
ID: 197137 | Sample Name: ud-win-x64.exe | Cookbook: default.jbs | Time: 21:35:52 | Date: 18/12/2019 | Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report ud-win-x64.exe 5
  Overview 5
    General Information 5
    Detection 5
    Confidence 6
    Classification 6
    Analysis Advice 7
    Mitre Att&ck Matrix 7
  Signature Overview 8
    AV Detection: 8
    Spreading: 8
    Networking: 8
    System Summary: 8
    Data Obfuscation: 9
    Persistence and Installation Behavior: 9
    Hooking and other Techniques for Hiding and Protection: 9
    Malware Analysis System Evasion: 9
    Anti Debugging: 10
    HIPS / PFW / Protection Evasion: 10
    Language, Device and Operating System Detection: 10
  Malware Configuration 10
  Behavior Graph 10
  Simulations 11
    Behavior and APIs 11
  Antivirus, Machine Learning and Genetic Malware Detection 11
    Initial Sample 11
    Dropped Files 11
    Unpacked PE Files 11
    Domains 11
    URLs 12
  Yara Overview 12
    Initial Sample 12
    PCAP (Network Traffic) 12
    Dropped Files 12
    Memory Dumps 12
    Unpacked PEs 12
  Sigma Overview 12
  Joe Sandbox View / Context 12
    IPs 12
    Domains 12
    ASN 12
    JA3 Fingerprints 13
    Dropped Files 13
  Screenshots 13
    Thumbnails 13
  Startup 14
  Created / dropped Files 14
  Domains and IPs 17
    Contacted Domains 17
    URLs from Memory and Binaries 18
    Contacted IPs 18
  Static File Info 18
    General 18
    File Icon 19
  Static PE Info 19
    General 19
    Entrypoint Preview 19
    Data Directories 21
    Sections 21
    Resources 22
    Imports 22
    Version Infos 22
    Possible Origin 22
  Network Behavior 23
  Code Manipulations 23
  Statistics 23
    Behavior 23
  System Behavior 23
    Analysis Process: ud-win-x64.exe PID: 4816 Parent PID: 4268 23
      General 23
      File Activities 24
        File Created 24
        File Deleted 24
        File Written 24
        File Read 28
      Registry Activities 33
        Key Created 33
    Analysis Process: conhost.exe PID: 904 Parent PID: 4816 34
      General 34
    Analysis Process: cmd.exe PID: 5028 Parent PID: 4816 34
      General 34
      File Activities 34
    Analysis Process: WMIC.exe PID: 4232 Parent PID: 5028 34
      General 34
      File Activities 34
    Analysis Process: cmd.exe PID: 4272 Parent PID: 4816 35
      General 35
      File Activities 35
    Analysis Process: WMIC.exe PID: 4568 Parent PID: 4272 35
      General 35
      File Activities 35
    Analysis Process: cmd.exe PID: 4796 Parent PID: 4816 35
      General 35
      File Activities 36
    Analysis Process: WMIC.exe PID: 5040 Parent PID: 4796 36
      General 36
      File Activities 36
    Analysis Process: cmd.exe PID: 4668 Parent PID: 4816 36
      General 36
      File Activities 36
    Analysis Process: WMIC.exe PID: 3012 Parent PID: 4668 37
      General 37
      File Activities 37
    Analysis Process: cmd.exe PID: 2576 Parent PID: 4816 37
      General 37
      File Activities 37
    Analysis Process: WMIC.exe PID: 1816 Parent PID: 2576 37
      General 37
      File Activities 38
    Analysis Process: cmd.exe PID: 4424 Parent PID: 4816 38
      General 38
    Analysis Process: WMIC.exe PID: 1256 Parent PID: 4424 38
      General 38
    Analysis Process: cmd.exe PID: 4220 Parent PID: 4816 38
      General 38
    Analysis Process: WMIC.exe PID: 3020 Parent PID: 4220 39
      General 39
    Analysis Process: cmd.exe PID: 4552 Parent PID: 4816 39
      General 39
    Analysis Process: WMIC.exe PID: 3428 Parent PID: 4552 39
      General 39
    Analysis Process: cmd.exe PID: 4516 Parent PID: 4816 39
      General 39
    Analysis Process: powershell.exe PID: 3964 Parent PID: 4516 40
      General 40
    Analysis Process: powershell.exe PID: 4412 Parent PID: 4816 40
      General 40
  Disassembly 40
    Code Analysis 40

Copyright Joe Security LLC 2019 Page 2 of 40

Analysis Report ud-win-x64.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 197137
Start date: 18.12.2019
Start time: 21:35:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 6s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ud-win-x64.exe
Cookbook file name: default.jbs
Analysis system description: 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.evad.winEXE@40/14@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 54.6% (good quality ratio 28.4%)
Quality average: 39.8%
Quality standard deviation: 43.1%
HCA Information: Failed
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Found application associated with file extension: .exe
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe, TiWorker.exe, conhost.exe, CompatTelRunner.exe, TrustedInstaller.exe
  Report size exceeded maximum capacity and may have missing behavior information.
  Report size getting too big, too many NtCreateFile calls found.
  Report size getting too big, too many NtEnumerateKey calls found.
  Report size getting too big, too many NtEnumerateValueKey calls found.
  Report size getting too big, too many NtOpenFile calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryAttributesFile calls found.
  Report size getting too big, too many NtQueryValueKey calls found.
  Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting Whitelisted | Detection
Threshold | 76 | 0 - 100 | false | (see Classification)

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | 

Classification

Classification graph (rendered as an image in the original report).

Legend: malicious, suspicious, clean

Categories shown: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Mitre Att&ck Matrix

The matrix lists, per tactic column, the techniques matched by this sample (numbers after a technique are the signature counts shown in the original cells):

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service

Execution: Windows Management Instrumentation 4 1 1; Command-Line Interface 2; PowerShell 1; Execution through API 2; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software

Persistence: Application Shimming 1; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts

Privilege Escalation: Access Token Manipulation 1; Process Injection 1 2; Application Shimming 1; DLL Search Order Hijacking; Permissions Weakness; New Service; Scheduled Task; Process Injection

Defense Evasion: Masquerading 1; Software Packing 1 1; Virtualization/Sandbox Evasion 3 5; Access Token Manipulation 1; Process Injection 1 2; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Indicator Blocking

Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History

Discovery: System Time Discovery 2; Query Registry 1; Virtualization/Sandbox Evasion 3 5; Process Discovery 2; Application Window Discovery 1; Security Software Discovery 5 5 1; File and Directory Discovery 3; System Information Discovery 2 3 6

Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol

Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data

Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol

Command and Control: Standard Cryptographic Protocol 1; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol

Signature Overview

• AV Detection • Spreading • Networking • System Summary • Data Obfuscation • Persistence and Installation Behavior • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection


AV Detection:

Machine Learning detection for sample

Spreading:

Contains functionality to query local drives

Enumerates the file system

Networking:

Urls found in memory or binary data

System Summary:

Contains functionality to communicate with device drivers

Detected potential crypto function

Found potential string decryption / allocating functions

Sample file is different than original file name gathered from version info

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Classification label

Contains functionality for error logging

Contains functionality to adjust token privileges (e.g. debug / backup)

Contains functionality to check free disk space

Creates files inside the user directory

Creates mutexes

Creates temporary files

Parts of this application are using the .NET runtime (probably coded in C#)

Queries process information (via WMI, Win32_Process)

Reads ini files

Reads software policies

Sample might require command line arguments

Sample reads its own file content

Spawns processes

Uses an in-process (OLE) Automation

Uses Silverlight

PE file has a high image base, often used for DLLs

Data Obfuscation:

Detected unpacking (changes PE section rights)

Contains functionality to dynamically determine API calls

Entry point lies outside standard sections

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Drops PE files

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Contains capabilities to detect virtual machines

Contains functionality to read device registry values (via SetupAPI)

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Checks the free space of harddrives

Contains functionality to query local drives

Enumerates the file system

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Program exit points

Queries a list of all running processes

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

Contains functionality to register its own exception handler

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy

Creates a process in suspended mode (likely to inject code)

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Queries device information via Setup API

Queries the volume information (name, serial number etc) of a device

Contains functionality to query local / system time

Contains functionality to query time zone information

Contains functionality to query windows version

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 197137
Sample: ud-win-x64.exe
Startdate: 18/12/2019
Architecture: WINDOWS
Score: 76

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious

Graph contents (the graph itself is an image in the original report):

ud-win-x64.exe
  Signatures: Machine Learning detection for sample; Bypasses PowerShell execution policy; Detected unpacking (changes PE section rights); Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries memory information (via WMI often done to detect virtual machines)
  dropped: C:\Users\user\AppData\Local\...\scv7F5B.tmp, PE32
  started: cmd.exe, cmd.exe, cmd.exe, and 8 other processes
    started: WMIC.exe (x6), and 3 other processes
      Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Simulations

Behavior and APIs

Time | Type | Description
21:36:59 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
21:37:52 | API Interceptor | 51x Sleep call for process: powershell.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
ud-win-x64.exe | 4% | Virustotal | | Browse
ud-win-x64.exe | 100% | Joe Sandbox ML | | 

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
ocsp.entrust.net03 | 0% | URL Reputation | safe | 
www.tagvault.org/tv_extensions.xsd | 0% | Virustotal | | Browse
www.tagvault.org/tv_extensions.xsd | 0% | URL Reputation | safe | 
ocsp.entrust.net02 | 0% | URL Reputation | safe | 
https://sectigo.com/CPS0C | 0% | Virustotal | | Browse
https://sectigo.com/CPS0C | 0% | URL Reputation | safe | 
crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | Virustotal | | Browse
crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe | 
crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | Virustotal | | Browse
crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe | 
ocsp.sectigo.com0$ | 0% | Avira URL Cloud | safe | 

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64

ud-win-x64.exe (PID: 4816 cmdline: 'C:\Users\user\Desktop\ud-win-x64.exe' MD5: DBA317E6BD40A254ABD7CD4008CD15B2)
  conhost.exe (PID: 904 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  cmd.exe (PID: 5028 cmdline: C:\Windows\system32\cmd.exe /C wmic diskdrive get Name, MediaType MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 4232 cmdline: wmic diskdrive get Name, MediaType MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 4272 cmdline: C:\Windows\system32\cmd.exe /C wmic logicaldisk where 'DeviceID='C:'' get size MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 4568 cmdline: wmic logicaldisk where 'DeviceID='C:'' get size MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 4796 cmdline: C:\Windows\system32\cmd.exe /C wmic logicaldisk where 'DeviceID='\\?\Volume{3a2f58e8-0000-0000-0000-100000000000}'' get size MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 5040 cmdline: wmic logicaldisk where 'DeviceID='\\?\Volume{3a2f58e8-0000-0000-0000-100000000000}'' get size MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 4668 cmdline: C:\Windows\system32\cmd.exe /C wmic PAGEFILESET GET MaximumSize /value < %SystemRoot%\win.ini MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 3012 cmdline: wmic PAGEFILESET GET MaximumSize /value MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 2576 cmdline: C:\Windows\system32\cmd.exe /C wmic path Win32_Processor get Name /value < %SystemRoot%\win.ini MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 1816 cmdline: wmic path Win32_Processor get Name /value MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 4424 cmdline: C:\Windows\system32\cmd.exe /C wmic path Win32_Processor get NumberOfCores /value < %SystemRoot%\win.ini MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 1256 cmdline: wmic path Win32_Processor get NumberOfCores /value MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 4220 cmdline: C:\Windows\system32\cmd.exe /C wmic path Win32_Processor get Name /value < %SystemRoot%\win.ini MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 3020 cmdline: wmic path Win32_Processor get Name /value MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 4552 cmdline: C:\Windows\system32\cmd.exe /C wmic path Win32_OperatingSystem get InstallDate MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 3428 cmdline: wmic path Win32_OperatingSystem get InstallDate MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 4516 cmdline: C:\Windows\system32\cmd.exe /C PowerShell foreach ($app in Get-AppxPackage -AllUsers) { Write-Host ($($app.name),$($app.packagefullname),$($app.version),$($app.installlocation),$($app.publisher),$($app.packagefamilyname)) -separator '####' } MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    powershell.exe (PID: 3964 cmdline: PowerShell foreach ($app in Get-AppxPackage -AllUsers) { Write-Host ($($app.name),$($app.packagefullname),$($app.version),$($app.installlocation),$($app.publisher),$($app.packagefamilyname)) -separator '####' } MD5: 95000560239032BC68B4C2FDFCDEF913)
  powershell.exe (PID: 4412 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass 'foreach ($pkg in Get-AppvClientPackage) { Write-Host $($pkg.PackageId)`t$($pkg.VersionId)`t$($pkg.Name) `t$($pkg.Version)' }' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
cleanup

Created / dropped Files

C:\ProgramData\Micro Focus\Universal-Discovery\local$.log
  Process: C:\Users\user\Desktop\ud-win-x64.exe
  File Type: ASCII text, with CRLF, LF line terminators
  Size (bytes): 2476
  Entropy (8bit): 4.902079342228557
  Encrypted: false
  MD5: 23F3F247B2E4ABCFAF990C4F85A36D4B
  SHA1: E772472EFAB006F72CBCEE5B2FCBF1BC2D021F5F
  SHA-256: 9B877DABD19C851C183244D40DC3249F9EE44FBB7E45FCB5AC2D781F6AD392F6
  SHA-512: FB5F17A56EDB72572B9703368A6049BBE151D2A7B1E50DAFF90CC0C57F7A9F47A500515EA6ECCEF93BA39C5F60CDC0785BC452F50A4152DE5E77A2F065B4A483
  Malicious: false
  Preview: [2019-12-18 21:36:55] Logging started..[2019-12-18 21:36:55] --..[2019-12-18 21:36:55] Universal Discovery v11.50.000 Build 524 win-x64..[2019-12-18 21:36:55] (C) Copyright 2011-2018 Micro Focus or one of its affiliates..[2019-12-18 21:36:55] --..[2019-12-18 21:36:55] + reading scanner parameters..[2019-12-18 21:36:56] - Low level VDD..[2019-12-18 21:36:56] - Log file created: C:\ProgramData\Micro Focus\Universal-Discovery\local$.log..[2019-12-18 21:36:56] - Debug: scan file iHours:-1, iDays:-1...[2019-12-18 21:36:56] + hardware detection..[2019-12-18 21:36:56] detecting BIOS Data..[2019-12-18 21:36:56] - Get BIOS date..[2019-12-18 21:36:56] - Get Dell Info..[2019-12-18 21:36:56] - Get ROM date..[2019-12-18 21:36:56] - Get BIOS info..[2019-12-18 21:36:56] - Detect PnP..[2019-12-18 21:36:56] - Get SMBIOS data..[2019-12-18 21:36:56] - Get BIOS Extensions..[2019-12-18 21:36:56] - Get Asset Tag..[2019-12-18 21:36:56] detecting Video data..[2

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Size (bytes): 1392
  Entropy (8bit): 5.443491447197289
  Encrypted: false
  MD5: 4F0BB92FABE8BA22CE52D38DFB20A823
  SHA1: 94C8EB2B26DB4073348EE788CBD2DA1E51918A2D
  SHA-256: 042FE7422F41BCE4315D006CB3E364BD78E5A680CD639528A12E3408BCCA2682
  SHA-512: 5100ACBE1896B9CDB3B6D810D75820EFB6B9D7AF2F9A16560542D67D39976F645F060C146901DDD34DD9ACD7C1FDC8E4FE53D49E8BB6B6B343F9E9AEF8C0477C
  Malicious: false
  Preview: binary data (assembly names visible in the dump include Microsoft.AppV.AppVClientPowerShell, Microsoft.PowerShell.ConsoleHost, System, System.Core, System.Management.Automation, Microsoft.Management.Infrastructure, System.Management, System.Transactions, Microsoft.AppV.AppvClientCom)

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_juqg3unb.axu.psm1
  Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  File Type: ASCII text, with no line terminators
  Size (bytes): 81
  Entropy (8bit): 4.573030276576329
  Encrypted: false
  MD5: F8C09C2771A40BA13696579BF6056A3B
  SHA1: 4F609701496411AAF73A911E9425080EA903B3F5
  SHA-256: 8AD0334A84C98E6D4DD6CA1128013E6B62363EA65AC2EE51144394E19CBC7A90
  SHA-512: 3B66BBBF7C27059A91A3F7E502D182F2AD261A6E5BD81C08C1F2F0163F064CA1ED38FB35179127A529EA3D2EF615A08196FEF59453243C4BC0362BE1CC16363E
  Malicious: false
  Preview: # PowerShell test file to determine AppLocker lockdown mode 12/18/2019 9:38:00 PM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n24pqzlg.nsa.ps1
  Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  File Type: ASCII text, with no line terminators
  Size (bytes): 81
  Entropy (8bit): 4.573030276576329
  Encrypted: false
  MD5: F8C09C2771A40BA13696579BF6056A3B
  SHA1: 4F609701496411AAF73A911E9425080EA903B3F5
  SHA-256: 8AD0334A84C98E6D4DD6CA1128013E6B62363EA65AC2EE51144394E19CBC7A90
  SHA-512: 3B66BBBF7C27059A91A3F7E502D182F2AD261A6E5BD81C08C1F2F0163F064CA1ED38FB35179127A529EA3D2EF615A08196FEF59453243C4BC0362BE1CC16363E
  Malicious: false
  Preview: # PowerShell test file to determine AppLocker lockdown mode 12/18/2019 9:38:00 PM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v2vats3r.00k.psm1
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: ASCII text, with no line terminators
  Size (bytes): 81
  Entropy (8bit): 4.616360832185304
  Encrypted: false
  MD5: AA0011AB9433CA2709CD94B7DECA971A
  SHA1: 3B5574460DAAAF64157006022F9999A77DA45C41
  SHA-256: E3FA55696DDE32269F2A2B31DF18F6B162BA5717624B2393B2B9E9445BD80976
  SHA-512: 86F2320017B2E58134695FF1CE31AC19C0BFCAFACD562AD01152501448E008B122B4F29BA955AA835CEAC74967152D4F2CE6BA864B8741731597709E657AC1E8
  Malicious: false
  Preview: # PowerShell test file to determine AppLocker lockdown mode 12/18/2019 9:37:51 PM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zprk4ijf.4wa.ps1
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: ASCII text, with no line terminators
  Size (bytes): 81
  Entropy (8bit): 4.616360832185304
  Encrypted: false
  MD5: AA0011AB9433CA2709CD94B7DECA971A
  SHA1: 3B5574460DAAAF64157006022F9999A77DA45C41
  SHA-256: E3FA55696DDE32269F2A2B31DF18F6B162BA5717624B2393B2B9E9445BD80976
  SHA-512: 86F2320017B2E58134695FF1CE31AC19C0BFCAFACD562AD01152501448E008B122B4F29BA955AA835CEAC74967152D4F2CE6BA864B8741731597709E657AC1E8
  Malicious: false
  Preview: # PowerShell test file to determine AppLocker lockdown mode 12/18/2019 9:37:51 PM

C:\Users\user\AppData\Local\Temp\sct8FF8.tmp
  Process: C:\Users\user\Desktop\ud-win-x64.exe
  File Type: data
  Size (bytes): 1782
  Entropy (8bit): 5.410251228404315
  Encrypted: false
  MD5: 967A2CD1ECC327FB0CEE9D04B45E4A98
  SHA1: 5330FB87B1E71E1D8FAC88133D7B694070591AE2
  SHA-256: 6EBAA8DE4F7DDB927E319E6C3738654A8F0CAFFDA9C392B8F5D0883A18EE2608
  SHA-512: 204B058EE192F1A084478571668268188645DABDFC499DAF78CE13F0B570E8C25AF9E3BD86F01001E3604A9189AE1C28665A97C656E4D4D379DB31F220858E3E
  Malicious: false
  Preview: .Temporary IDD scanner data file.AC:\Windows\system32\cmd.exe /C wmic diskdrive get Name, MediaType.C:\Users\user\Desktop....W...MediaType Name ...Fixed hard disk media \\.\PHYSICALDRIVE0.NC:\Windows\system32\cmd.exe /C wmic logicaldisk where "DeviceID='C:'" get size.C:\Users\user\Desktop...... Size ...119990648832.|C:\Windows\system32\cmd.exe /C wmic logicaldisk where "DeviceID='\\?\Volume{3a2f58e8-0000-0000-0000-100000000000}'" get size.C:\Users\user\Desktop....4...Node - 045012...ERROR:...Description = Invalid query.]C:\Windows\system32\cmd.exe /C wmic PAGEFILESET GET MaximumSize /value < %SystemRoot%\win.ini.C:\Users\user\Desktop...... No Instance(s) Available...C:\Windows\system32\xm info.C:\Users\user\Desktop...... *C:\Windows\system32\xenpm get-cpu-topology.C:\Users\user\Desktop...... _C:\Windows\system32\cmd.exe /C wmic path Win32_Processor get Name /value < %SystemRoot%\win.ini.C:\Users\user\Desktop....+...Name=Intel(R) Core(T

C:\Users\user\AppData\Local\Temp\scv7C2D.tmp
  Process: C:\Users\user\Desktop\ud-win-x64.exe
  File Type: ISO-8859 text, with CRLF line terminators
  Size (bytes): 217789
  Entropy (8bit): 5.493314174562234
  Encrypted: false
  MD5: 6C31B12BC9FE5046447CDA7949B16726
  SHA1: A6919A86D1986DDFD2866943D5C7AE7EC512D0BA
  SHA-256: A08AFAC5EFFF57BF60C686AB363A19A484590CA65E5EFF3110C4F53C0EC16AFA
  SHA-512: 5CF5B083657112904BA7EA819B42D87042CCBD5AD51EE67069572BA915CD072551FC5194CECDB0FDCD47639C9C5F8B37F6E77A18A12D945ADF5255C73486B7B2
  Malicious: false
  Preview: 13,C00000,0,"enumDummy","",0=""..13,C00001,0,"enumBool","",0="No"|1="Yes"..13,C00002,0,"enumCPUIntelBrand","",1="Intel Celeron"|2="Intel Pentium III"|3="Intel Pentium III Xeon"|4="Intel Pentium III"|6="Mobile Intel Pentium III"|7="Mobile Intel Celeron"|8="Intel Pentium 4"|9="Intel Pentium 4"|10="Intel Celeron"|11="Intel Xeon"|\..12="Intel Xeon MP"|14="Intel Xeon"|15="Mobile Intel Celeron"|17="Mobile Genuine Intel"|18="Intel Celeron M"|19="Mobile Intel Celeron"|20="Intel Celeron"|21="Mobile Genuine Intel"|22="Pentium M"|23="Mobile Intel Celeron"|256="Intel Celeron"|\..257="Intel Genuine"|258="Intel Xeon MP"|259="Intel Celeron"|260="Intel Xeon"|261="Mobile Intel Pentium 4"..13,C00003,0,"enumBuses","",0="ISA"|1="EISA"|2="PCI"|3="MCA"|4="PCMCIA"|5="Other"|6="USB"|7="Built-in"|8="Unknown"|9="Firewire/IEEE1394"|10="SBus"|11="AGP"|12="PCI-Express"|13="PCI-X"..13,C00004,0,"enumDisabledEnabled","",-1="Unknown"|0="Disabled"|1="Enabled"|2="Not Implemented"|3="Unknown"..13,C00005,0,"enumConnectorT

C:\Users\user\AppData\Local\Temp\scv7F5B.tmp
  Process: C:\Users\user\Desktop\ud-win-x64.exe
  File Type: PE32 executable (native) Intel 80386, for MS Windows
  Size (bytes): 14608
  Entropy (8bit): 7.210011525023092
  Encrypted: false
  MD5: 9E2EDBC9158CE01B0D7F0358A588B865
  SHA1: A3BA5D62385B231B7AF29A3A0FF4965C0C15BA0F
  SHA-256: 7FE92BC3709D87A289C14E50064E185CB2C8115AACE92043CB45678FFF8AB8A6
  SHA-512: 9847F55F387B1F6E9F06CC2B863C10ECFA7E0B33D32BD0CEC94B23527A054F4E58DA0403D80F69A40239DA36DBD73FA83279D24D10B5216CDE85B82A1FD02A00
  Malicious: false
  Preview: binary PE data (strings visible in the dump include the MZ/PE headers, sections text, .data, INIT and .reloc, the device names \DosDevices\fpnthw and \Device\fpnthw, and the SMBIOS anchors _SM_, _DMI_, _32_ and COMPAQ)

C:\Users\user\AppData\Local\Temp\scz7BFD.tmp
  Process: C:\Users\user\Desktop\ud-win-x64.exe
  File Type: gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT)
  Size (bytes): 2213
  Entropy (8bit): 7.921173810664883
  Encrypted: false
  MD5: 5E76CFB13AB64C498E216CAE4BBFCE84
  SHA1: C6EA7CC00D9C297C29EB4D66715CA6083E153C59
  SHA-256: 088359B0CC77BC8130FDFBC8449878FE523815BC7113E3973B7CDB852D4D8529
  SHA-512: 0888E522E01010E4897A7007CA254A4BCCD791EFCE7FF6A0FFFC9555A0245E348EA3F2E8AECB9EA81AE80ED0A641CFD745A10A15B02D1AEF165AA6C308C52BA2
  Malicious: false
  Preview: compressed binary data (not readable)

C:\Users\user\Documents\20191218\PowerShell_transcript.045012.PyxYVeek.20191218213751.txt
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  Size (bytes): 29156
  Entropy (8bit): 5.427368550279428
  Encrypted: false
  MD5: 6D93B21E01BF09FAFC2C4E8ABF374154
  SHA1: 792038C2F44C6D2D4289E979036D54EEC5AE2E72
  SHA-256: 7C10B6A500D4A0F1C4C87EB0EB0710C576201A8C4026BB5FBE82FAC41309FC59
  SHA-512: ABDF30347878B8248603C2ADB102AD37CD8EB2BB9E13B94869B04042035E19FC7ED79A2C9F899EDF5B40CAB9BD1C31CAE1750CA2DAEC2E1B35BC397A33B19A75
  Malicious: false
  Preview: .**********************..Windows PowerShell transcript start..Start time: 20191218213752..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 045012 ( NT 10.0.17134.0)..Host Application: PowerShell foreach ($app in Get-AppxPackage -AllUsers) { Write-Host ($($app.name),$($app.packagefullname),$($app.version),$($app.installlocation),$($app.publisher),$($app.packagefamilyname)) -separator '####' }..Process ID: 3964..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20191218213752..**********************..PS>foreach ($app in Get-AppxPackage -AllUsers) { Write-Host ($($app.name),$($app.packagefullname),$($app.version),$($app.installlocation),$($app.publisher),$($app.packag

C:\Users\user\Documents\20191218\PowerShell_transcript.045012.aZzJqfDL.20191218213800.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 4214
Entropy (8bit): 5.247370765053983
Encrypted: false
MD5: CD898AB4DCDC28725E615D5203324CE2
SHA1: 09DB5139516CC3E3587A1C21965DFDFBF27CA6BE
SHA-256: 14174778B15DAD2B09B61EA286F9D2ACFF8BEC148A2BD9D9247C263CB6208317
SHA-512: 8BD47753E2AD5B5B9B66882F033E71EBF38E4D50A767F848128D8800B4F7A7E48A563A14ABE9FE4B41EC20F2ADAB32063DD861B917164C961B3B5780E657CA65
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20191218213800..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 045012 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass foreach ($pkg in Get-AppvClientPackage) { Write-Host $($pkg.PackageId)`t$($pkg.VersionId)`t$($pkg.Name)`t$($pkg.Version) }..Process ID: 4412..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20191218213800..**********************..PS>foreach ($pkg in Get-AppvClientPackage) { Write-Host $($pkg.PackageId)`t$($pkg.VersionId)`t$($pkg.N

\Device\ConDrv
Process: C:\Users\user\Desktop\ud-win-x64.exe
File Type: ASCII text, with CRLF, CR line terminators
Size (bytes): 1284
Entropy (8bit): 4.56588637404355
Encrypted: false
MD5: D5D4A542EB7966126B36BFB182BDDA9D
SHA1: DC42B0ED6FB8CFBBE3DDF36333027FEF75230238
SHA-256: 7C4CA2866B430B3884BD6331A678BE53BF36DA03320E44339C873783D030943A
SHA-512: 56AB54D493C8E243BE4BB8FE1AD430FB75E38B06AFED47011B202C212E71146F5CD1003C887EF66350896F69CBBA02ACF519133199EFF6EA7F66B2485FF51CD7
Malicious: false
Preview: --... Universal Discovery v11.50.000 Build 524 win-x64... (C) Copyright 2011-2018 Micro Focus or one of its affiliates... --... + reading scanner parameters... - Low level VDD... - Debug: scan file iHours:-1, iDays:-1..... + hardware detection... detecting BIOS Data... - Get BIOS date... - Get Dell Info... - Get ROM date... - Get BIOS info... - Detect PnP... - Get SMBIOS data... - Get BIOS Extensions... - Get Asset Tag... detecting Video data... - Get Graphics card... - Get DDC Data... detecting Port data... - Detect Ports... detecting Mouse data... - Get Keyboard... - Get Mouse... detecting Disk data... - Hard Disks... - Get Floppy Disks... - Other Drives... - Get Mount Points... - Organise volume data for scan... detecting Memory Data... - Detect Total Memory... - Swap Files... detecting CPU Data... - Get CPU Type... - Get CPU Speed... detecting Operating System Data... - Locale Information... - User Profiles...

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
www.winimage.com/zLibDll1.2.3 | ud-win-x64.exe, 00000000.00000002.2160578234.0000000140001000.00000040.00020000.sdmp | false | | high
www.winimage.com/zLibDll-LHarc | ud-win-x64.exe, 00000000.00000002.2160578234.0000000140001000.00000040.00020000.sdmp | false | | high
ocsp.entrust.net03 | ud-win-x64.exe, 00000000.00000002.2156690134.0000000002160000.00000004.00000001.sdmp, scv7F5B.tmp.0.dr | false | URL Reputation: safe | unknown
www.tagvault.org/tv_extensions.xsd | ud-win-x64.exe, 00000000.00000002.2159844335.00000000030DF000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
ocsp.entrust.net02 | scv7F5B.tmp.0.dr | false | URL Reputation: safe | unknown
standards.iso.org/iso/19770/-2/ | ud-win-x64.exe | false | | high
www.entrust.net/rpa03 | scv7F5B.tmp.0.dr | false | | high
https://sectigo.com/CPS0C | ud-win-x64.exe, 00000000.00000002.2156690134.0000000002160000.00000004.00000001.sdmp, scv7F5B.tmp.0.dr | false | 0%, Virustotal, Browse; URL Reputation: safe | low
aia.entrust.net/ts1-chain256.cer01 | ud-win-x64.exe, 00000000.00000002.2156690134.0000000002160000.00000004.00000001.sdmp, scv7F5B.tmp.0.dr | false | | high
www.winimage.com/zLibDll | ud-win-x64.exe | false | | high
crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | ud-win-x64.exe, 00000000.00000002.2156690134.0000000002160000.00000004.00000001.sdmp, scv7F5B.tmp.0.dr | false | 0%, Virustotal, Browse; URL Reputation: safe | low
crl.entrust.net/ts1ca.crl0 | ud-win-x64.exe, 00000000.00000002.2156690134.0000000002160000.00000004.00000001.sdmp, scv7F5B.tmp.0.dr | false | | high
standards.iso.org/iso/19770/-2/SoftwareIdentityxmlnssoftware_identification_tagxsi:schemaLoca | ud-win-x64.exe, 00000000.00000002.2160578234.0000000140001000.00000040.00020000.sdmp | false | | high
crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | scv7F5B.tmp.0.dr | false | 0%, Virustotal, Browse; URL Reputation: safe | low
standards.iso.org/iso/19770/-2/2015/schema.xsd%s: | ud-win-x64.exe, 00000000.00000002.2160578234.0000000140001000.00000040.00020000.sdmp | false | | high
www.entrust.net/rpa0 | ud-win-x64.exe, 00000000.00000002.2156690134.0000000002160000.00000004.00000001.sdmp, scv7F5B.tmp.0.dr | false | | high
crl.entrust.net/2048ca.crl0 | scv7F5B.tmp.0.dr | false | | high
standards.iso.org/iso/19770/-2/2009/schema.xsd | ud-win-x64.exe, 00000000.00000002.2159844335.00000000030DF000.00000004.00000001.sdmp | false | | high
standards.iso.org/iso/19770/-2/2015/schema.xsd | ud-win-x64.exe | false | | high
https://curl.haxx.se/docs/http-cookies.html | ud-win-x64.exe, ud-win-x64.exe, 00000000.00000002.2160578234.0000000140001000.00000040.00020000.sdmp | false | | high
https://curl.haxx.se/docs/http-cookies.html# | ud-win-x64.exe | false | | high
ocsp.sectigo.com0$ | scv7F5B.tmp.0.dr | false | Avira URL Cloud: safe | low

Contacted IPs

No contacted IP infos

Static File Info

General

File type: MS-DOS executable, MZ for MS-DOS
Entropy (8bit): 7.99836873678222
TrID: Win64 Executable (generic) (12005/4) 74.95%; Generic Win/DOS Executable (2004/3) 12.51%; DOS Executable Generic (2002/1) 12.50%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: ud-win-x64.exe
File size: 782365
MD5: dba317e6bd40a254abd7cd4008cd15b2
SHA1: b7252da6ada2d566be734dd201889d6220d35e80
SHA256: 134eeb72c77fd330ebcc3143a10591786d92997979a8c6e8ecb80c5bf2c34400
SHA512: 31bc2146c66cabb428aea46c0101a0d8d42233818199723ad5cd34f9cb01fbbcb9c012200fa4791b723c7292cc6bc278e3ba5e17d1c6eefab829875e223cf7c2
SSDEEP: 12288:FGEgF0DXLu3XKWtwnGmfPNgcuS+f4RhVLbs2mMC+AKV5Eam54:FG9aDyt3MNgY+fWb0MrA
File Content Preview: MZ@...... !..L.!Win64 [email protected] ..d....^.\...... "...... U#...... @...... p #...... E...... P#...... `#.,.....!......

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x140235501
Entrypoint Section: .MPRESS2
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x5CB05E82 [Fri Apr 12 09:46:42 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: ad5fb88fa1e9f4ca773a9853b23bb41d

Entrypoint Preview

Instruction
push edi
push esi
push ebx
push ecx
push edx
inc ecx
push eax
dec eax
lea eax, dword ptr [00000ADEh]
dec eax
mov esi, dword ptr [eax]
dec eax
add esi, eax
dec eax
sub eax, eax
dec eax
mov edi, esi
lodsw
shl eax, 0Ch
dec eax
mov ecx, eax
push eax
lodsd
sub ecx, eax
dec eax
add esi, ecx
mov ecx, eax
push edi
inc esp
mov eax, ecx
dec ecx
mov al, byte ptr [ecx+edi+06h]
mov byte ptr [ecx+esi], al
jne 00007F8100F0C187h
inc ecx
push ecx
push ebp
sub eax, eax
lodsb
mov ecx, eax
shr ecx, 04h
push ecx
and al, 0Fh
push eax
lodsb
mov ecx, eax
add cl, byte ptr [esp]
push eax
dec eax
mov ebp, FFFFFD00h
dec eax
shl ebp, cl
pop ecx
pop eax
dec eax
shl eax, 20h
dec eax
add ecx, eax
pop eax
dec eax
mov ebx, esp
dec eax
lea esp, dword ptr [esp+ebp*2-00000E70h]
push eax
push ecx
dec eax
sub ecx, ecx
push ecx
push ecx
dec eax
mov ecx, esp
push ecx
mov dx, word ptr [edi]
shl edx, 0Ch
push edx
push edi
dec esp
lea ecx, dword ptr [ecx+08h]
dec ecx
lea ecx, dword ptr [ecx+08h]
push esi
pop edx
dec eax
sub esp, 20h
call 00007F8100F0C25Dh
dec eax
mov esp, ebx
pop ebp
inc ecx
pop ecx
pop esi
pop edx
sub edx, 00001000h
sub ecx, ecx
cmp ecx, edx
jnc 00007F8100F0C1DCh
mov ebx, ecx
lodsb
inc ecx
cmp al, FFh
jne 00007F8100F0C19Fh
mov al, byte ptr [esi]
and al, FDh
cmp al, 15h
jne 00007F8100F0C17Dh
lodsb
inc ecx
jmp 00007F8100F0C1A9h
cmp al, 8Dh
jne 00007F8100F0C19Fh
mov al, byte ptr [esi]
and al, C7h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x235000 | 0x508 | .MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x236000 | 0x72c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x21b000 | 0x10ecc | .MPRESS1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2351a4 | 0x140 | .MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.MPRESS1 | 0x1000 | 0x234000 | 0xaa200 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.MPRESS2 | 0x235000 | 0xffb | 0x1000 | False | 0.545166015625 | data | 5.95754481795 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x236000 | 0x72c | 0x800 | False | 0.40869140625 | data | 4.0469729993 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_DIALOG | 0x22d154 | 0x54 | empty | |
RT_RCDATA | 0x22d1a8 | 0x1dec | empty | English | Canada
RT_VERSION | 0x236114 | 0x362 | data | English | United States
RT_MANIFEST | 0x2364b8 | 0x272 | ASCII text, with very long lines, with CRLF line terminators | English | United States

Imports

DLL | Import
KERNEL32 | GetModuleHandleA, GetProcAddress
WS2_32.dll | getpeername
WINMM.dll | timeGetTime
VERSION.dll | VerQueryValueA
MPR.dll | WNetGetUniversalNameA
NETAPI32.dll | Netbios
USERENV.dll | LoadUserProfileA
SETUPAPI.dll | SetupOpenFileQueue
IPHLPAPI.DLL | GetIpAddrTable
PSAPI.DLL | EnumProcesses
ADVAPI32.dll | FreeSid
CRYPT32.dll | CertFreeCertificateContext
WLDAP32.dll |
Normaliz.dll | IdnToAscii
USER32.dll | GetDC
GDI32.dll | GetDeviceCaps
WINSPOOL.DRV |
SHELL32.dll | SHGetMalloc
ole32.dll | CoInitialize
OLEAUT32.dll | VariantInit

Version Infos

Description | Data
LegalCopyright | (C) Copyright 2011-2018 Micro Focus or one of its affiliates
InternalName | Win32Scanner
FileVersion | 11.50.0.524
CompanyName | Micro Focus
ProductName | Universal Discovery
ProductVersion | 11.50.0.524
FileDescription | Inventory Scanner
OriginalFilename | Win32Scanner.exe

Possible Origin

Language of compilation system Country where language is spoken Map

English Canada

English United States


Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• ud-win-x64.exe
• conhost.exe
• cmd.exe
• WMIC.exe
• cmd.exe
• WMIC.exe
• cmd.exe
• WMIC.exe
• cmd.exe
• WMIC.exe
• cmd.exe
• WMIC.exe
• cmd.exe
• WMIC.exe
• cmd.exe
• WMIC.exe
• cmd.exe
• WMIC.exe
• cmd.exe
• powershell.exe
• powershell.exe


System Behavior

Analysis Process: ud-win-x64.exe PID: 4816 Parent PID: 4268

General

Start time: 21:36:55
Start date: 18/12/2019
Path: C:\Users\user\Desktop\ud-win-x64.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\ud-win-x64.exe'
Imagebase: 0x140000000
File size: 782365 bytes
MD5 hash: DBA317E6BD40A254ABD7CD4008CD15B2
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Columns: Source File Path; Access; Attributes; Options; Completion; Count; Address; Symbol
C:\Users\user\AppData\Local\Temp\sct7BFC.tmp (access: read attributes | synchronize | generic read; attributes: normal; options: synchronous io non alert | non directory file; completion: success or wait; count: 1; address: 1400B1FA0; symbol: GetTempFileNameA)
C:\Users\user\AppData\Local\Temp\scz7BFD.tmp (access: read attributes | synchronize | generic read; attributes: normal; options: synchronous io non alert | non directory file; completion: success or wait; count: 1; address: 1400B1FA0; symbol: GetTempFileNameA)
C:\Users\user\AppData\Local\Temp\scv7C2D.tmp (access: read attributes | synchronize | generic read; attributes: normal; options: synchronous io non alert | non directory file; completion: success or wait; count: 1; address: 1400B1FA0; symbol: GetTempFileNameA)
C:\ProgramData\Micro Focus (access: read data or list directory | synchronize; attributes: normal; options: directory file | synchronous io non alert | open for backup ident | open reparse point; completion: success or wait; count: 1; address: 14014D92C; symbol: CreateDirectoryA)
C:\ProgramData\Micro Focus\Universal-Discovery (access: read data or list directory | synchronize; attributes: normal; options: directory file | synchronous io non alert | open for backup ident | open reparse point; completion: success or wait; count: 1; address: 14014D92C; symbol: CreateDirectoryA)
C:\ProgramData\Micro Focus\Universal-Discovery\scd7F5A.tmp (access: read attributes | synchronize | generic read; attributes: normal; options: synchronous io non alert | non directory file; completion: success or wait; count: 1; address: 1400B1FA0; symbol: GetTempFileNameA)
C:\Users\user\AppData\Local\Temp\scv7F5B.tmp (access: read attributes | synchronize | generic read; attributes: normal; options: synchronous io non alert | non directory file; completion: success or wait; count: 1; address: 1400B1FA0; symbol: GetTempFileNameA)
C:\ProgramData\Micro Focus\Universal-Discovery\scd7F8B.tmp (access: read attributes | synchronize | generic read; attributes: normal; options: synchronous io non alert | non directory file; completion: success or wait; count: 1; address: 1400B1FA0; symbol: GetTempFileNameA)
C:\ProgramData\Micro Focus\Universal-Discovery\local$.log (access: read attributes | synchronize | generic read | generic write; attributes: normal; options: synchronous io non alert | non directory file; completion: success or wait; count: 1; address: 14015A84C; symbol: CreateFileA)
C:\ProgramData\Micro Focus\Universal-Discovery\scd7FBB.tmp (access: read attributes | synchronize | generic read; attributes: normal; options: synchronous io non alert | non directory file; completion: success or wait; count: 1; address: 1400B1FA0; symbol: GetTempFileNameA)
C:\Users\user\AppData\Local\Temp\sct8FF8.tmp (access: read attributes | synchronize | generic read; attributes: normal; options: synchronous io non alert | non directory file; completion: success or wait; count: 1; address: 1400B1FA0; symbol: GetTempFileNameA)

File Deleted

Source File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\sct7BFC.tmp | success or wait | 1 | 14014D8D2 | DeleteFileA
C:\Users\user\AppData\Local\Temp\scz7BFD.tmp | success or wait | 1 | 14014D8D2 | DeleteFileA
C:\Users\user\AppData\Local\Temp\scv7C2D.tmp | success or wait | 1 | 14014D8D2 | DeleteFileA
C:\ProgramData\Micro Focus\Universal-Discovery\scd7F5A.tmp | success or wait | 1 | 14014D8D2 | DeleteFileA
C:\Users\user\AppData\Local\Temp\scv7F5B.tmp | success or wait | 1 | 14014D8D2 | DeleteFileA
C:\ProgramData\Micro Focus\Universal-Discovery\scd7F8B.tmp | success or wait | 1 | 14014D8D2 | DeleteFileA
C:\ProgramData\Micro Focus\Universal-Discovery\scd7FBB.tmp | success or wait | 1 | 14014D8D2 | DeleteFileA

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol \Device\ConDrv unknown 4 20 20 2d 2d -- success or wait 144 14014D285 WriteFile

C:\Users\user\AppData\Local\Temp\scz7BFD.tmp unknown 2213 1f 8b 08 00 00 00 00 ...... \{o.H...... H..... success or wait 1 14014D501 WriteFile 00 00 00 ed 5c 7b 6f .2z..Z.. 96 b9 cb 71 8c 14 27 b8 ab 7e f5 ae 2e fc 98 2f b6 47 c7 64 b2 60 88 13 8f 3a 88 23 85 af e7 f8 9f 15 7f 8a 5d b7 72 fd d3 df 14 e5 8b 3d 9e 74 d1 77 8f 3d 60 e6 03 55 44 41 28 af d7 2a d7 17 5f 7e c9 ad 27 4c 84 96 30 9d 87 4c a9 f5 98 69 88 5f 49 91 41 0b 18 36 6b 31 f1 80 79 ce c2 e6 e5 da e9 7a c0 28 a1 2b 60 94 2a 7b 96 81 90 e9 1c ad bd a5 7a 8e 24 cf da 42 1c 6f 3c cf 19 a1 13 e0 d3 95 be cd 95 9a 96 b5 41 50 c6 dc 4e 0b fb 36 23 73 9e 48 dd b0 b7 f0 18 2d 5c ae 74 e8 2b a6 dc 63 6b c5 b2 11 a5 98 05 60 69 c6 18 4d a2 84 90 fe 59 d7 3e 83 32 7a ed d7 5a fd d7 C:\Users\user\AppData\Local\Temp\scv7C2D.tmp unknown 4096 31 33 2c 43 30 30 30 13,C00000,0,"enumDumm success or wait 53 14014D501 WriteFile 30 30 2c 30 2c 22 65 y","",0=" 6e 75 6d 44 75 6d 6d "..13,C00001,0,"enumBool 79 22 2c 22 22 2c 30 ","",0 3d 22 22 0d 0a 31 33 ="No"|1="Yes"..13,C00002 2c 43 30 30 30 30 31 ,0,"en 2c 30 2c 22 65 6e 75 umCPUIntelBrand","",1="In 6d 42 6f 6f 6c 22 2c tel Celeron"|2="Intel 22 22 2c 30 3d 22 4e Pentium III"|3="Intel 6f 22 7c 31 3d 22 59 Pentium III Xeon"|4="Intel 65 73 22 0d 0a 31 33 Pentium III"|6="Mobile Intel 2c 43 30 30 30 30 32 Pentium III"|7="Mobile Intel 2c 30 2c 22 65 6e 75 Celeron"|8= 6d 43 50 55 49 6e 74 65 6c 42 72 61 6e 64 22 2c 22 22 2c 31 3d 22 49 6e 74 65 6c 20 43 65 6c 65 72 6f 6e 22 7c 32 3d 22 49 6e 74 65 6c 20 50 65 6e 74 69 75 6d 20 49 49 49 22 7c 33 3d 22 49 6e 74 65 6c 20 50 65 6e 74 69 75 6d 20 49 49 49 20 58 65 6f 6e 22 7c 34 3d 22 49 6e 74 65 6c 20 50 65 6e 74 69 75 6d 20 49 49 49 22 7c 36 3d 22 4d 6f 62 69 6c 65 20 49 6e 74 65 6c 20 50 65 6e 74 69 75 6d 20 49 49 49 22 7c 37 3d 22 4d 6f 62 69 6c 65 20 49 6e 74 65 6c 20 43 65 6c 65 72 6f 6e 22 7c 38 3d

C:\Users\user\AppData\Local\Temp\scv7C2D.tmp unknown 701 22 2c 30 2c 24 43 30 ",0,$C00001..5,1825,1820, success or wait 1 14014D501 WriteFile 30 30 30 31 0d 0a 35 "hwsm 2c 31 38 32 35 2c 31 biosOnboardDeviceTypeIn 38 32 30 2c 22 68 77 stance","Device Type 73 6d 62 69 6f 73 4f Instance",0,"int 6e 62 6f 61 72 64 44 "..5,1826,1820,"hwsmbios 65 76 69 63 65 54 79 Onboar 70 65 49 6e 73 74 61 dDeviceSegmentGroupNu 6e 63 65 22 2c 22 44 mber","Segment Group 65 76 69 63 65 20 54 Number",0,"int"..5 79 70 65 20 49 6e 73 ,1827,1820,"hwsmbiosOnb 74 61 6e 63 65 22 2c oardDev 30 2c 22 69 6e 74 22 iceBusNumber","Bus 0d 0a 35 2c 31 38 32 Number",0,"int"..5,1828,18 36 2c 31 38 32 30 2c 22 68 77 73 6d 62 69 6f 73 4f 6e 62 6f 61 72 64 44 65 76 69 63 65 53 65 67 6d 65 6e 74 47 72 6f 75 70 4e 75 6d 62 65 72 22 2c 22 53 65 67 6d 65 6e 74 20 47 72 6f 75 70 20 4e 75 6d 62 65 72 22 2c 30 2c 22 69 6e 74 22 0d 0a 35 2c 31 38 32 37 2c 31 38 32 30 2c 22 68 77 73 6d 62 69 6f 73 4f 6e 62 6f 61 72 64 44 65 76 69 63 65 42 75 73 4e 75 6d 62 65 72 22 2c 22 42 75 73 20 4e 75 6d 62 65 72 22 2c 30 2c 22 69 6e 74 22 0d 0a 35 2c 31 38 32 38 2c 31 38 C:\Users\user\AppData\Local\Temp\scv7F5B.tmp unknown 4096 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 3 14014D501 WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... i...-zc.-zc.- 00 00 00 00 00 00 00 zc.-zc..zc.+Yi.,zc.Rich- 00 00 00 00 00 00 00 zc...... 00 00 00 00 00 00 00 ....PE..L...... D...... 00 00 00 b8 00 00 00 ...... `...`...@...... 0e 1f ba 0e 00 b4 09 ...... 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 69 1b 0d db 2d 7a 63 88 2d 7a 63 88 2d 7a 63 88 2d 7a 63 88 09 7a 63 88 2b 59 69 88 2c 7a 63 88 52 69 63 68 2d 7a 63 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 19 1e 11 44 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 20 13 00 00 00 01 00 00 00 00 00 00 60 03 00 00 60 02 00 00 40 12 00 00 00 00 01 00 20 00 00 00 20 00 00 00 04 00 00 00 04 00 00

C:\Users\user\AppData\Local\Temp\scv7F5B.tmp unknown 2320 61 27 76 ee d4 44 cf a'v..D.c..1E?.....Q..^m-...... success or wait 1 14014D501 WriteFile 63 1e 98 31 45 3f e3 ...r..d.5..}.=...... 9.N0.E.... dd f8 81 1f 51 11 2e .zW..tJ..D...... j..-..tK..YJ.M 5e 6d 2d df f0 a8 07 .K....._t...7....._.....`u..,. 85 e7 16 18 9a 72 0b ...y3..v.-S...... ,.|..q0.. 96 64 83 35 b6 f8 7d .0...... X...... Q...0...*. eb 3d a1 d5 16 9b da H...... 0..1.0...U....Entrust f0 39 f9 4e 30 97 45 .net1@0>..U...7www.entru 04 08 e3 d9 1a 7a 57 st.net/CPS_2048 incor 1a e8 74 4a 92 eb 44 c9 c3 e0 8e 2e f4 6a ad e2 2d 0b 0f 74 4b fc 86 59 4a d8 4d 91 4b 1d e8 07 80 cb 5f 74 b2 d1 d8 37 f1 c2 0b ba a5 5f e0 bb e2 c2 0b 60 75 f6 ca 2c e3 0c e5 b9 79 33 14 c7 76 03 2d 53 dc be f0 9f 2e fa 1e 91 b5 b9 2c 92 7c 16 e9 71 30 82 05 13 30 82 03 fb a0 03 02 01 02 02 0c 58 da 13 ff 00 00 00 00 51 ce 0d f7 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 b4 31 14 30 12 06 03 55 04 0a 13 0b 45 6e 74 72 75 73 74 2e 6e 65 74 31 40 30 3e 06 03 55 04 0b 14 37 77 77 77 2e 65 6e 74 72 75 73 74 2e 6e 65 74 2f 43 50 53 5f 32 30 34 38 20 69 6e 63 6f 72 C:\ProgramData\Micro Focus\Universal-Discovery\local$.log unknown 377 5b 32 30 31 39 2d 31 [2019-12-18 21:36:55] success or wait 1 14014D501 WriteFile 32 2d 31 38 20 32 31 Logging started..[2019-12- 3a 33 36 3a 35 35 5d 18 21:36:55] --..[2019-12- 20 4c 6f 67 67 69 6e 18 21:36:55] Universal 67 20 73 74 61 72 74 Discovery v11.50.000 65 64 0d 0a 5b 32 30 Build 524 win-x64..[2019- 31 39 2d 31 32 2d 31 12-18 21:36:55] (C) 38 20 32 31 3a 33 36 Copyright 2011-2018 3a 35 35 5d 20 20 20 Micro Focus or one of its 2d 2d 0d 0a 5b 32 30 affiliates..[2019-12-18 2 31 39 2d 31 32 2d 31 1:36:55] --.. 
38 20 32 31 3a 33 36 3a 35 35 5d 20 20 20 55 6e 69 76 65 72 73 61 6c 20 44 69 73 63 6f 76 65 72 79 20 76 31 31 2e 35 30 2e 30 30 30 20 42 75 69 6c 64 20 35 32 34 20 77 69 6e 2d 78 36 34 0d 0a 5b 32 30 31 39 2d 31 32 2d 31 38 20 32 31 3a 33 36 3a 35 35 5d 20 20 20 28 43 29 20 43 6f 70 79 72 69 67 68 74 20 32 30 31 31 2d 32 30 31 38 20 4d 69 63 72 6f 20 46 6f 63 75 73 20 6f 72 20 6f 6e 65 20 6f 66 20 69 74 73 20 61 66 66 69 6c 69 61 74 65 73 0d 0a 5b 32 30 31 39 2d 31 32 2d 31 38 20 32 31 3a 33 36 3a 35 35 5d 20 20 20 2d 2d 0d 0a C:\ProgramData\Micro Focus\Universal-Discovery\local$.log unknown 75 4c 6f 67 20 66 69 6c Log file created: success or wait 134 14014D501 WriteFile 65 20 63 72 65 61 74 C:\ProgramData\Micro 65 64 3a 20 43 3a 5c Focus\Universal-Disco 50 72 6f 67 72 61 6d very\local$.log 44 61 74 61 5c 4d 69 63 72 6f 20 46 6f 63 75 73 5c 55 6e 69 76 65 72 73 61 6c 2d 44 69 73 63 6f 76 65 72 79 5c 6c 6f 63 61 6c 24 2e 6c 6f 67

C:\Users\user\AppData\Local\Temp\sct8FF8.tmp unknown 32 1f 54 65 6d 70 6f 72 .Temporary IDD scanner success or wait 15 14014D501 WriteFile 61 72 79 20 49 44 44 data file 20 73 63 61 6e 6e 65 72 20 64 61 74 61 20 66 69 6c 65

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Users\user\Desktop\ud-win-x64.exe unknown 4096 success or wait 7 14014C811 ReadFile C:\Users\user\Desktop\ud-win-x64.exe unknown 512 success or wait 1 14014C811 ReadFile C:\Users\user\Desktop\ud-win-x64.exe unknown 512 success or wait 1 14014C811 ReadFile C:\Users\user\Desktop\ud-win-x64.exe unknown 512 success or wait 1 14014C811 ReadFile C:\Users\user\AppData\Local\Temp\scz7BFD.tmp unknown 16384 success or wait 1 14014C811 ReadFile C:\Users\user\AppData\Local\Temp\scz7BFD.tmp unknown 14171 end of file 1 14014C811 ReadFile C:\Users\user\Desktop\ud-win-x64.exe unknown 4 success or wait 3 14014C811 ReadFile C:\Users\user\Desktop\ud-win-x64.exe unknown 16384 success or wait 4 14014C811 ReadFile C:\Users\user\Desktop\ud-win-x64.exe unknown 12288 end of file 1 14014C811 ReadFile C:\Users\user\AppData\Local\Temp\scv7C2D.tmp unknown 1024 success or wait 213 14014C811 ReadFile C:\Users\user\AppData\Local\Temp\scv7C2D.tmp unknown 1024 end of file 1 14014C811 ReadFile unknown unknown 95 success or wait 29 140069157 ReadFile C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run unknown 1024 success or wait 1 14014C811 ReadFile Extensibility Component 64-bit Registration.swidtag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run unknown 1024 success or wait 1 14014C811 ReadFile Extensibility Component 64-bit Registration.swidtag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run unknown 952 end of file 1 14014C811 ReadFile Extensibility Component 64-bit Registration.swidtag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run unknown 1024 success or wait 1 14014C811 ReadFile Extensibility Component.swidtag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run unknown 1024 success or wait 1 14014C811 ReadFile 
Extensibility Component.swidtag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run unknown 972 end of file 1 14014C811 ReadFile Extensibility Component.swidtag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run unknown 1024 success or wait 1 14014C811 ReadFile Licensing Component.swidtag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run unknown 1024 success or wait 1 14014C811 ReadFile Licensing Component.swidtag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run unknown 976 end of file 1 14014C811 ReadFile Licensing Component.swidtag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run unknown 1024 success or wait 1 14014C811 ReadFile Localization Component.swidtag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run unknown 1024 success or wait 1 14014C811 ReadFile Localization Component.swidtag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run unknown 973 end of file 1 14014C811 ReadFile Localization Component.swidtag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swid unknown 1024 success or wait 1 14014C811 ReadFile tag C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swid unknown 31 end of file 1 14014C811 ReadFile tag C:\ProgramData\Microsoft\Windows\\Programs\Accessibility\Speech Recognition.lnk unknown 76 success or wait 1 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Speech Recognition.lnk unknown 2 success or wait 2 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Speech Recognition.lnk unknown 2 success or wait 4 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input 
Panel.lnk unknown 76 success or wait 1 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk unknown 2 success or wait 2 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk unknown 76 success or wait 1 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk unknown 2 success or wait 2 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\.lnk unknown 76 success or wait 1 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Quick Assist.lnk unknown 2 success or wait 2 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Quick Assist.lnk unknown 2 success or wait 2 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop unknown 76 success or wait 1 14014C811 ReadFile Connection.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop unknown 2 success or wait 2 14014C811 ReadFile Connection.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop unknown 2 success or wait 2 14014C811 ReadFile Connection.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\.lnk unknown 76 success or wait 1 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk unknown 2 success or wait 2 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Steps Recorder.lnk unknown 76 success or wait 1 14014C811 ReadFile

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Steps Recorder.lnk unknown 2 success or wait 2 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character unknown 76 success or wait 1 14014C811 ReadFile Map.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character unknown 2 success or wait 2 14014C811 ReadFile Map.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\.lnk unknown 76 success or wait 1 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk unknown 2 success or wait 2 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\.lnk unknown 76 success or wait 1 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Media Player.lnk unknown 2 success or wait 2 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Media Player.lnk unknown 2 success or wait 4 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk unknown 76 success or wait 1 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk unknown 2 success or wait 2 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk unknown 76 success or wait 2 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk unknown 2 success or wait 2 14014C811 ReadFile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Servic unknown 76 success or wait 1 14014C811 ReadFile es.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Servic unknown 2 success or wait 2 14014C811 ReadFile es.lnk C:\ProgramData\Microsoft\Windows\Start 
Menu\Programs\Administrative Tools\Computer Management.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk unknown 2 success or wait 4 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\dfrgui.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\dfrgui.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\dfrgui.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Event Viewer.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Event Viewer.lnk unknown 2 success or wait 4 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (32-bit).lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (32-bit).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (32-bit).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Print Management.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Print Management.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\RecoveryDrive.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\RecoveryDrive.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Information.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Information.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows Defender Firewall with Advanced Security.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows Defender Firewall with Advanced Security.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows Defender Firewall with Advanced Security.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\AutoIt Help File.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\AutoIt Help File.lnk unknown 4 success or wait 46 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\AutoIt Help File.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\AutoIt Help File.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x64).lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x64).lnk unknown 4 success or wait 51 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x64).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x64).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x86).lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x86).lnk unknown 4 success or wait 47 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x86).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x86).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Check For Updates.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Check For Updates.lnk unknown 4 success or wait 47 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Check For Updates.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Check For Updates.lnk unknown 2 success or wait 4 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile script to .exe (x64).lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile script to .exe (x64).lnk unknown 4 success or wait 59 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile script to .exe (x64).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile script to .exe (x64).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile script to .exe (x86).lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile script to .exe (x86).lnk unknown 4 success or wait 55 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile script to .exe (x86).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile script to .exe (x86).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Examples.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Examples.lnk unknown 4 success or wait 44 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Examples.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Examples.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoIt v3 Website.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoIt v3 Website.lnk unknown 4 success or wait 57 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoIt v3 Website.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoIt v3 Website.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\AutoItX Help File.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\AutoItX Help File.lnk unknown 4 success or wait 55 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\AutoItX Help File.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\AutoItX Help File.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\VBscript Examples.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\VBscript Examples.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\VBscript Examples.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\Browse Extras.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\Browse Extras.lnk unknown 4 success or wait 42 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\Browse Extras.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\Browse Extras.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Run script (x64).lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Run script (x64).lnk unknown 4 success or wait 51 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Run script (x64).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Run script (x64).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Run script (x86).lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Run script (x86).lnk unknown 4 success or wait 47 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Run script (x86).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Run script (x86).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\SciTE script Editor.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\SciTE script Editor.lnk unknown 4 success or wait 51 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\SciTE script Editor.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\SciTE script Editor.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk unknown 4 success or wait 68 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk unknown 4 success or wait 55 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk unknown 4 success or wait 64 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk unknown 2 success or wait 4 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immersive .lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immersive Control Panel.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immersive Control Panel.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\About Java.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\About Java.lnk unknown 4 success or wait 61 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\About Java.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\About Java.lnk unknown 2 success or wait 4 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Check For Updates.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Check For Updates.lnk unknown 4 success or wait 61 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Check For Updates.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Check For Updates.lnk unknown 2 success or wait 4 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Configure Java.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Configure Java.lnk unknown 4 success or wait 61 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Configure Java.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Configure Java.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Language Preferences.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Language Preferences.lnk unknown 4 success or wait 70 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Language Preferences.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Language Preferences.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Upload Center.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Upload Center.lnk unknown 4 success or wait 67 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Upload Center.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Upload Center.lnk unknown 2 success or wait 4 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk unknown 4 success or wait 70 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook.lnk unknown 4 success or wait 70 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk unknown 4 success or wait 71 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Task Manager.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Task Manager.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk unknown 4 success or wait 70 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk unknown 4 success or wait 52 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk unknown 2 success or wait 4 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Window Registry Repair\Free Window Registry Repair home.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Window Registry Repair\Free Window Registry Repair home.lnk unknown 4 success or wait 67 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Window Registry Repair\Free Window Registry Repair home.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Window Registry Repair\Free Window Registry Repair.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Window Registry Repair\Free Window Registry Repair.lnk unknown 4 success or wait 67 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Window Registry Repair\Free Window Registry Repair.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Window Registry Repair\Uninstall Free Window Registry Repair.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Window Registry Repair\Uninstall Free Window Registry Repair.lnk unknown 4 success or wait 66 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Window Registry Repair\Uninstall Free Window Registry Repair.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk unknown 4 success or wait 65 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Recycle Bin.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk unknown 4 success or wait 62 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk unknown 2 success or wait 4 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE (x86).lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE (x86).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE (x86).lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE.lnk unknown 76 success or wait 1 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk unknown 4 success or wait 62 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk unknown 2 success or wait 4 14014C811 ReadFile
C:\Users\user\Desktop\Word.lnk unknown 76 success or wait 4 14014C811 ReadFile
C:\Users\user\Desktop\Word.lnk unknown 4 success or wait 70 14014C811 ReadFile
C:\Users\user\Desktop\Word.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\Public\Desktop\Acrobat Reader DC.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\Public\Desktop\Acrobat Reader DC.lnk unknown 4 success or wait 71 14014C811 ReadFile
C:\Users\Public\Desktop\Acrobat Reader DC.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\Public\Desktop\Firefox.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\Public\Desktop\Firefox.lnk unknown 4 success or wait 55 14014C811 ReadFile
C:\Users\Public\Desktop\Firefox.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\Public\Desktop\Firefox.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\Public\Desktop\Google Chrome.lnk unknown 76 success or wait 2 14014C811 ReadFile
C:\Users\Public\Desktop\Google Chrome.lnk unknown 4 success or wait 64 14014C811 ReadFile
C:\Users\Public\Desktop\Google Chrome.lnk unknown 2 success or wait 2 14014C811 ReadFile
C:\Users\Public\Desktop\Google Chrome.lnk unknown 2 success or wait 4 14014C811 ReadFile
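The read lengths in the table above are not arbitrary: every shortcut is first read in one 76-byte chunk, which is exactly the fixed size of the ShellLinkHeader in the MS-SHLLINK format (HeaderSize = 0x4C), and the 2-byte reads that follow match the size fields of the structures behind it (IDListSize of the LinkTargetIDList and the CountCharacters prefix of each StringData entry). The 4-byte reads are consistent with LinkInfo fields, although the report itself does not say what the sample does with the data. The pattern is therefore a shortcut parser enumerating installed software, not a bulk file read. The following parser, added here as an example and not code from the report or from the sample, reproduces that read sequence on a constructed .lnk; the shortcut bytes, the target path and the arguments are made up for the example, the field layout follows the public format.

```python
"""Added example (not from the Joe Sandbox report): a minimal MS-SHLLINK (.lnk)
reader that records every read it performs, so the 76-byte / 2-byte / 4-byte
ReadFile pattern in the table above can be reproduced on a constructed shortcut."""
import io
import struct

LNK_HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size: 76 bytes
# CLSID {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits used here (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80


class TracingReader:
    """Sequential reader that logs (offset, length) per read, like the ReadFile rows."""

    def __init__(self, data: bytes):
        self._f = io.BytesIO(data)
        self.reads = []

    def read(self, n: int) -> bytes:
        off = self._f.tell()
        buf = self._f.read(n)
        if len(buf) != n:
            raise ValueError(f"truncated .lnk: wanted {n} bytes at offset {off}, got {len(buf)}")
        self.reads.append((off, n))
        return buf


def _read_string(r: TracingReader, unicode: bool) -> str:
    # StringData entry: 2-byte CountCharacters, then that many characters, no terminator
    (count,) = struct.unpack("<H", r.read(2))
    if unicode:
        return r.read(count * 2).decode("utf-16-le")
    return r.read(count).decode("cp1252")


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip IDList and LinkInfo, extract StringData, return the read trace."""
    r = TracingReader(data)
    hdr = r.read(LNK_HEADER_SIZE)                          # the 76-byte read
    header_size, clsid, flags = struct.unpack_from("<I16sI", hdr, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    out = {"flags": flags}
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack("<H", r.read(2))   # 2-byte IDListSize
        r.read(idlist_size)                                # IDList body, skipped
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack("<I", r.read(4))  # 4-byte LinkInfoSize
        r.read(link_info_size - 4)                          # rest of LinkInfo, skipped
    unicode = bool(flags & IS_UNICODE)
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            out[key] = _read_string(r, unicode)           # 2-byte count, then the string
    out["reads"] = r.reads
    return out


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test shortcut (not a file from the report): header, one-item IDList,
    minimal LinkInfo with no volume data, and two UTF-16 StringData entries."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, 3 timestamps, size, icon, SW_SHOWNORMAL, hotkey, reserved
    idlist = b"\x04\x00\x1f\x50" + b"\x00\x00"              # one 4-byte ItemID, then TerminalID
    idlist = struct.pack("<H", len(idlist)) + idlist          # IDListSize prefix
    link_info = struct.pack("<IIIIIII", 0x1C + 1, 0x1C, 0, 0, 0, 0, 0x1C) + b"\x00"  # flags=0, empty CommonPathSuffix

    def string_data(text: str) -> bytes:                      # IS_UNICODE is set, so UTF-16LE
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + idlist + link_info + string_data(relative_path) + string_data(arguments)


SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c whoami")

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed["relative_path"], parsed["arguments"])
    print([n for _, n in parsed["reads"]])
```

Run against the constructed shortcut the trace starts 76, 2, ..., 4, ..., 2, exactly the lengths the sandbox logged for each .lnk, with the remaining reads being the variable-length bodies. The same parser is what a forensic analyst uses on shortcuts in the other direction: the RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings are where a malicious .lnk hides its payload, and the header check rejects files that merely carry the extension.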

Registry Activities

Key Created

Source Key Path Completion Count Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Hewlett-Packard success or wait 1 140076A58 RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Hewlett-Packard\Universal Discovery success or wait 1 140076A58 RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Hewlett-Packard\Universal Discovery\V1 success or wait 1 140076A58 RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Hewlett-Packard\Universal Discovery\V1\Options success or wait 1 140076A58 RegCreateKeyExA

Analysis Process: conhost.exe PID: 904 Parent PID: 4816

General

Start time: 21:36:55
Start date: 18/12/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff642e80000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: cmd.exe PID: 5028 Parent PID: 4816

General

Start time: 21:36:58
Start date: 18/12/2019
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /C wmic diskdrive get Name, MediaType
Imagebase: 0x7ff7c7c80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: WMIC.exe PID: 4232 Parent PID: 5028

General

Start time: 21:36:58
Start date: 18/12/2019
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic diskdrive get Name, MediaType
Imagebase: 0x7ff6303b0000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: cmd.exe PID: 4272 Parent PID: 4816

General

Start time: 21:37:00
Start date: 18/12/2019
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /C wmic logicaldisk where 'DeviceID='C:'' get size
Imagebase: 0x7ff7c7c80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: WMIC.exe PID: 4568 Parent PID: 4272

General

Start time: 21:37:00
Start date: 18/12/2019
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic logicaldisk where 'DeviceID='C:'' get size
Imagebase: 0x7ff6303b0000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: cmd.exe PID: 4796 Parent PID: 4816

General

Start time: 21:37:02
Start date: 18/12/2019
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /C wmic logicaldisk where 'DeviceID='\\?\Volume{3a2f58e8-0000-0000-0000-100000000000}'' get size
Imagebase: 0x7ff7c7c80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: WMIC.exe PID: 5040 Parent PID: 4796

General

Start time: 21:37:02
Start date: 18/12/2019
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic logicaldisk where 'DeviceID='\\?\Volume{3a2f58e8-0000-0000-0000-100000000000}'' get size
Imagebase: 0x7ff6303b0000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: cmd.exe PID: 4668 Parent PID: 4816

General

Start time: 21:37:05
Start date: 18/12/2019
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /C wmic PAGEFILESET GET MaximumSize /value < %SystemRoot%\win.ini
Imagebase: 0x7ff7c7c80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: WMIC.exe PID: 3012 Parent PID: 4668

General

Start time: 21:37:05
Start date: 18/12/2019
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic PAGEFILESET GET MaximumSize /value
Imagebase: 0x7ff6303b0000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: cmd.exe PID: 2576 Parent PID: 4816

General

Start time: 21:37:07
Start date: 18/12/2019
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /C wmic path Win32_Processor get Name /value < %SystemRoot%\win.ini
Imagebase: 0x7ff7c7c80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: WMIC.exe PID: 1816 Parent PID: 2576

General

Start time: 21:37:07
Start date: 18/12/2019
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic path Win32_Processor get Name /value
Imagebase: 0x7ff6303b0000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: cmd.exe PID: 4424 Parent PID: 4816

General

Start time: 21:37:08
Start date: 18/12/2019
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /C wmic path Win32_Processor get NumberOfCores /value < %SystemRoot%\win.ini
Imagebase: 0x7ff7c7c80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: WMIC.exe PID: 1256 Parent PID: 4424

General

Start time: 21:37:08
Start date: 18/12/2019
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic path Win32_Processor get NumberOfCores /value
Imagebase: 0x7ff6303b0000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: cmd.exe PID: 4220 Parent PID: 4816

General

Start time: 21:37:11
Start date: 18/12/2019
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /C wmic path Win32_Processor get Name /value < %SystemRoot%\win.ini
Imagebase: 0x7ff7c7c80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: WMIC.exe PID: 3020 Parent PID: 4220

General

Start time: 21:37:11
Start date: 18/12/2019
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic path Win32_Processor get Name /value
Imagebase: 0x7ff6303b0000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: cmd.exe PID: 4552 Parent PID: 4816

General

Start time: 21:37:13
Start date: 18/12/2019
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /C wmic path Win32_OperatingSystem get InstallDate
Imagebase: 0x7ff7c7c80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: WMIC.exe PID: 3428 Parent PID: 4552

General

Start time: 21:37:13
Start date: 18/12/2019
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic path Win32_OperatingSystem get InstallDate
Imagebase: 0x7ff6303b0000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: cmd.exe PID: 4516 Parent PID: 4816

General

Start time: 21:37:50
Start date: 18/12/2019
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /C PowerShell foreach ($app in Get-AppxPackage -AllUsers) { Write-Host ($($app.name),$($app.packagefullname),$($app.version),$($app.installlocation),$($app.publisher),$($app.packagefamilyname)) -separator '####' }
Imagebase: 0x7ff7c7c80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: powershell.exe PID: 3964 Parent PID: 4516

General

Start time: 21:37:50
Start date: 18/12/2019
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: PowerShell foreach ($app in Get-AppxPackage -AllUsers) { Write-Host ($($app.name),$($app.packagefullname),$($app.version),$($app.installlocation),$($app.publisher),$($app.packagefamilyname)) -separator '####' }
Imagebase: 0x7ff71c1f0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

Analysis Process: powershell.exe PID: 4412 Parent PID: 4816

General

Start time: 21:37:59
Start date: 18/12/2019
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass 'foreach ($pkg in Get-AppvClientPackage) { Write-Host $($pkg.PackageId)`t$($pkg.VersionId)`t$($pkg.Name) `t$($pkg.Version)' }'
Imagebase: 0x1220000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
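The process list above has a recognisable shape: one throwaway cmd.exe /C wmic ... wrapper per query, each spawning its own WMIC.exe, then two PowerShell package enumerations, all reporting parent PID 4816 and all starting within about a minute of each other. That shape, rather than any single command line, is what a detection rule for WMI-based host reconnaissance should key on. The Python below is an added example written for this page; it is not Joe Sandbox output and not Joe Security code. It replays process-creation records constructed from the PIDs, parent PIDs, start times and command lines listed above (the two PowerShell command lines are shortened to the cmdlet that matters, and the image field is assumed to come from a Sysmon Event ID 1 or Security 4688 record), walks every WMIC.exe and powershell.exe child back through its cmd.exe wrapper to the process that really issued the query, maps the wmic aliases seen here to their WMI classes, and raises one alert when a single spawner issues several distinct reconnaissance queries inside a short window. The alias table, the 60-second window and the three-query threshold are assumptions of the example, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

CMD = r"C:\Windows\system32\cmd.exe /C "
# Process-creation records constructed from the report's process list
# (date 18/12/2019 in the report): (pid, ppid, start time, image, command line).
# The PowerShell command lines are shortened to the cmdlet that matters.
EVENTS = [
    (5028, 4816, "21:36:58", "cmd.exe", CMD + "wmic diskdrive get Name, MediaType"),
    (4232, 5028, "21:36:58", "WMIC.exe", "wmic diskdrive get Name, MediaType"),
    (4272, 4816, "21:37:00", "cmd.exe", CMD + "wmic logicaldisk where 'DeviceID='C:'' get size"),
    (4568, 4272, "21:37:00", "WMIC.exe", "wmic logicaldisk where 'DeviceID='C:'' get size"),
    (4796, 4816, "21:37:02", "cmd.exe", CMD + r"wmic logicaldisk where 'DeviceID='\\?\Volume{3a2f58e8-0000-0000-0000-100000000000}'' get size"),
    (5040, 4796, "21:37:02", "WMIC.exe", r"wmic logicaldisk where 'DeviceID='\\?\Volume{3a2f58e8-0000-0000-0000-100000000000}'' get size"),
    (4668, 4816, "21:37:05", "cmd.exe", CMD + r"wmic PAGEFILESET GET MaximumSize /value < %SystemRoot%\win.ini"),
    (3012, 4668, "21:37:05", "WMIC.exe", "wmic PAGEFILESET GET MaximumSize /value"),
    (2576, 4816, "21:37:07", "cmd.exe", CMD + r"wmic path Win32_Processor get Name /value < %SystemRoot%\win.ini"),
    (1816, 2576, "21:37:07", "WMIC.exe", "wmic path Win32_Processor get Name /value"),
    (4424, 4816, "21:37:08", "cmd.exe", CMD + r"wmic path Win32_Processor get NumberOfCores /value < %SystemRoot%\win.ini"),
    (1256, 4424, "21:37:08", "WMIC.exe", "wmic path Win32_Processor get NumberOfCores /value"),
    (4220, 4816, "21:37:11", "cmd.exe", CMD + r"wmic path Win32_Processor get Name /value < %SystemRoot%\win.ini"),
    (3020, 4220, "21:37:11", "WMIC.exe", "wmic path Win32_Processor get Name /value"),
    (4552, 4816, "21:37:13", "cmd.exe", CMD + "wmic path Win32_OperatingSystem get InstallDate"),
    (3428, 4552, "21:37:13", "WMIC.exe", "wmic path Win32_OperatingSystem get InstallDate"),
    (4516, 4816, "21:37:50", "cmd.exe", CMD + "PowerShell foreach ($app in Get-AppxPackage -AllUsers) { Write-Host $app.name }"),
    (3964, 4516, "21:37:50", "powershell.exe", "PowerShell foreach ($app in Get-AppxPackage -AllUsers) { Write-Host $app.name }"),
    (4412, 4816, "21:37:59", "powershell.exe",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass 'foreach ($pkg in Get-AppvClientPackage) { Write-Host $pkg.Name }'"),
]

# wmic alias -> WMI class for the aliases seen in the report (assumed table; wmic knows many more).
WMIC_ALIASES = {"diskdrive": "Win32_DiskDrive", "logicaldisk": "Win32_LogicalDisk",
                "pagefileset": "Win32_PageFileSetting"}
RECON_CMDLETS = {"get-appxpackage", "get-appvclientpackage"}   # assumed watch-list


def wmi_class(cmdline):
    """Return the WMI class a wmic command line queries ('wmic path X' or an alias), else None."""
    m = re.search(r"\bwmic\b\s+(?:path\s+(\w+)|(\w+))", cmdline, re.I)
    if not m:
        return None
    return m.group(1) or WMIC_ALIASES.get(m.group(2).lower(), m.group(2))


def describe(image, cmdline):
    """Label a record as a reconnaissance query ('wmi:<class>' / 'ps:<cmdlet>'), or None."""
    if image.lower() == "wmic.exe":
        cls = wmi_class(cmdline)
        return f"wmi:{cls}" if cls else None
    if image.lower() == "powershell.exe":
        hits = {c for c in re.findall(r"\bGet-\w+", cmdline, re.I) if c.lower() in RECON_CMDLETS}
        return "ps:" + ",".join(sorted(hits)) if hits else None
    return None


def find_spawner(pid, parents, images):
    """Walk up through cmd.exe wrappers to the process that actually issued the query."""
    ppid = parents.get(pid)
    while ppid in images and images[ppid].lower() == "cmd.exe":
        ppid = parents.get(ppid)
    return ppid


def detect(events, min_queries=3, window=timedelta(seconds=60)):
    """Return (alerts, pids using -ExecutionPolicy Bypass, pids redirecting wmic stdin from win.ini)."""
    parents = {e[0]: e[1] for e in events}
    images = {e[0]: e[3] for e in events}
    by_spawner, bypass, redirected = defaultdict(list), [], []
    for pid, _ppid, t, image, cmd in events:
        if re.search(r"-ExecutionPolicy\s+Bypass", cmd, re.I):
            bypass.append(pid)
        if re.search(r"\bwmic\b.*<\s*%SystemRoot%\\win\.ini", cmd, re.I):
            redirected.append(pid)
        label = describe(image, cmd)
        if label:
            ts = datetime.strptime(t, "%H:%M:%S")
            by_spawner[find_spawner(pid, parents, images)].append((ts, label))
    alerts = []
    for spawner, items in by_spawner.items():
        items.sort()
        for i, (t0, _) in enumerate(items):          # sliding window over this spawner's queries
            in_win = [lbl for ts, lbl in items[i:] if ts - t0 <= window]
            distinct = sorted(set(in_win))
            if len(distinct) >= min_queries:
                alerts.append({"spawner": spawner, "count": len(in_win), "queries": distinct})
                break                                  # one alert per spawner is enough
    return alerts, bypass, redirected


if __name__ == "__main__":
    alerts, bypass, redirected = detect(EVENTS)
    for a in alerts:
        print(f"spawner PID {a['spawner']}: {a['count']} recon queries within 60 s -> {a['queries']}")
    print("ExecutionPolicy Bypass:", bypass, " wmic stdin redirected from win.ini:", redirected)
```

Resolving the spawner is what makes the rule hold up: every cmd.exe in the list is a single-use wrapper with a fresh PID, so grouping on the direct parent would yield ten groups of one. Note also that the `< %SystemRoot%\win.ini` redirection is present only on the cmd.exe command lines and never on the WMIC.exe children, so a rule that inspects WMIC.exe alone cannot see it; the `redirected` list above is therefore built from the wrapper records.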

Disassembly

Code Analysis
