ID: 286248 Sample Name: ev2r1pIrDU Cookbook: default.jbs Time: 11:06:15 Date: 16/09/2020 Version: 30.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report ev2r1pIrDU 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
  Startup 5
  Malware Configuration 5
  Yara Overview 5
  Sigma Overview 5
  Signature Overview 6
    AV Detection: 6
    Spreading: 6
    Persistence and Installation Behavior: 6
  Mitre Att&ck Matrix 6
  Behavior Graph 7
  Screenshots 7
    Thumbnails 7
  Antivirus, Machine Learning and Genetic Malware Detection 9
    Initial Sample 9
    Dropped Files 9
    Unpacked PE Files 9
    Domains 10
    URLs 10
  Domains and IPs 10
    Contacted Domains 10
    URLs from Memory and Binaries 10
    Contacted IPs 10
  General Information 10
  Simulations 11
    Behavior and APIs 11
  Joe Sandbox View / Context 11
    IPs 11
    Domains 11
    ASN 11
    JA3 Fingerprints 11
    Dropped Files 11
  Created / dropped Files 12
  Static File Info 13
    General 13
    File Icon 14
    Static PE Info 14
      General 14
      Entrypoint Preview 14
      Rich Headers 15
      Data Directories 15
      Sections 15
      Imports 15
  Network Behavior 16
  Code Manipulations 16
  Statistics 16
    Behavior 16
  System Behavior 16
    Analysis Process: ev2r1pIrDU.exe PID: 6524 Parent PID: 5924 16
      General 16
      File Activities 17
        File Written 17
        File Read 25
    Analysis Process: conhost.exe PID: 4100 Parent PID: 6524 34
      General 34
  Disassembly 34
    Code Analysis 34

Copyright null 2020 Page 2 of 34

Analysis Report ev2r1pIrDU

Overview

General Information

Sample Name: ev2r1pIrDU (renamed file extension from none to exe)
Analysis ID: 286248
MD5: bf0e8f99c940dae…
SHA1: cba8839d75adc4…
SHA256: 748513446c0e14…
Most interesting Screenshot: (image not reproduced)

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for sub…
Antivirus detection for dropped file
Multi AV Scanner detection for subm…
Infects executable files (exe, dll, sys…
Machine Learning detection for dropp…
Machine Learning detection for sam…
AV process strings found (often use…
Abnormal high CPU Usage
Antivirus or Machine Learning detec…
Drops PE files
Drops PE files to the windows direct…
Found a high number of Window / Us…
Found dropped PE file which has no…
May sleep (evasive loops) to hinder …
May use bcdedit to modify the Wind…
Sample execution stops while proce…
Sample file is different than original

Classification

(radar chart, not reproduced; chart categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious, suspicious, clean)

Startup

System is w10x64
ev2r1pIrDU.exe (PID: 6524 cmdline: 'C:\Users\user\Desktop\ev2r1pIrDU.exe' MD5: BF0E8F99C940DAE621F377CFA77A0B4C)
  conhost.exe (PID: 4100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Cryptography
• Spreading
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• HIPS / PFW / Protection Evasion
• Lowering of HIPS / PFW / Operating System Security

AV Detection:

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Machine Learning detection for dropped file

Machine Learning detection for sample

Spreading:

Infects executable files (exe, dll, sys, html)

Persistence and Installation Behavior:

Infects executable files (exe, dll, sys, html)

Mitre Att&ck Matrix

The matrix is listed here by tactic column. Techniques followed by a number are the ones the report flagged; the number is the match count shown in the matrix.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Command and Scripting Interpreter 2, Scheduled Task/Job, At (Linux), At (Windows), Cron
Persistence: Bootkit 1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection 2, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Masquerading 1, Bootkit 1, Virtualization/Sandbox Evasion 1, Software Packing 1, Process Injection 2
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery 1 1, Virtualization/Sandbox Evasion 1, Process Discovery 1, Application Window Discovery 1, System Information Discovery 1
Lateral Movement: Taint Shared Content 1, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Archive Collected Data 1, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups

Behavior Graph

(The behavior graph is an image; only its labels survive extraction.)

Graph header: ID: 286248, Sample: ev2r1pIrDU, Startdate: 16/09/2020, Architecture: WINDOWS, Score: 76

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Nodes:
  ev2r1pIrDU.exe (C, C++ or other language; 1 created file count shown)
    signatures: Antivirus / Scanner detection for submitted sample; Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 2 other signatures
    dropped: C:\Windows\SysWOW64\wget.exe, PE32; C:\Windows\SysWOW64\unarchiver.exe, PE32; C:\Windows\SysWOW64\FlashPlayerApp.exe, PE32; C:\Windows\SysWOW64\7za.exe, PE32
    started: conhost.exe
  Signature node: Infects executable files (exe, dll, sys, html)

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

(thumbnail images not reproduced)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
ev2r1pIrDU.exe | 84% | Virustotal |
ev2r1pIrDU.exe | 93% | ReversingLabs | Win32.Virus.Memery
ev2r1pIrDU.exe | 100% | Avira | PUA/ICLoader.uzeg
ev2r1pIrDU.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Windows\SysWOW64\FlashPlayerApp.exe | 100% | Avira | PUA/ICLoader.uzeg
C:\Windows\SysWOW64\wget.exe | 100% | Avira | PUA/ICLoader.uzeg
C:\Windows\SysWOW64\7za.exe | 100% | Avira | PUA/ICLoader.uzeg
C:\Windows\SysWOW64\unarchiver.exe | 100% | Avira | PUA/ICLoader.uzeg
C:\Windows\SysWOW64\FlashPlayerApp.exe | 100% | Joe Sandbox ML |
C:\Windows\SysWOW64\wget.exe | 100% | Joe Sandbox ML |
C:\Windows\SysWOW64\7za.exe | 100% | Joe Sandbox ML |
C:\Windows\SysWOW64\unarchiver.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.ev2r1pIrDU.exe.400000.0.unpack | 100% | Avira | PUA/ICLoader.uzeg

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
www.metalinker.org/typedynamicoriginurn:ietf:params:xml:ns:metalinktagsidentityfilesfilenames | 0% | Avira URL Cloud | safe
www.metalinker.org/ | 0% | Virustotal |
www.metalinker.org/ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
www.gnu.org/licenses/gpl.html | wget.exe.0.dr | false | | high
netpreserve.org/warc/1.0/revisit/identical-payload-digest | wget.exe.0.dr | false | | high
www.metalinker.org/typedynamicoriginurn:ietf:params:xml:ns:metalinktagsidentityfilesfilenames | wget.exe.0.dr | false | Avira URL Cloud: safe | unknown
www.metalinker.org/ | wget.exe.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.openssl.org/docs/faq.html | wget.exe.0.dr | false | | high
netpreserve.org/warc/1.0/revisit/identical-payload-digestWARC-ProfilelengthWARC-Truncatedappl | wget.exe.0.dr | false | | high
bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf | wget.exe.0.dr | false | | high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 30.0.0 Red Diamond
Analysis ID: 286248
Start date: 16.09.2020
Start time: 11:06:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ev2r1pIrDU (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: w10x64 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.spre.winEXE@2/5@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:
  Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe
  Report size getting too big, too many NtAllocateVirtualMemory calls found.
  Report size getting too big, too many NtCreateFile calls found.
  Report size getting too big, too many NtOpenFile calls found.
  Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  Report size getting too big, too many NtReadFile calls found.
  Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Windows\SysWOW64\7za.exe

Process: C:\Users\user\Desktop\ev2r1pIrDU.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Size (bytes): 36687530
Entropy (8bit): 5.702179935136307
Encrypted: false
MD5: 33ACEFCB932F32D9B86699F667304D83
SHA1: 318AD3CDB429411710A1A0A50ED0A3E45A876A91
SHA-256: 2538286A48D9D6785B717CDD41D88CA20876CD28DACC9540456056227E9330F2
SHA-512: F8CC0C53BF3001B8A5A1B9A0CB1ED954E832FE0AC8135476CB0F995DC2F62E176EB50955F694A6A2AE95111B1BD22CF188EAAE4D1CFC1265D15991CE83791D91
Malicious: true
Antivirus: Avira, Detection: 100%
Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... <"#.]Lp.]Lp.]Lp.{Gp.]Lp0ABp.]Lp.{Fp.]Lp.B_p.]Lp.]Mp.]Lp[BGp.]LpRich.]Lp...... PE..L...... Q...... `...P...... X...... p....@...... t..(...... text....\...... `...... `.rdata..J....p...... p...... @[email protected]....>...... 0...... @......

C:\Windows\SysWOW64\FlashPlayerApp.exe

Process: C:\Users\user\Desktop\ev2r1pIrDU.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Size (bytes): 37778074
Entropy (8bit): 5.767879324968799
Encrypted: false
MD5: B7950C88D69066987D49FE0139C6B990
SHA1: 185D8E39131C4C04072FAFA2D4C3271CC18BE2D0
SHA-256: CE0F4289FEDA0969B9D6230B85B9BED4ACB25026520478AAC9B69C53BD8C162F
SHA-512: 319CDDF1BBB26E0EB83ED21215C6D9496DEE79C6E4D93BE056B728C86F32478AC199E49179CB8B5D99F31092BD6C551E64CB51AE58F2E7C45C66AF361B703046
Malicious: true
Antivirus: Avira, Detection: 100%
Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... <"#.]Lp.]Lp.]Lp.{Gp.]Lp0ABp.]Lp.{Fp.]Lp.B_p.]Lp.]Mp.]Lp[BGp.]LpRich.]Lp...... PE..L...... Q...... `...P...... X...... p....@...... t..(...... text....\...... `...... `.rdata..J....p...... p...... @[email protected]....>...... 0...... @......

C:\Windows\SysWOW64\unarchiver.exe

Process: C:\Users\user\Desktop\ev2r1pIrDU.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Size (bytes): 36128426
Entropy (8bit): 5.684301295785269
Encrypted: false
MD5: 0937CDC3E1323C1D820DEC8BF5BFB051
SHA1: 16D0619C7240AC8DE67EFA8C26EBD43495E3A16D
SHA-256: 62B0202D4821E5D69F37477ADA2C74A39DA76DB412E9D48F9CA9C426E993B700
SHA-512: EF97CDA05C72771ECF937D667F9DDCBD3ED07DA6543244BAFE1D686444FA7DF3A6C107B1E47681B56E95143EF07651D0D03ACCC70F3C3CB2A30B4D984F0971C8
Malicious: true
Antivirus: Avira, Detection: 100%
Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... <"#.]Lp.]Lp.]Lp.{Gp.]Lp0ABp.]Lp.{Fp.]Lp.B_p.]Lp.]Mp.]Lp[BGp.]LpRich.]Lp...... PE..L...... Q...... `...P...... X...... p....@...... t..(...... text....\...... `...... `.rdata..J....p...... p...... @[email protected]....>...... 0...... @......

C:\Windows\SysWOW64\wget.exe

Process: C:\Users\user\Desktop\ev2r1pIrDU.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Size (bytes): 43898314
Entropy (8bit): 5.903753238352538
Encrypted: false
MD5: 6A34F3AE17B909EE39165EC58240814F
SHA1: 96D207D3199F37941D45E34C5F28382CE748487F
SHA-256: DB99AEDC2E80EA9A5DEAF3195F520BADEE1DB20573CA1D1471C3ECC5976280C2
SHA-512: C91E7B0A404069EF449AC8B8B6B7DD3084087DEBBA8857E74130495E1AA3AE2F7AFA8878D532215444D528FB6AD8BC736FCE6A5B131AA20A9AF44A5ECF436F27
Malicious: true
Antivirus: Avira, Detection: 100%
Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... <"#.]Lp.]Lp.]Lp.{Gp.]Lp0ABp.]Lp.{Fp.]Lp.B_p.]Lp.]Mp.]Lp[BGp.]LpRich.]Lp...... PE..L...... Q...... `...P...... X...... p....@...... t..(...... text....\...... `...... `.rdata..J....p...... p...... @[email protected]....>...... 0...... @......

\Device\ConDrv

Process: C:\Users\user\Desktop\ev2r1pIrDU.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 218005
Entropy (8bit): 5.210625126461684
Encrypted: false
MD5: 906896552D5176F0FDC37B7DCDE19B72
SHA1: CBED38D8A59615EC323692E98836FC012D39CF5F
SHA-256: 0D84EE0A6EE13FE12626CD11BB205BBE7620DDFB11D25EEFD9F303C5EC716D4E
SHA-512: FDE5DCAFEBAFEA66850FED32285DA288E03EE839BD362EFCAA3FFB67C132FD94D80589538F63AB3C21028C834E9A78AB42713755CC506B0374E0DF35194BF36A
Malicious: false
Reputation: low
Preview: infect C:\\Windows\bfsvc.exe..infect C:\\Windows\Boot\PCAT\memtest.exe..infect C:\\Windows\explorer.exe..infect C:\\Windows\HelpPane.exe..infect C:\\Windows\hh.exe..infect C:\\Windows\InfusedApps\Packages\.BingWeather_4.22.3254.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe..infect C:\\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.12271.0_x64__8wekyb3d8bbwe\AppInstaller.exe..infect C:\\Windows\InfusedApps\Packages\Microsoft.GetHelp_10.1706.10441.0_x64__8wekyb3d8bbwe\GetHelp.exe..infect C:\\Windows\InfusedApps\Packages\Microsoft.Getstarted_6.9.10602.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe..infect C:\\Windows\InfusedApps\Packages\Microsoft.Messaging_3.38.22001.0_x64__8wekyb3d8bbwe\MessagingApplication.exe..infect C:\\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_2.1803.8022.0_x64__8wekyb3d8bbwe\3DViewer.exe..infect C:\\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_2.1803.8022.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe..infect C:\\Wind

Static File Info

General

File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 5.6843068214495975
TrID:
  Win32 Executable (generic) Net Framework (10011505/4) 49.10%
  Win32 Executable (generic) a (10002005/4) 49.05%
  DirectShow filter (201580/2) 0.99%
  Windows ActiveX control (116523/4) 0.57%
  InstallShield setup (43055/19) 0.21%
File name: ev2r1pIrDU.exe
File size: 12035982
MD5: bf0e8f99c940dae621f377cfa77a0b4c
SHA1: cba8839d75adc470ffe4d31e5c2b5e4ec5143de5
SHA256: 748513446c0e14dfee79bbcb17cbc400c4a86689b5e04d50bdb09906fd5530b8
SHA512: 64036a65a045904f00788ca64d3b0fb29a6509334943670941a93c7006d88fa3a642597f738609c2c20822461eb998965f52ea7994ef2b02f98eaffd9f97a422
SSDEEP: 196608:VvDllxhTCbiPS+ibwvDllxhTCbiPS+ib:VvDll3Tq+lvDll3Tq+
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... <"#.]Lp.]Lp.]Lp.{Gp.]Lp0ABp.]Lp.{Fp.]Lp.B_p.]Lp.]Mp.]Lp[BGp.]LpRich.]Lp...... PE..L...... Q...... `...P...... X......

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x401d58
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x51D3EFDB [Wed Jul 3 09:33:15 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 4eb74da984c1782f3400d02f16f3250d

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004070D0h
push 00404E6Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00407030h]
xor edx, edx
mov dl, ah
mov dword ptr [0040A97Ch], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0040A978h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0040A974h], ecx
shr eax, 10h
mov dword ptr [0040A970h], eax
push 00000000h
call 00007F02F4C88BC4h
pop ecx
test eax, eax
jne 00007F02F4C8778Ah
push 0000001Ch
call 00007F02F4C8781Fh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007F02F4C89B1Ah
call dword ptr [0040702Ch]
mov dword ptr [0040BEA4h], eax
call 00007F02F4C8A5E9h
mov dword ptr [0040A9B0h], eax
call 00007F02F4C8A392h
call 00007F02F4C8A2D4h
call 00007F02F4C86EA5h
mov eax, dword ptr [0040A98Ch]
mov dword ptr [0040A990h], eax
push eax
push dword ptr [0040A984h]
push dword ptr [0040A980h]
call 00007F02F4C86D99h
add esp, 0Ch
mov dword ptr [ebp-1Ch], eax
push eax
call 00007F02F4C86EAAh
mov eax, dword ptr [ebp-14h]
mov ecx, dword ptr [eax]
mov ecx, dword ptr [ecx]

Rich Headers

Programming Language:
  [C++] VS98 (6.0) SP6 build 8804
  [C++] VS98 (6.0) build 8168
  [ C ] VS98 (6.0) SP6 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74dc | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5cae | 0x6000 | False | 0.628784179688 | data | 6.52822766441 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x94a | 0x1000 | False | 0.262939453125 | data | 3.28285155829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x8000 | 0x3ebc | 0x3000 | False | 0.0575358072917 | data | 0.594503090078 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL: KERNEL32.DLL
Import: Sleep, FindClose, FindNextFileA, FindFirstFileA, GetModuleFileNameA, GetLogicalDriveStringsA, ExitProcess, TerminateProcess, GetCurrentProcess, HeapAlloc, HeapFree, GetCommandLineA, GetVersion, GetLastError, CloseHandle, ReadFile, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, SetFilePointer, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, WriteFile, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, RtlUnwind, SetStdHandle, FlushFileBuffers, CreateFileA, GetCPInfo, GetACP, GetOEMCP, GetProcAddress, LoadLibraryA, SetEndOfFile, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• ev2r1pIrDU.exe
• conhost.exe

System Behavior

Analysis Process: ev2r1pIrDU.exe PID: 6524 Parent PID: 5924

General

Start time: 11:07:03
Start date: 16/09/2020
Path: C:\Users\user\Desktop\ev2r1pIrDU.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\ev2r1pIrDU.exe'
Imagebase: 0x400000
File size: 12035982 bytes
MD5 hash: BF0E8F99C940DAE621F377CFA77A0B4C
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol \Device\ConDrv unknown 30 69 6e 66 65 63 74 20 infect success or wait 2124 4046E7 WriteFile 43 3a 5c 5c 57 69 6e C:\\Windows\bfsvc.exe.. 64 6f 77 73 5c 62 66 73 76 63 2e 65 78 65 0d 0a C:\Windows\SysWOW64\7za.exe unknown 12034048 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 2 40474C WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... 00 00 00 00 00 00 00 <"#.]Lp.]Lp.]Lp.{Gp.] 00 00 00 00 00 00 00 Lp0ABp.]Lp. 00 00 00 00 00 00 00 {Fp.]Lp.B_p.]Lp.]Mp 00 00 00 d0 00 00 00 .]Lp[BGp.]LpRich.]Lp...... 0e 1f ba 0e 00 b4 09 PE..L...... Q...... `.. cd 21 b8 01 4c cd 21 .P...... X...... 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f7 3c 22 23 b3 5d 4c 70 b3 5d 4c 70 b3 5d 4c 70 85 7b 47 70 b2 5d 4c 70 30 41 42 70 bd 5d 4c 70 85 7b 46 70 8f 5d 4c 70 d1 42 5f 70 b0 5d 4c 70 b3 5d 4d 70 87 5d 4c 70 5b 42 47 70 b1 5d 4c 70 52 69 63 68 b3 5d 4c 70 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 db ef d3 51 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 00 00 00 50 00 00 00 00 00 00 58 1d 00 00 00 10 00

Copyright null 2020 Page 17 of 34 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Windows\SysWOW64\7za.exe unknown 4096 00 00 a1 00 46 69 6e ....FindNextFileA...GetCon success or wait 2 40474C WriteFile 64 4e 65 78 74 46 69 sole 6c 65 41 00 ed 00 47 Mode...... GetConsoleScre 65 74 43 6f 6e 73 6f enBuff 6c 65 4d 6f 64 65 00 erInfo...... GetCurrentProce 00 00 00 ef 00 47 65 ss. 74 43 6f 6e 73 6f 6c ..GetDriveTypeA...GetFile 65 53 63 72 65 65 6e Attri 42 75 66 66 65 72 49 butesA...... GetFileTime..... 6e 66 6f 00 00 00 00 Ge f8 00 47 65 74 43 75 tFullPathNameA....GetLast 72 72 65 6e 74 50 72 Error 6f 63 65 73 73 00 05 ....GetLocaleInfoA....B.Get 01 47 65 74 44 72 69 Pro 76 65 54 79 70 65 41 cessHeap....U.GetStdHan 00 0f 01 47 65 74 46 dle..t.GetTimeZoneInfo 69 6c 65 41 74 74 72 69 62 75 74 65 73 41 00 00 00 00 16 01 47 65 74 46 69 6c 65 54 69 6d 65 00 00 00 18 01 47 65 74 46 75 6c 6c 50 61 74 68 4e 61 6d 65 41 00 00 1c 01 47 65 74 4c 61 73 74 45 72 72 6f 72 00 00 1e 01 47 65 74 4c 6f 63 61 6c 65 49 6e 66 6f 41 00 00 00 00 42 01 47 65 74 50 72 6f 63 65 73 73 48 65 61 70 00 00 00 00 55 01 47 65 74 53 74 64 48 61 6e 64 6c 65 00 00 74 01 47 65 74 54 69 6d 65 5a 6f 6e 65 49 6e 66 6f C:\Windows\SysWOW64\7za.exe unknown 286720 10 89 5d f0 39 58 04 ..].9X.va.E..M.9^....<.}:....C success or wait 2 40474C WriteFile 76 61 8b 45 10 8b 4d ...... t..F..F..*9_.t...f.8- f0 39 5e 10 8b 00 8b u..u....u.W...... t,..W.N..>. 3c 88 7d 3a 8b 15 10 ...E..E..M.;H.r....M._^[d..... 82 43 00 8b 0f e8 99 ...... M.W.P...2.....3....H..H. 0b 00 00 84 c0 74 08 .H....>C...!..QV..j..1...Y...M 8b 46 08 89 46 10 eb .3.;[email protected]...... 2a 39 5f 04 74 1c 8b .M.^d...... C ..U.... 07 66 83 38 2d 75 14 .V3.W.....r!Sj. 
ff 75 0c 8b ce ff 75 08 57 e8 9f fd ff ff 84 c0 74 2c eb 09 57 8d 4e 04 e8 3e 00 00 00 ff 45 f0 8b 45 10 8b 4d f0 3b 48 04 72 9f b0 01 8b 4d f4 5f 5e 5b 64 89 0d 00 00 00 00 c9 c2 0c 00 8b 4d ec 57 e8 50 15 00 00 32 c0 eb e2 8b c1 33 c9 88 08 89 48 08 89 48 0c 89 48 10 c3 b8 92 3e 43 00 e8 da 21 03 00 51 56 8b f1 6a 0c e8 31 05 00 00 59 8b c8 89 4d f0 33 c0 3b c8 89 45 fc 74 08 ff 75 08 e8 40 14 00 00 83 4d fc ff 50 8b ce e8 9b 86 01 00 8b 4d f4 5e 64 89 0d 00 00 00 00 c9 c2 04 00 e9 00 00 00 00 e9 43 20 03 00 55 8b ec 83 ec 10 56 33 f6 57 83 f9 0a 8b fa 72 21 53 6a 0a

Copyright null 2020 Page 18 of 34 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Windows\SysWOW64\7za.exe unknown 910 00 00 00 00 00 00 00 ...... success or wait 2 40474C WriteFile 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C:\Windows\SysWOW64\FlashPlayerApp.exe unknown 12034048 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 2 40474C WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... 00 00 00 00 00 00 00 <"#.]Lp.]Lp.]Lp.{Gp.] 00 00 00 00 00 00 00 Lp0ABp.]Lp. 00 00 00 00 00 00 00 {Fp.]Lp.B_p.]Lp.]Mp 00 00 00 d0 00 00 00 .]Lp[BGp.]LpRich.]Lp...... 0e 1f ba 0e 00 b4 09 PE..L...... Q...... `.. cd 21 b8 01 4c cd 21 .P...... X...... 
54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f7 3c 22 23 b3 5d 4c 70 b3 5d 4c 70 b3 5d 4c 70 85 7b 47 70 b2 5d 4c 70 30 41 42 70 bd 5d 4c 70 85 7b 46 70 8f 5d 4c 70 d1 42 5f 70 b0 5d 4c 70 b3 5d 4d 70 87 5d 4c 70 5b 42 47 70 b1 5d 4c 70 52 69 63 68 b3 5d 4c 70 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 db ef d3 51 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 00 00 00 50 00 00 00 00 00 00 58 1d 00 00 00 10 00

Copyright null 2020 Page 19 of 34 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Windows\SysWOW64\FlashPlayerApp.exe unknown 4096 00 00 a1 00 46 69 6e ....FindNextFileA...GetCon success or wait 2 40474C WriteFile 64 4e 65 78 74 46 69 sole 6c 65 41 00 ed 00 47 Mode...... GetConsoleScre 65 74 43 6f 6e 73 6f enBuff 6c 65 4d 6f 64 65 00 erInfo...... GetCurrentProce 00 00 00 ef 00 47 65 ss. 74 43 6f 6e 73 6f 6c ..GetDriveTypeA...GetFile 65 53 63 72 65 65 6e Attri 42 75 66 66 65 72 49 butesA...... GetFileTime..... 6e 66 6f 00 00 00 00 Ge f8 00 47 65 74 43 75 tFullPathNameA....GetLast 72 72 65 6e 74 50 72 Error 6f 63 65 73 73 00 05 ....GetLocaleInfoA....B.Get 01 47 65 74 44 72 69 Pro 76 65 54 79 70 65 41 cessHeap....U.GetStdHan 00 0f 01 47 65 74 46 dle..t.GetTimeZoneInfo 69 6c 65 41 74 74 72 69 62 75 74 65 73 41 00 00 00 00 16 01 47 65 74 46 69 6c 65 54 69 6d 65 00 00 00 18 01 47 65 74 46 75 6c 6c 50 61 74 68 4e 61 6d 65 41 00 00 1c 01 47 65 74 4c 61 73 74 45 72 72 6f 72 00 00 1e 01 47 65 74 4c 6f 63 61 6c 65 49 6e 66 6f 41 00 00 00 00 42 01 47 65 74 50 72 6f 63 65 73 73 48 65 61 70 00 00 00 00 55 01 47 65 74 53 74 64 48 61 6e 64 6c 65 00 00 74 01 47 65 74 54 69 6d 65 5a 6f 6e 65 49 6e 66 6f C:\Windows\SysWOW64\FlashPlayerApp.exe unknown 831488 46 84 c0 75 f9 2b f1 F..u.+...3..F.P...... t.. success or wait 2 40474C WriteFile eb 02 33 f6 8d 46 01 .t.VSW...... 7....J...B..u. 50 e8 e3 97 01 00 8b +...... t...9

C:\Windows\SysWOW64\FlashPlayerApp.exe | unknown | 1414 | success or wait | 2 | 40474C | WriteFile
Value: DER-encoded X.509 data. Decoded: a GeneralNames SEQUENCE holding one directoryName ([4]) with the RDNs C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=AOC, OU=nCipher NTS ESN:2665-4C3F-C5DE, CN=Microsoft Time Source Master Clock; then an AlgorithmIdentifier 1.2.840.113549.1.1.5 (sha1WithRSAEncryption); an INTEGER 00 de 6c 7a 01; a SEQUENCE of two GeneralizedTime values, 20180402094433Z and 20180403094433Z; and the start of a further SEQUENCE (30 77 30 3d). That field order (issuer GeneralNames, signature algorithm, serial number, GeneralizedTime validity period, attributes) is the layout of an X.509 attribute certificate (RFC 5755).
Hex as printed: 30 81 be a4 81 bb 30 81 b8 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 0c 30 0a 06 03 55 04 0b 13 03 41 4f 43 31 27 30 25 06 03 55 04 0b 13 1e 6e 43 69 70 68 65 72 20 4e 54 53 20 45 53 4e 3a 32 36 36 35 2d 34 43 33 46 2d 43 35 44 45 31 2b 30 29 06 03 55 04 03 13 22 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 20 53 6f 75 72 63 65 20 4d 61 73 74 65 72 20 43 6c 6f 63 6b 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 02 05 00 de 6c 7a 01 30 22 18 0f 32 30 31 38 30 34 30 32 30 39 34 34 33 33 5a 18 0f 32 30 31 38 30 34 30 33 30 39 34 34 33 33 5a 30 77 30 3d

C:\Windows\SysWOW64\unarchiver.exe | unknown | 12034048 | success or wait | 2 | 40474C | WriteFile
Value: the same 255-byte MZ/PE header prefix as in the 12034048-byte write to C:\Windows\SysWOW64\FlashPlayerApp.exe above, byte for byte (e_lfanew 0xD0, Rich header at 0x80, "PE\0\0" at 0xD0, Machine 0x014C, 3 sections, TimeDateStamp 0x51D3EFDB, PE32, linker 6.0, AddressOfEntryPoint 0x1D58).

C:\Windows\SysWOW64\unarchiver.exe | unknown | 4096 | success or wait | 2 | 40474C | WriteFile
Value: the same import hint/name strings as in the 4096-byte write to C:\Windows\SysWOW64\FlashPlayerApp.exe above, byte for byte (FindNextFileA, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentProcess, GetDriveTypeA, GetFileAttributesA, GetFileTime, GetFullPathNameA, GetLastError, GetLocaleInfoA, GetProcessHeap, GetStdHandle, GetTimeZoneInfo...).

C:\Windows\SysWOW64\unarchiver.exe | unknown | 4096 | success or wait | 2 | 40474C | WriteFile
Value: .NET CIL method bodies. Decoded: the tail of a method (callvirt 0A000013; call 0A00000E; call 06000001; leave.s; ret) with a small exception-handling section holding one catch clause (class token 01000015); then two 39-byte methods with identical fat headers (flags 0x3013, MaxStack 2, CodeSize 0x27, LocalVarSigTok 0x11000002) whose IL is nop; ldarg.1; callvirt 0A000039; ldnull; ceq; stloc.0; ldloc.0; brfalse.s (to the ret); nop; ldstr 7000043A (second method: 70000474); ldarg.1; callvirt 0A000039; call 0A00000E; call 06000001; nop; nop; ret; then a 51-byte method (flags 0x301B, CodeSize 0x33, LocalVarSigTok 0x11000006) that runs call 0A00003A; stloc.1; ldloc.1; newobj 0A00003B; stloc.2; ldloc.2; ldc.i4 0x220; callvirt 0A00003C; stloc.0 inside a try block with two catch clauses (class tokens 0100002B and 01000015); and the header of a further method (CodeSize 0x1E, LocalVarSigTok 0x11000007) whose IL starts with nop and a call whose token begins 3d 00 00 (last byte cut off by the report).
Hex as printed: 04 00 70 08 6f 13 00 00 0a 28 0e 00 00 0a 28 01 00 00 06 00 00 de 00 00 2a 00 01 10 00 00 00 00 01 00 ad ae 00 1b 15 00 00 01 13 30 02 00 27 00 00 00 02 00 00 11 00 03 6f 39 00 00 0a 14 fe 01 0a 06 2d 18 00 72 3a 04 00 70 03 6f 39 00 00 0a 28 0e 00 00 0a 28 01 00 00 06 00 00 2a 00 13 30 02 00 27 00 00 00 02 00 00 11 00 03 6f 39 00 00 0a 14 fe 01 0a 06 2d 18 00 72 74 04 00 70 03 6f 39 00 00 0a 28 0e 00 00 0a 28 01 00 00 06 00 00 2a 00 1b 30 02 00 33 00 00 00 06 00 00 11 00 00 28 3a 00 00 0a 0b 07 73 3b 00 00 0a 0c 08 20 20 02 00 00 6f 3c 00 00 0a 0a 00 de 0e 26 00 16 0a 00 de 07 26 00 16 0a 00 de 00 00 06 0d 2b 00 09 2a 00 01 1c 00 00 00 00 01 00 1d 1e 00 07 2b 00 00 01 00 00 01 00 1d 25 00 07 15 00 00 01 13 30 02 00 1e 00 00 00 07 00 00 11 00 28 3d 00 00

C:\Windows\SysWOW64\unarchiver.exe | unknown | 3982 | success or wait | 2 | 40474C | WriteFile
Value: UTF-16LE text in the layout of a .NET #US (user string) heap, where each entry is a length byte, the UTF-16LE characters and one trailing flag byte. Decoded, in order: the tail of a string ending in indows\System32\7za.exe (its start lies before the dump), "Unpack: ", "Tmp dir: ", 'x -pinfected -y -o"' (flag byte 01), '" "', '"', "Get files", "*.*", "Nbr of files: ", ".", "Found interesting file: ", an empty string, and the first characters "Fi" of a 15-character string cut off by the report. The x -p... -y -o"... fragment is 7-Zip command-line syntax (x = extract with paths, -p = archive password, -y = assume yes, -o = output directory).
Hex as printed: 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 37 00 7a 00 61 00 2e 00 65 00 78 00 65 00 00 11 55 00 6e 00 70 00 61 00 63 00 6b 00 3a 00 20 00 00 13 54 00 6d 00 70 00 20 00 64 00 69 00 72 00 3a 00 20 00 00 27 78 00 20 00 2d 00 70 00 69 00 6e 00 66 00 65 00 63 00 74 00 65 00 64 00 20 00 2d 00 79 00 20 00 2d 00 6f 00 22 00 01 07 22 00 20 00 22 00 00 03 22 00 00 13 47 00 65 00 74 00 20 00 66 00 69 00 6c 00 65 00 73 00 00 07 2a 00 2e 00 2a 00 00 1d 4e 00 62 00 72 00 20 00 6f 00 66 00 20 00 66 00 69 00 6c 00 65 00 73 00 3a 00 20 00 00 03 2e 00 00 31 46 00 6f 00 75 00 6e 00 64 00 20 00 69 00 6e 00 74 00 65 00 72 00 65 00 73 00 74 00 69 00 6e 00 67 00 20 00 66 00 69 00 6c 00 65 00 3a 00 20 00 00 01 00 1f 46 00 69

C:\Windows\SysWOW64\wget.exe | unknown | 12034048 | success or wait | 2 | 40474C | WriteFile
Value: the same 255-byte MZ/PE header prefix as in the 12034048-byte write to C:\Windows\SysWOW64\FlashPlayerApp.exe above, byte for byte (e_lfanew 0xD0, Rich header at 0x80, "PE\0\0" at 0xD0, Machine 0x014C, 3 sections, TimeDateStamp 0x51D3EFDB, PE32, linker 6.0, AddressOfEntryPoint 0x1D58).

C:\Windows\SysWOW64\wget.exe | unknown | 4096 | success or wait | 2 | 40474C | WriteFile
Value: the same import hint/name strings as in the 4096-byte write to C:\Windows\SysWOW64\FlashPlayerApp.exe above, byte for byte (FindNextFileA, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentProcess, GetDriveTypeA, GetFileAttributesA, GetFileTime, GetFullPathNameA, GetLastError, GetLocaleInfoA, GetProcessHeap, GetStdHandle, GetTimeZoneInfo...).

C:\Windows\SysWOW64\wget.exe | unknown | 3891200 | success or wait | 2 | 40474C | WriteFile
Value: every printed byte is 00; the visible part of the 3891200-byte buffer is all zeros.

C:\Windows\SysWOW64\wget.exe | unknown | 1822 | success or wait | 2 | 40474C | WriteFile
Value: a DER-encoded X.509 certificate (the two leading bytes 04 a0 belong to whatever precedes it in the buffer). Decoded: Certificate SEQUENCE of 0x49C (1180) bytes; tbsCertificate SEQUENCE of 0x384 (900) bytes; version [0] INTEGER 2 (v3); serialNumber 4e b0 87 8f cc 24 35 36 b2 d8 c9 f7 bf 39 55 77; signature 1.2.840.113549.1.1.11 (sha256WithRSAEncryption); issuer C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Object; validity UTCTime 151231000000Z to 190709184036Z (2015-12-31 00:00:00Z to 2019-07-09 18:40:36Z); subject begins C=GB, then the dump is cut off.
Hex as printed: 04 a0 30 82 04 9c 30 82 03 84 a0 03 02 01 02 02 10 4e b0 87 8f cc 24 35 36 b2 d8 c9 f7 bf 39 55 77 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 95 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 0b 30 09 06 03 55 04 08 13 02 55 54 31 17 30 15 06 03 55 04 07 13 0e 53 61 6c 74 20 4c 61 6b 65 20 43 69 74 79 31 1e 30 1c 06 03 55 04 0a 13 15 54 68 65 20 55 53 45 52 54 52 55 53 54 20 4e 65 74 77 6f 72 6b 31 21 30 1f 06 03 55 04 0b 13 18 68 74 74 70 3a 2f 2f 77 77 77 2e 75 73 65 72 74 72 75 73 74 2e 63 6f 6d 31 1d 30 1b 06 03 55 04 03 13 14 55 54 4e 2d 55 53 45 52 46 69 72 73 74 2d 4f 62 6a 65 63 74 30 1e 17 0d 31 35 31 32 33 31 30 30 30 30 30 30 5a 17 0d 31 39 30 37 30 39 31 38 34 30 33 36 5a 30 81 86 31 0b 30 09 06 03 55 04 06 13 02 47 42 31 1b 30 19 06 03 55

\Device\ConDrv | unknown | 19 | success or wait | 1 | 4046E7 | WriteFile
Value: 66 69 6e 64 20 66 69 6c 65 20 66 61 69 6c 65 64 21 0d 0a, the text "find file failed!" followed by CR LF. \Device\ConDrv is the console device, so this is the process's console output.
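The MZ/PE prefix that the FlashPlayerApp.exe, unarchiver.exe and wget.exe rows above reproduce can be checked mechanically rather than read by eye. The following Python is an example added to this report, not Joe Sandbox output and not code from the sample: it embeds the 255 bytes as printed in the Value column (a constructed copy of that dump), decodes the COFF and leading optional-header fields at their fixed PE/COFF offsets, and unmasks the Rich header (the block between the DOS stub and "PE\0\0", XOR-masked with the dword that follows "Rich") into its (product id, build, use count) entries. The PE layout is the documented format; the Rich header layout is the widely used undocumented convention and is an assumption of this code.

```python
"""Parse the 255-byte MZ/PE prefix that the File Written table shows being
written to FlashPlayerApp.exe, unarchiver.exe and wget.exe.

Added example for this report, not Joe Sandbox code. The input bytes are a
copy of the report's Value column; decoding assumes only the documented
PE/COFF layout and the usual DanS...Rich header convention.
"""
import struct
from datetime import datetime, timezone

# First 255 bytes of the 12034048-byte WriteFile buffer, reflowed from the
# report's hex column (bytes.fromhex skips the whitespace).
WRITTEN_HEADER = bytes.fromhex("""
    4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
    b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00
    0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
    69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
    74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
    6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
    f7 3c 22 23 b3 5d 4c 70 b3 5d 4c 70 b3 5d 4c 70
    85 7b 47 70 b2 5d 4c 70 30 41 42 70 bd 5d 4c 70
    85 7b 46 70 8f 5d 4c 70 d1 42 5f 70 b0 5d 4c 70
    b3 5d 4d 70 87 5d 4c 70 5b 42 47 70 b1 5d 4c 70
    52 69 63 68 b3 5d 4c 70 00 00 00 00 00 00 00 00
    50 45 00 00 4c 01 03 00 db ef d3 51 00 00 00 00
    00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 00 00
    00 50 00 00 00 00 00 00 58 1d 00 00 00 10 00
""")

DANS = 0x536E6144  # the ASCII "DanS" marker read as a little-endian dword


def parse_pe_prefix(data):
    """Decode the COFF header and the leading optional-header fields.

    A prefix that ends before AddressOfEntryPoint raises ValueError
    instead of returning half-parsed values.
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # Start of IMAGE_OPTIONAL_HEADER32: Magic, Major/MinorLinkerVersion,
    # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
    opt_off = e_lfanew + 24
    if len(data) < opt_off + 20:
        raise ValueError("prefix ends before AddressOfEntryPoint")
    opt = struct.unpack_from("<HBBIIII", data, opt_off)
    return {
        "e_lfanew": e_lfanew,
        "machine": coff[0],
        "number_of_sections": coff[1],
        "timestamp": coff[2],
        "timestamp_utc": datetime.fromtimestamp(coff[2], tz=timezone.utc).isoformat(),
        "size_of_optional_header": coff[5],
        "characteristics": coff[6],
        "magic": opt[0],
        "linker_version": (opt[1], opt[2]),
        "size_of_code": opt[3],
        "size_of_initialized_data": opt[4],
        "address_of_entry_point": opt[6],
    }


def decode_rich_header(data, e_lfanew):
    """Unmask the Rich header between the DOS stub and the PE signature.

    Every dword of the block is XORed with the key stored right after the
    "Rich" marker. Returns (key, [(product_id, build, use_count), ...]),
    or None when no DanS...Rich block is present.
    """
    rich_at = data.rfind(b"Rich", 0, e_lfanew)
    if rich_at < 0 or rich_at + 8 > len(data):
        return None
    (key,) = struct.unpack_from("<I", data, rich_at + 4)
    pos = rich_at - 4
    while pos >= 0x40:  # walk back one dword at a time until "DanS" appears
        if struct.unpack_from("<I", data, pos)[0] ^ key == DANS:
            break
        pos -= 4
    else:
        return None
    entries = []
    # "DanS" is followed by three masked zero dwords; the (comp_id, count)
    # pairs run from there up to the "Rich" marker.
    for off in range(pos + 16, rich_at, 8):
        comp_id = struct.unpack_from("<I", data, off)[0] ^ key
        count = struct.unpack_from("<I", data, off + 4)[0] ^ key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return key, entries


def summarize(data=WRITTEN_HEADER):
    """Header fields plus the Rich header of one written prefix, as a dict."""
    fields = parse_pe_prefix(data)
    fields["rich"] = decode_rich_header(data, fields["e_lfanew"])
    return fields


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:26} {value:#x}" if isinstance(value, int) else f"{name:26} {value}")
```

Run stand-alone it prints every decoded field. Feeding it one of the shorter dumps in this table raises ValueError from parse_pe_prefix, which is the intended behaviour: a truncated header should fail loudly rather than yield a plausible-looking entry point.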
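The 3982-byte write to unarchiver.exe has the layout of a .NET #US (user string) heap. The following Python is an added example, not part of the report and not code from the sample: it embeds the bytes printed for that row (a constructed copy of the dump), walks the entries by the ECMA-335 rule (compressed unsigned length, UTF-16LE text, one trailing flag byte counted in the length) and copes with a dump that starts inside a string and ends inside an entry. The offset of the first complete entry is derived from the cut-off string the dump opens with, so that resynchronisation point is an assumption taken from the report's Ascii column rather than something the format encodes.

```python
"""Decode the 3982-byte write to unarchiver.exe as a .NET #US (user string)
heap fragment.

Added example for this report, not Joe Sandbox code. The bytes are a copy of
the report's Value column; the entry layout follows ECMA-335 II.24.2.4
(compressed unsigned length, UTF-16LE text, one trailing flag byte counted
in the length).
"""

# Bytes as printed in the report: the dump opens inside a string (the tail of
# "...indows\System32\7za.exe") and stops where the report truncates it.
WRITTEN_US_HEAP = bytes.fromhex("""
    69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 53 00
    79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00
    37 00 7a 00 61 00 2e 00 65 00 78 00 65 00 00 11
    55 00 6e 00 70 00 61 00 63 00 6b 00 3a 00 20 00
    00 13 54 00 6d 00 70 00 20 00 64 00 69 00 72 00
    3a 00 20 00 00 27 78 00 20 00 2d 00 70 00 69 00
    6e 00 66 00 65 00 63 00 74 00 65 00 64 00 20 00
    2d 00 79 00 20 00 2d 00 6f 00 22 00 01 07 22 00
    20 00 22 00 00 03 22 00 00 13 47 00 65 00 74 00
    20 00 66 00 69 00 6c 00 65 00 73 00 00 07 2a 00
    2e 00 2a 00 00 1d 4e 00 62 00 72 00 20 00 6f 00
    66 00 20 00 66 00 69 00 6c 00 65 00 73 00 3a 00
    20 00 00 03 2e 00 00 31 46 00 6f 00 75 00 6e 00
    64 00 20 00 69 00 6e 00 74 00 65 00 72 00 65 00
    73 00 74 00 69 00 6e 00 67 00 20 00 66 00 69 00
    6c 00 65 00 3a 00 20 00 00 01 00 1f 46 00 69
""")

# The cut-off string the dump opens with (read from the report's Ascii
# column). Its UTF-16 bytes plus its flag byte give the offset of the first
# complete entry; this resynchronisation point is an assumption, not data
# the heap format encodes.
LEADING_TAIL = "indows\\System32\\7za.exe"
FIRST_ENTRY = len(LEADING_TAIL.encode("utf-16-le")) + 1  # 47


def read_compressed_uint(data, pos):
    """ECMA-335 II.23.2 compressed unsigned integer -> (value, next_pos)."""
    b0 = data[pos]
    if b0 & 0x80 == 0:
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | data[pos + 1], pos + 2
    if b0 & 0xE0 == 0xC0:
        value = ((b0 & 0x1F) << 24) | (data[pos + 1] << 16) | (data[pos + 2] << 8) | data[pos + 3]
        return value, pos + 4
    raise ValueError(f"invalid compressed integer at offset {pos}: {b0:#x}")


def decode_us_heap(data, start=0):
    """Walk #US entries from `start` to the end of `data`.

    Each result has offset, text, flag and complete. The flag byte is 1 when
    the string holds a character from a fixed set (0x2D '-' is one of them)
    and 0 otherwise; it is None for an entry the buffer cuts off, whose text
    is then only the whole UTF-16 code units that are present.
    """
    entries = []
    pos = start
    while pos < len(data):
        offset = pos
        length, pos = read_compressed_uint(data, pos)
        blob = data[pos:pos + length]
        complete = len(blob) == length
        if length == 0:  # a real heap starts with this empty entry
            text, flag = "", None
        elif complete:
            text, flag = blob[:-1].decode("utf-16-le"), blob[-1]
        else:
            text, flag = blob[: len(blob) // 2 * 2].decode("utf-16-le"), None
        entries.append({"offset": offset, "text": text, "flag": flag, "complete": complete})
        pos += length
    return entries


def decode_written_strings(data=WRITTEN_US_HEAP, first_entry=FIRST_ENTRY):
    """Strings visible in the written buffer, leading cut-off tail included."""
    tail = data[: first_entry - 1].decode("utf-16-le")
    entries = decode_us_heap(data, first_entry)
    return [tail] + [e["text"] for e in entries], entries


if __name__ == "__main__":
    for s in decode_written_strings()[0]:
        print(repr(s))
```

The flag byte is worth keeping in the output: 'x -pinfected -y -o"' is the only entry with flag 1, because it contains '-' (0x2D), one of the characters ECMA-335 says must set it. An entry whose declared length runs past the end of the buffer is reported with complete=False, which is how the last, cut-off string in this dump shows up.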

File Read

Source | File Path | Offset | Length | Completion | Count | Address | Symbol
(In every row the Source column is empty, Offset is unknown, Completion is "success or wait", Address is 402BB8 and Symbol is ReadFile; only Length and Count vary, so the rows are listed as Length | Count | File Path. Most files appear twice, with one larger read and one read of 4096 bytes.)

12034048 | 1 | C:\Users\user\Desktop\ev2r1pIrDU.exe
4096 | 1 | C:\Users\user\Desktop\ev2r1pIrDU.exe
12034048 | 2 | C:\Users\user\Desktop\ev2r1pIrDU.exe
4096 | 2 | C:\Users\user\Desktop\ev2r1pIrDU.exe
12034048 | 18512 | C:\Users\user\Desktop\ev2r1pIrDU.exe
4096 | 18512 | C:\Users\user\Desktop\ev2r1pIrDU.exe
65536 | 1 | C:\Windows\bfsvc.exe
4096 | 1 | C:\Windows\bfsvc.exe
843776 | 1 | C:\Windows\Boot\PCAT\memtest.exe
4096 | 1 | C:\Windows\Boot\PCAT\memtest.exe
3932160 | 1 | C:\Windows\explorer.exe
4096 | 1 | C:\Windows\explorer.exe
1052672 | 1 | C:\Windows\HelpPane.exe
4096 | 1 | C:\Windows\HelpPane.exe
16384 | 1 | C:\Windows\hh.exe
4096 | 1 | C:\Windows\hh.exe
16384 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.22.3254.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.22.3254.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe
2162688 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.12271.0_x64__8wekyb3d8bbwe\AppInstaller.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.12271.0_x64__8wekyb3d8bbwe\AppInstaller.exe
12288 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.GetHelp_10.1706.10441.0_x64__8wekyb3d8bbwe\GetHelp.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.GetHelp_10.1706.10441.0_x64__8wekyb3d8bbwe\GetHelp.exe
12288 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_6.9.10602.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe

4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_6.9.10602.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe
12288 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.38.22001.0_x64__8wekyb3d8bbwe\MessagingApplication.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.38.22001.0_x64__8wekyb3d8bbwe\MessagingApplication.exe
16384 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_2.1803.8022.0_x64__8wekyb3d8bbwe\3DViewer.exe
8192 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_2.1803.8022.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_2.1803.8022.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe
32768 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8918.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubTaskHost.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8918.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubTaskHost.exe
1961984 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8918.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubWin32.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8918.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubWin32.exe
1900544 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8918.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8918.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.exe
327680 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8918.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8918.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE
12288 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_4.0.1301.0_x86__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_4.0.1301.0_x86__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe
10027008 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_4.0.1301.0_x86__8wekyb3d8bbwe\Solitaire.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_4.0.1301.0_x86__8wekyb3d8bbwe\Solitaire.exe
20480 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftStickyNotes_2.0.13.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftStickyNotes_2.0.13.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe
3809280 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MSPaint_3.1803.5027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.MSPaint_3.1803.5027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
2596864 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.8827.20991.0_x64__8wekyb3d8bbwe\onenoteim.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.8827.20991.0_x64__8wekyb3d8bbwe\onenoteim.exe
528384 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.8827.20991.0_x64__8wekyb3d8bbwe\onenoteshare.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.8827.20991.0_x64__8wekyb3d8bbwe\onenoteshare.exe
12288 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.OneConnect_4.1801.521.0_x64__8wekyb3d8bbwe\OneConnect.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.OneConnect_4.1801.521.0_x64__8wekyb3d8bbwe\OneConnect.exe
12288 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.People_10.3.10452.0_x64__8wekyb3d8bbwe\PeopleApp.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.People_10.3.10452.0_x64__8wekyb3d8bbwe\PeopleApp.exe
15650816 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Print3D_2.0.3621.0_x64__8wekyb3d8bbwe\Print3D.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Print3D_2.0.3621.0_x64__8wekyb3d8bbwe\Print3D.exe
16384 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\SkypeApp.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\SkypeApp.exe
86016 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\SkypeHost.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\SkypeHost.exe
12288 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.StorePurchaseApp_11712.1801.10002.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.StorePurchaseApp_11712.1801.10002.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe
12288 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Wallet_2.1.18009.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Wallet_2.1.18009.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
241664 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WebMediaExtensions_1.0.3102.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WebMediaExtensions_1.0.3102.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe
475136 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Windows.Photos_2018.18011.15918.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
4399104 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1712.10611.0_x64__8wekyb3d8bbwe\Time.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1712.10611.0_x64__8wekyb3d8bbwe\Time.exe
4366336 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1712.10601.0_x64__8wekyb3d8bbwe\Calculator.exe
12288 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.1117.80.0_x64__8wekyb3d8bbwe\WindowsCamera.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.1117.80.0_x64__8wekyb3d8bbwe\WindowsCamera.exe
262144 | 1 | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxAccounts.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxAccounts.exe
10731520 | 1 | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe
2170880 | 1 | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe
98304 | 1 | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxTsr.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxTsr.exe
16384 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1712.612.0_x64__8wekyb3d8bbwe\PilotshubApp.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1712.612.0_x64__8wekyb3d8bbwe\PilotshubApp.exe
12288 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1711.10401.0_x64__8wekyb3d8bbwe\Maps.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1711.10401.0_x64__8wekyb3d8bbwe\Maps.exe
3145728 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsSoundRecorder_10.1712.10611.0_x64__8wekyb3d8bbwe\SoundRec.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsSoundRecorder_10.1712.10611.0_x64__8wekyb3d8bbwe\SoundRec.exe
16384 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11712.1001.23.0_x64__8wekyb3d8bbwe\WinStore.App.exe
12288 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Xbox.TCUI_1.11.28003.0_x64__8wekyb3d8bbwe\TCUI-App.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.Xbox.TCUI_1.11.28003.0_x64__8wekyb3d8bbwe\TCUI-App.exe
16384 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.XboxApp_38.38.14002.0_x64__8wekyb3d8bbwe\XboxApp.exe
184320 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.XboxGameOverlay_1.26.6001.0_x64__8wekyb3d8bbwe\GameBar.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.XboxGameOverlay_1.26.6001.0_x64__8wekyb3d8bbwe\GameBar.exe
3911680 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.XboxGamingOverlay_1.15.1001.0_x64__8wekyb3d8bbwe\GameBar.exe
12288 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.XboxIdentityProvider_12.36.15002.0_x64__8wekyb3d8bbwe\XboxIdp.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.XboxIdentityProvider_12.36.15002.0_x64__8wekyb3d8bbwe\XboxIdp.exe
561152 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe
28282880 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.17112.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.17112.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
26931200 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
4096 | 1 | C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
245760 | 1 | C:\Windows\notepad.exe
315392 | 3 | C:\Windows\SysWOW64\regedit.exe
4096 | 3 | C:\Windows\SysWOW64\regedit.exe
131072 | 1 | C:\Windows\servicing\TrustedInstaller.exe
4096 | 1 | C:\Windows\servicing\TrustedInstaller.exe
40960 | 1 | C:\Windows\Speech\Common\sapisvr.exe
4096 | 1 | C:\Windows\Speech\Common\sapisvr.exe
126976 | 1 | C:\Windows\splwow64.exe
4096 | 1 | C:\Windows\splwow64.exe
286720 | 2 | C:\Windows\SysWOW64\7za.exe
4096 | 2 | C:\Windows\SysWOW64\7za.exe
20480 | 2 | C:\Windows\SysWOW64\appidtel.exe
4096 | 2 | C:\Windows\SysWOW64\appidtel.exe
20480 | 2 | C:\Windows\SysWOW64\ARP.EXE
4096 | 2 | C:\Windows\SysWOW64\ARP.EXE
24576 | 2 | C:\Windows\SysWOW64\at.exe
4096 | 2 | C:\Windows\SysWOW64\at.exe
49152 | 2 | C:\Windows\SysWOW64\AtBroker.exe
16384 | 2 | C:\Windows\SysWOW64\attrib.exe
4096 | 2 | C:\Windows\SysWOW64\attrib.exe
28672 | 2 | C:\Windows\SysWOW64\auditpol.exe
4096 | 2 | C:\Windows\SysWOW64\auditpol.exe
868352 | 2 | C:\Windows\SysWOW64\autochk.exe
4096 | 2 | C:\Windows\SysWOW64\autochk.exe
851968 | 2 | C:\Windows\SysWOW64\autoconv.exe
831488 | 2 | C:\Windows\SysWOW64\autofmt.exe
16384 | 2 | C:\Windows\SysWOW64\backgroundTaskHost.exe
4096 | 2 | C:\Windows\SysWOW64\backgroundTaskHost.exe
32768 | 2 | C:\Windows\SysWOW64\BackgroundTransferHost.exe
4096 | 2 | C:\Windows\SysWOW64\BackgroundTransferHost.exe
176128 | 2 | C:\Windows\SysWOW64\bitsadmin.exe
4096 | 2 | C:\Windows\SysWOW64\bitsadmin.exe
81920 | 2 | C:\Windows\SysWOW64\bootcfg.exe
4096 | 2 | C:\Windows\SysWOW64\bootcfg.exe
36864 | 2 | C:\Windows\SysWOW64\bthudtask.exe
4096 | 2 | C:\Windows\SysWOW64\bthudtask.exe
45056 | 2 | C:\Windows\SysWOW64\ByteCodeGenerator.exe
4096 | 2 | C:\Windows\SysWOW64\ByteCodeGenerator.exe
24576 | 2 | C:\Windows\SysWOW64\cacls.exe
4096 | 2 | C:\Windows\SysWOW64\cacls.exe
24576 | 2 | C:\Windows\SysWOW64\calc.exe
4096 | 2 | C:\Windows\SysWOW64\calc.exe
28672 | 2 | C:\Windows\SysWOW64\CameraSettingsUIHost.exe
4096 | 2 | C:\Windows\SysWOW64\CameraSettingsUIHost.exe
40960 | 2 | C:\Windows\SysWOW64\CertEnrollCtrl.exe
4096 | 2 | C:\Windows\SysWOW64\CertEnrollCtrl.exe
425984 | 2 | C:\Windows\SysWOW64\certreq.exe
4096 | 2 | C:\Windows\SysWOW64\certreq.exe
1273856 | 2 | C:\Windows\SysWOW64\certutil.exe
172032 | 2 | C:\Windows\SysWOW64\charmap.exe
4096 | 2 | C:\Windows\SysWOW64\charmap.exe
24576 | 2 | C:\Windows\SysWOW64\CheckNetIsolation.exe
4096 | 2 | C:\Windows\SysWOW64\CheckNetIsolation.exe

20480 | 2 | C:\Windows\SysWOW64\chkdsk.exe
4096 | 2 | C:\Windows\SysWOW64\chkdsk.exe
16384 | 2 | C:\Windows\SysWOW64\chkntfs.exe
4096 | 2 | C:\Windows\SysWOW64\chkntfs.exe
24576 | 2 | C:\Windows\SysWOW64\choice.exe
4096 | 2 | C:\Windows\SysWOW64\choice.exe
36864 | 2 | C:\Windows\SysWOW64\cipher.exe
4096 | 2 | C:\Windows\SysWOW64\cipher.exe
208896 | 2 | C:\Windows\SysWOW64\cleanmgr.exe
4096 | 2 | C:\Windows\SysWOW64\cleanmgr.exe
28672 | 2 | C:\Windows\SysWOW64\cliconfg.exe
24576 | 2 | C:\Windows\SysWOW64\clip.exe
4096 | 2 | C:\Windows\SysWOW64\clip.exe
65536 | 2 | C:\Windows\SysWOW64\CloudNotifications.exe
4096 | 2 | C:\Windows\SysWOW64\CloudNotifications.exe
163840 | 2 | C:\Windows\SysWOW64\CloudStorageWizard.exe
4096 | 2 | C:\Windows\SysWOW64\CloudStorageWizard.exe
229376 | 2 | C:\Windows\SysWOW64\cmd.exe
4096 | 2 | C:\Windows\SysWOW64\cmd.exe
16384 | 2 | C:\Windows\SysWOW64\cmdkey.exe
4096 | 2 | C:\Windows\SysWOW64\cmdkey.exe
45056 | 2 | C:\Windows\SysWOW64\cmdl32.exe
4096 | 2 | C:\Windows\SysWOW64\cmdl32.exe
36864 | 2 | C:\Windows\SysWOW64\cmmon32.exe
81920 | 2 | C:\Windows\SysWOW64\cmstp.exe
4096 | 2 | C:\Windows\SysWOW64\cmstp.exe
86016 | 2 | C:\Windows\SysWOW64\colorcpl.exe
4096 | 2 | C:\Windows\SysWOW64\colorcpl.exe
12288 | 2 | C:\Windows\SysWOW64\com\comrepl.exe
4096 | 2 | C:\Windows\SysWOW64\com\comrepl.exe
8192 | 2 | C:\Windows\SysWOW64\com\MigRegDB.exe
4096 | 2 | C:\Windows\SysWOW64\com\MigRegDB.exe
20480 | 2 | C:\Windows\SysWOW64\comp.exe
4096 | 2 | C:\Windows\SysWOW64\comp.exe
40960 | 2 | C:\Windows\SysWOW64\compact.exe
61440 | 2 | C:\Windows\SysWOW64\ComputerDefaults.exe
114688 | 2 | C:\Windows\SysWOW64\control.exe
16384 | 2 | C:\Windows\SysWOW64\convert.exe
4096 | 2 | C:\Windows\SysWOW64\convert.exe
110592 | 2 | C:\Windows\SysWOW64\CredentialUIBroker.exe
4096 | 2 | C:\Windows\SysWOW64\CredentialUIBroker.exe
28672 | 2 | C:\Windows\SysWOW64\credwiz.exe
4096 | 2 | C:\Windows\SysWOW64\credwiz.exe
143360 | 2 | C:\Windows\SysWOW64\cscript.exe
8192 | 2 | C:\Windows\SysWOW64\ctfmon.exe
4096 | 2 | C:\Windows\SysWOW64\ctfmon.exe
311296 | 2 | C:\Windows\SysWOW64\cttune.exe
4096 | 2 | C:\Windows\SysWOW64\cttune.exe
32768 | 2 | C:\Windows\SysWOW64\cttunesvr.exe
4096 | 2 | C:\Windows\SysWOW64\cttunesvr.exe
643072 | 2 | C:\Windows\SysWOW64\dccw.exe
8192 | 2 | C:\Windows\SysWOW64\dcomcnfg.exe
4096 | 2 | C:\Windows\SysWOW64\dcomcnfg.exe
32768 | 2 | C:\Windows\SysWOW64\ddodiag.exe
81920 | 2 | C:\Windows\SysWOW64\DevicePairingWizard.exe
4096 | 2 | C:\Windows\SysWOW64\DevicePairingWizard.exe
561152 | 2 | C:\Windows\SysWOW64\dfrgui.exe
32768 | 2 | C:\Windows\SysWOW64\dialer.exe
147456 | 2 | C:\Windows\SysWOW64\diskpart.exe
4096 | 2 | C:\Windows\SysWOW64\diskpart.exe
20480 | 2 | C:\Windows\SysWOW64\diskperf.exe
4096 | 2 | C:\Windows\SysWOW64\diskperf.exe
282624 | 2 | C:\Windows\SysWOW64\diskraid.exe

Copyright null 2020 Page 29 of 34 Source File Path Offset Length Completion Count Address Symbol C:\Windows\SysWOW64\diskraid.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\Dism\DismHost.exe unknown 118784 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\Dism\DismHost.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\Dism.exe unknown 225280 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\Dism.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\dllhost.exe unknown 16384 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\dllhost.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\dllhst3g.exe unknown 8192 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\dllhst3g.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\doskey.exe unknown 16384 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\doskey.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\dpapimig.exe unknown 73728 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\DpiScaling.exe unknown 73728 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\DpiScaling.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\dplaysvr.exe unknown 8192 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\dpnsvr.exe unknown 8192 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\driverquery.exe unknown 65536 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\driverquery.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\dtdump.exe unknown 73728 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\dtdump.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\dvdplay.exe unknown 8192 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\dvdplay.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\DWWIN.EXE unknown 176128 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\DWWIN.EXE unknown 4096 success or 
wait 2 402BB8 ReadFile C:\Windows\SysWOW64\.exe unknown 311296 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\dxdiag.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\EaseOfAccessDialog.exe unknown 286720 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\EaseOfAccessDialog.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\edpnotify.exe unknown 49152 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\edpnotify.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\efsui.exe unknown 12288 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\efsui.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\EhStorAuthn.exe unknown 118784 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\EhStorAuthn.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\esentutl.exe unknown 323584 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\esentutl.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\eudcedit.exe unknown 303104 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\eudcedit.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\eventcreate.exe unknown 32768 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\eventcreate.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\eventvwr.exe unknown 77824 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\eventvwr.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\expand.exe unknown 49152 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\expand.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\explorer.exe unknown 3608576 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\explorer.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\extrac32.exe unknown 28672 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\extrac32.exe unknown 4096 success or wait 2 402BB8 ReadFile 
C:\Windows\SysWOW64\fc.exe unknown 20480 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\fc.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\find.exe unknown 12288 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\find.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\findstr.exe unknown 28672 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\findstr.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\finger.exe unknown 12288 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\finger.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\fixmapi.exe unknown 16384 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\fixmapi.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\FlashPlayerApp.exe unknown 831488 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\FlashPlayerApp.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\fltMC.exe unknown 24576 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\Fondue.exe unknown 106496 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\fontdrvhost.exe unknown 659456 success or wait 2 402BB8 ReadFile

Copyright null 2020 Page 30 of 34 Source File Path Offset Length Completion Count Address Symbol C:\Windows\SysWOW64\fontdrvhost.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\fontview.exe unknown 110592 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\fontview.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\forfiles.exe unknown 40960 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\forfiles.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\fsquirt.exe unknown 126976 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\fsquirt.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\fsutil.exe unknown 143360 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\fsutil.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ftp.exe unknown 45056 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ftp.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\GameBarPresenceWriter.exe unknown 208896 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\GameBarPresenceWriter.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\GamePanel.exe unknown 958464 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\GamePanel.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\getmac.exe unknown 65536 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\gpresult.exe unknown 192512 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\gpresult.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\gpscript.exe unknown 36864 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\gpscript.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\gpupdate.exe unknown 24576 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\gpupdate.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\grpconv.exe unknown 36864 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\grpconv.exe 
unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\hdwwiz.exe unknown 65536 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\help.exe unknown 8192 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\help.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\hh.exe unknown 16384 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\HOSTNAME.EXE unknown 8192 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\HOSTNAME.EXE unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\icacls.exe unknown 28672 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\icacls.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\icsunattend.exe unknown 16384 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ieUnatt.exe unknown 122880 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ieUnatt.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\iexpress.exe unknown 151552 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\iexpress.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE unknown 450560 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE unknown 126976 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE unknown 77824 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe unknown 286720 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\IMETC\IMTCLNWZ.EXE unknown 73728 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe unknown 442368 success or wait 2 402BB8 ReadFile 
C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\shared\IMCCPHR.exe unknown 393216 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\shared\IMCCPHR.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\shared\imecfmui.exe unknown 229376 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\shared\imecfmui.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\shared\IMEPADSV.EXE unknown 266240 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\shared\IMEPADSV.EXE unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\shared\IMESEARCH.EXE unknown 139264 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\shared\IMESEARCH.EXE unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\shared\IMEWDBLD.EXE unknown 290816 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\IME\shared\IMEWDBLD.EXE unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\InfDefaultInstall.exe unknown 8192 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\InfDefaultInstall.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\InstallShield\setup.exe unknown 69632 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\InstallShield\setup.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\InstallShield\_isdel.exe unknown 24576 success or wait 2 402BB8 ReadFile

Copyright null 2020 Page 31 of 34 Source File Path Offset Length Completion Count Address Symbol C:\Windows\SysWOW64\InstallShield\_isdel.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\instnm.exe unknown 8192 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\instnm.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ipconfig.exe unknown 28672 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ipconfig.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\iscsicli.exe unknown 147456 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\iscsicli.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\iscsicpl.exe unknown 118784 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\iscsicpl.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\isoburn.exe unknown 106496 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ktmutil.exe unknown 12288 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ktmutil.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\label.exe unknown 12288 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\label.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\LaunchTM.exe unknown 180224 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\LaunchTM.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\LaunchWinApp.exe unknown 32768 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\LaunchWinApp.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\lodctr.exe unknown 40960 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\lodctr.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\logagent.exe unknown 86016 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\logman.exe unknown 94208 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\logman.exe unknown 4096 success or wait 2 402BB8 ReadFile 
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil_ActiveX.exe unknown 1437696 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\Macromed\Flash\FlashUtil_ActiveX.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\Magnify.exe unknown 733184 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\Magnify.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\makecab.exe unknown 65536 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\makecab.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mavinject.exe unknown 147456 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mavinject.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mcbuilder.exe unknown 77824 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mcbuilder.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mfpmp.exe unknown 40960 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mfpmp.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mmc.exe unknown 1441792 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mmc.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mmgaserver.exe unknown 1056768 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mobsync.exe unknown 90112 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mobsync.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mountvol.exe unknown 12288 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mountvol.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\MRINFO.EXE unknown 12288 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\MRINFO.EXE unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\msdt.exe unknown 1507328 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\msdt.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\msfeedssync.exe unknown 12288 success or wait 2 402BB8 ReadFile 
C:\Windows\SysWOW64\msfeedssync.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mshta.exe unknown 12288 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mshta.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\msiexec.exe unknown 57344 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\msiexec.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\msinfo32.exe unknown 335872 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\msinfo32.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mspaint.exe unknown 6586368 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mspaint.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\msra.exe unknown 73728 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\msra.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mstsc.exe unknown 3440640 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mstsc.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mtstocom.exe unknown 114688 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\mtstocom.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\MuiUnattend.exe unknown 81920 success or wait 2 402BB8 ReadFile

Copyright null 2020 Page 32 of 34 Source File Path Offset Length Completion Count Address Symbol C:\Windows\SysWOW64\MuiUnattend.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ndadmin.exe unknown 65536 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\net.exe unknown 45056 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\net.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\net1.exe unknown 139264 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\net1.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\netbtugc.exe unknown 20480 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\netbtugc.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe unknown 57344 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\netiougc.exe unknown 24576 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\netiougc.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\Netplwiz.exe unknown 32768 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\Netplwiz.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\.exe unknown 81920 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\netsh.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\NETSTAT.EXE unknown 32768 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\newdev.exe unknown 65536 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\newdev.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\notepad.exe unknown 233472 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\notepad.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\nslookup.exe unknown 77824 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\nslookup.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ntprint.exe unknown 61440 success 
or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ntprint.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\odbcad32.exe unknown 69632 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\odbcad32.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\odbcconf.exe unknown 20480 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\odbcconf.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\OneDriveSetup.exe unknown 20488192 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\OneDriveSetup.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\openfiles.exe unknown 57344 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\openfiles.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\OpenWith.exe unknown 98304 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\OpenWith.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\OposHost.exe unknown 36864 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\OposHost.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PackagedCWALauncher.exe unknown 28672 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PackagedCWALauncher.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe unknown 36864 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PATHPING.EXE unknown 16384 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PATHPING.EXE unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\pcaui.exe unknown 126976 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\pcaui.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\perfhost.exe unknown 20480 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\perfhost.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\perfmon.exe unknown 159744 
success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\perfmon.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PickerHost.exe unknown 94208 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PickerHost.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PING.EXE unknown 16384 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PING.EXE unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PkgMgr.exe unknown 200704 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PkgMgr.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\poqexec.exe unknown 114688 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\poqexec.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\powercfg.exe unknown 77824 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\powercfg.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PresentationHost.exe unknown 241664 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\PresentationHost.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\prevhost.exe unknown 20480 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\prevhost.exe unknown 4096 success or wait 2 402BB8 ReadFile

Copyright null 2020 Page 33 of 34 Source File Path Offset Length Completion Count Address Symbol C:\Windows\SysWOW64\print.exe unknown 12288 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\print.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\printui.exe unknown 61440 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\printui.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\proquota.exe unknown 28672 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\proquota.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\provlaunch.exe unknown 40960 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\provlaunch.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\psr.exe unknown 569344 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\psr.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\quickassist.exe unknown 454656 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\quickassist.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\rasautou.exe unknown 12288 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\rasautou.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\rasdial.exe unknown 20480 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\rasdial.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\raserver.exe unknown 106496 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\raserver.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\rasphone.exe unknown 28672 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\rasphone.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\RdpSa.exe unknown 36864 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\RdpSa.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\RdpSaProxy.exe unknown 24576 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\RdpSaProxy.exe unknown 4096 success or 
wait 2 402BB8 ReadFile C:\Windows\SysWOW64\RdpSaUacHelper.exe unknown 24576 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\RdpSaUacHelper.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\rdrleakdiag.exe unknown 40960 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\rdrleakdiag.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ReAgentc.exe unknown 32768 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\ReAgentc.exe unknown 4096 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\recover.exe unknown 12288 success or wait 2 402BB8 ReadFile C:\Windows\SysWOW64\recover.exe unknown 4096 success or wait 2 402BB8 ReadFile

Analysis Process: conhost.exe PID: 4100 Parent PID: 6524

General

Start time: 11:07:03
Start date: 16/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7bc490000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
