .C.D./.D.V.D.... 00 00 00 00 00 01 00 ...... 00 00 00 00 00 00 01 ...f...... 
00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 12 00 01 80 01 e1 00 00 00 00 00 00 00 00 00 00 ff fe ff 08 26 00 4f 00 70 00 65 00 6e 00 2e 00 2e 00 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 7b 9c 00 00 00 00 00 00 01 00 00 00 ff fe ff 0c 4f 00 70 00 65 00 26 00 6e 00 20 00 43 00 44 00 2f 00 44 00 56 00 44 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 66 9c 00 00 00 00 00 00 ff ff ff ff

C:\Users\user\AppData\Local\Temp\AFX450CAFF.tmp unknown 4094 00 00 00 00 00 00 00 ...... success or wait 1 1406172F7 WriteFile 00 00 00 00 00 01 00 ...... !...... S.h.o.w. 00 00 01 00 00 00 00 .&.O.v.e.r.l.a.y...... 00 00 00 00 00 00 00 ...... 01 00 00 00 00 00 01 ...... S.h.o.w. .P.a.t.i.e.n.t. 80 21 80 00 00 00 00 .&.I.n.f.o.r.m.a.t.i.o.n. 00 00 ff ff ff ff ff fe ff 0d ...... 53 00 68 00 6f 00 77 ...... m...... S.h.o.w. 00 20 00 26 00 4f 00 .&.m.e.a.s... 76 00 65 00 72 00 6c 00 61 00 79 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 e2 9c 00 00 00 00 00 00 ff ff ff ff ff fe ff 19 53 00 68 00 6f 00 77 00 20 00 50 00 61 00 74 00 69 00 65 00 6e 00 74 00 20 00 26 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 6d 9c 00 00 00 00 00 00 ff ff ff ff ff fe ff 1b 53 00 68 00 6f 00 77 00 20 00 26 00 6d 00 65 00 61 00 73 00 2e 00 20
C:\Users\user\AppData\Local\Temp\AFX450CAFF.tmp unknown 4096 00 00 00 00 01 00 00 ...... success or wait 1 1406172F7 WriteFile 00 00 00 01 80 00 00 ...... 00 00 00 00 04 00 ff ff ....c...... C.o.p.y. . ff ff ff fe ff 00 00 00 00 i.&.m.a.g.e. .t.o. .c.l.i.p.b. 00 00 00 00 00 00 00 o.a.r.d...... 00 00 01 00 00 00 01 ...... 00 00 00 00 00 00 00 F.i.&.l.t.e.r.s...... 00 00 00 00 01 00 00 ...... 00 00 00 01 80 63 9c ...... 
&.B.l.u 00 00 00 00 00 00 ff ff ff ff ff fe ff 18 43 00 6f 00 70 00 79 00 20 00 69 00 26 00 6d 00 61 00 67 00 65 00 20 00 74 00 6f 00 20 00 63 00 6c 00 69 00 70 00 62 00 6f 00 61 00 72 00 64 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 00 00 00 00 00 00 00 00 ff ff ff ff ff fe ff 08 46 00 69 00 26 00 6c 00 74 00 65 00 72 00 73 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 04 00 01 80 ff ff ff ff 00 00 00 00 ff ff ff ff ff fe ff 05 26 00 42 00 6c 00 75

C:\Users\user\AppData\Local\Temp\AFX450CAFF.tmp unknown 2438 01 00 00 00 00 00 00 ...... success or wait 1 1406172F7 WriteFile 00 00 00 00 00 01 00 ...... W...... S.h.o.w. 00 00 01 00 00 00 00 .o.n.l.y. .i.s. .s.e.l.e.c.t. 00 00 00 00 00 00 00 e.d...... 01 00 00 00 00 00 01 ...... 80 57 9d 00 00 00 00 ...... 00 00 ff ff ff ff ff fe ff 15 ..X...... N.a.m.e. .o. 53 00 68 00 6f 00 77 n.l.y...... 00 20 00 6f 00 6e 00 ...... 6c 00 79 00 20 00 69 00 73 00 20 00 73 00 65 00 6c 00 65 00 63 00 74 00 65 00 64 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 00 00 00 00 00 00 04 00 ff ff ff ff ff fe ff 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 58 9d 00 00 00 00 00 00 ff ff ff ff ff fe ff 09 4e 00 61 00 6d 00 65 00 20 00 6f 00 6e 00 6c 00 79 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 00 00 00
C:\Users\user\AppData\Local\Temp\AFX32F6DFEE.tmp unknown 3607 00 20 00 00 01 00 00 . success or wait 1 1406172F7 WriteFile 00 05 00 ff ff 01 00 15 ...... CMFCToolBarMe 00 43 4d 46 43 54 6f nuButton...... &.F.i.l 6f 6c 42 61 72 4d 65 .e...... 6e 75 42 75 74 74 6f ...... &.O.p 6e 00 00 00 00 00 00 .e.n...... C.t.r.l.+.O...... 00 00 ff ff ff ff ff fe ff ...... 05 26 00 46 00 69 00 {...... O.p.e.n. .&.C 6c 00 65 00 00 00 00 .D./.D.V.D...... 00 00 00 00 00 01 00 ...... 
00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 0b 00 01 80 01 e1 00 00 00 00 00 00 00 00 00 00 ff fe ff 0f 26 00 4f 00 70 00 65 00 6e 00 2e 00 2e 00 2e 00 09 00 43 00 74 00 72 00 6c 00 2b 00 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 80 7b 9c 00 00 00 00 00 00 01 00 00 00 ff fe ff 0c 4f 00 70 00 65 00 6e 00 20 00 26 00 43 00 44 00 2f 00 44 00 56 00 44 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Program Files\MicroDicom\settings\application.xml | unknown | 4096 | success or wait | 1 | 1407D5D7D | ReadFile
C:\Program Files\MicroDicom\settings\windowlevels.xml | unknown | 4096 | success or wait | 1 | 1407D5D7D | ReadFile
C:\Program Files\MicroDicom\settings\overlay.xml | unknown | 4096 | success or wait | 1 | 1407D5D7D | ReadFile
C:\Program Files\MicroDicom\settings\animations.xml | unknown | 4096 | success or wait | 1 | 1407D5D7D | ReadFile
C:\Program Files\MicroDicom\settings\exportImage.xml | unknown | 4096 | success or wait | 1 | 1407D5D7D | ReadFile
C:\Program Files\MicroDicom\settings\exportVideo.xml | unknown | 4096 | success or wait | 1 | 1407D5D7D | ReadFile

C:\Program Files\MicroDicom\settings\exportDicom.xml | unknown | 4096 | success or wait | 1 | 1407D5D7D | ReadFile
C:\Program Files\MicroDicom\settings\annotation.xml | unknown | 4096 | success or wait | 1 | 1407D5D7D | ReadFile
C:\Program Files\MicroDicom\settings\overlay_st.xml | unknown | 4096 | success or wait | 1 | 1407D5D7D | ReadFile
C:\Program Files\MicroDicom\settings\print.xml | unknown | 4096 | success or wait | 1 | 1407D5D7D | ReadFile
C:\Users\user\AppData\Local\Temp\AFX32F6DFEE.tmp | unknown | 4096 | success or wait | 1 | 14061713F | ReadFile

Registry Activities

Key Created

Source Key Path | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\Software\MicroDicom | success or wait | 1 | 14067ABC6 | RegCreateKeyExW
HKEY_CURRENT_USER\Software\MicroDicom\Recent File List | success or wait | 1 | 14067B1BF | RegCreateKeyExW
HKEY_CURRENT_USER\Software\MicroDicom\Settings | success or wait | 1 | 14067B1BF | RegCreateKeyExW
HKEY_CURRENT_USER\SOFTWARE\MicroDicom\Workspace | success or wait | 1 | 1406182F2 | RegCreateKeyExW
HKEY_CURRENT_USER\Software\MicroDicom\Workspace\ControlBars-Summary | success or wait | 1 | 14067B1BF | RegCreateKeyExW

Key Value Created

Source Key Path | Name | Type | Data | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\Software\MicroDicom\Workspace | ApplicationLook | dword | 174 | success or wait | 1 | 1406AAA44 | RegSetValueExW

Key Value Modified

Source Key Path | Name | Type | Old Data | New Data | Completion | Count | Address | Symbol
HKEY_CURRENT_USER_Classes\.zip\OpenWithList\mDicom.exe | NULL | unicode | | | success or wait | 1 | 140618214 | RegSetValueW
HKEY_CURRENT_USER_Classes\.dmz\OpenWithList\mDicom.exe | NULL | unicode | | | success or wait | 1 | 140618214 | RegSetValueW
HKEY_CURRENT_USER_Classes\.dcm | NULL | unicode | | | success or wait | 1 | 140618214 | RegSetValueW
HKEY_CURRENT_USER_Classes\.dcm | NULL | unicode | | MicroDicom.Application | success or wait | 1 | 140618214 | RegSetValueW
HKEY_CURRENT_USER_Classes\.dcm30 | NULL | unicode | | | success or wait | 1 | 140618214 | RegSetValueW
HKEY_CURRENT_USER_Classes\.dcm30 | NULL | unicode | | MicroDicom.Application | success or wait | 1 | 140618214 | RegSetValueW

Disassembly

Code Analysis
