Automated Malware Analysis Report for Resilio-Sync X64.Exe

ID: 162486 Sample Name: Resilio- Sync_x64.exe Cookbook: default.jbs Time: 18:16:15 Date: 12/08/2019 Version: 26.0.0 Aquamarine Table of Contents

Table of Contents 2 Analysis Report Resilio-Sync_x64.exe 5 Overview 5 General Information 5 Detection 5 Confidence 6 Classification 6 Analysis Advice 7 Mitre Att&ck Matrix 7 Signature Overview 8 Bitcoin Miner: 8 Networking: 8 System Summary: 8 Data Obfuscation: 9 Persistence and Installation Behavior: 9 Boot Survival: 9 Hooking and other Techniques for Hiding and Protection: 9 Malware Analysis System Evasion: 9 Anti Debugging: 9 HIPS / PFW / Operating System Protection Evasion: 10 Language, Device and Operating System Detection: 10 Lowering of HIPS / PFW / Operating System Security Settings: 10 Remote Access Functionality: 10 Behavior Graph 10 Simulations 10 Behavior and APIs 10 Antivirus and Machine Learning Detection 11 Initial Sample 11 Dropped Files 11 Unpacked PE Files 11 Domains 11 URLs 11 Yara Overview 12 Initial Sample 12 PCAP (Network Traffic) 12 Dropped Files 12 Memory Dumps 12 Unpacked PEs 12 Joe Sandbox View / Context 12 IPs 12 Domains 12 ASN 12 JA3 Fingerprints 13 Dropped Files 13 Screenshots 13 Thumbnails 13 Startup 14 Created / dropped Files 15 Domains and IPs 21 Contacted Domains 21 Contacted URLs 21 URLs from Memory and Binaries 21 Contacted IPs 31 Public 31 Private 31 Static File Info 31 General 31 File Icon 32 Static PE Info 32 Copyright Joe Security LLC 2019 Page 2 of 85 General 32 Authenticode Signature 32 Entrypoint Preview 32 Data Directories 34 Sections 34 Resources 35 Imports 37 Version Infos 39 Possible Origin 39 Network Behavior 39 Network Port Distribution 40 TCP Packets 40 UDP Packets 41 ICMP Packets 42 DNS Queries 42 DNS Answers 42 HTTP Request Dependency Graph 43 HTTP Packets 43 HTTPS Packets 44 Code Manipulations 45 Statistics 45 Behavior 45 System Behavior 45 Analysis Process: Resilio-Sync_x64.exe PID: 3896 Parent PID: 2736 45 General 45 File Activities 46 File Created 46 File Moved 47 File Written 47 File Read 52 Registry Activities 52 Key Created 52 Key Value Created 52 Key Value Modified 54 Analysis Process: regsvr32.exe PID: 4460 Parent PID: 3896 55 General 55 File Activities 55 File Read 55 Analysis Process: regsvr32.exe PID: 3844 Parent PID: 4460 55 General 55 Registry Activities 55 Key Created 55 Key Value Created 56 Key Value Modified 56 Analysis Process: regsvr32.exe PID: 2704 Parent PID: 3896 56 General 56 Registry Activities 57 Key Created 57 Key Value Created 57 Key Value Modified 57 Analysis Process: Resilio-Sync_x64.exe PID: 2404 Parent PID: 3896 57 General 58 File Activities 58 File Created 58 File Moved 59 File Written 59 File Read 63 Registry Activities 63 Key Created 63 Key Value Created 63 Analysis Process: regsvr32.exe PID: 2880 Parent PID: 2404 63 General 63 File Activities 64 File Read 64 Analysis Process: regsvr32.exe PID: 2536 Parent PID: 2880 64 General 64 Registry Activities 64 Analysis Process: regsvr32.exe PID: 2864 Parent PID: 2404 64 General 64 Registry Activities 65 Analysis Process: Resilio Sync.exe PID: 4524 Parent PID: 2956 65 General 65 File Activities 65 Copyright Joe Security LLC 2019 Page 3 of 85 File Created 65 File Deleted 67 File Moved 67 File Written 67 File Read 79 Registry Activities 79 Analysis Process: Resilio Sync.exe PID: 2584 Parent PID: 3896 79 General 79 File Activities 79 File Created 79 File Moved 80 File Written 80 File Read 82 Analysis Process: Resilio Sync.exe PID: 2448 Parent PID: 2956 82 General 82 File Activities 82 File Created 82 File Moved 83 File Written 83 File Read 85 Disassembly 85 Code Analysis 85

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine Analysis ID: 162486 Start date: 12.08.2019 Start time: 18:16:15 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 10m 50s Hypervisor based Inspection enabled: false Report type: light Sample file name: Resilio-Sync_x64.exe Cookbook file name: default.jbs Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113 Number of analysed new started processes analysed: 18 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis stop reason: Timeout Detection: SUS Classification: sus24.winEXE@19/36@4/5 EGA Information: Failed HDC Information: Failed HCA Information: Failed Cookbook Comments: Adjust boot time Enable AMSI Found application associated with file extension: .exe Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88 Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, afdo-tas- offload.trafficmanager.net, s-0001.s-msedge.net, e- 0009.e-msedge.net, config.edge.skype.com Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 24 0 - 100 false

Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 3 0 - 5 true

Classification

Miner Spreading

mmaallliiiccciiioouusss

malicious

Evader Phishing

sssuusssppiiiccciiioouusss

suspicious

cccllleeaann

clean

Exploiter Banker

Spyware Trojan / Bot

Adware

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Privilege Defense Credential Lateral Command and Initial Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Valid Accounts Command-Line Startup Startup Modify Credential Query Remote File Data from Local Data Uncommonly Interface 1 Items 1 Items 1 Registry 1 Dumping Registry 1 Copy 2 System Encrypted 1 Used Port 1 Replication Scripting 1 New Service 1 Process Process Network Network Remote Data from Exfiltration Over Standard Through Injection 1 Injection 1 Sniffing Service Services Removable Other Network Cryptographic Removable Scanning 1 Media Medium Protocol 2 Media Drive-by Windows Registry Run New Service 1 Scripting 1 Input Capture Process Windows Data from Automated Remote Access Compromise Management Keys / Startup Discovery 1 Remote Network Shared Exfiltration Tools 1 Instrumentation Folder 1 1 1 Management Drive

Copyright Joe Security LLC 2019 Page 7 of 85 Privilege Defense Credential Lateral Command and Initial Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Exploit Public- Scheduled Task System DLL Search DLL Side- Credentials in Security Logon Scripts Input Capture Data Encrypted Remote File Facing Firmware Order Hijacking Loading 1 Files Software Copy 2 Application Discovery 2 1 Spearphishing Command-Line Shortcut File System Masquerading Account Remote System Shared Data Staged Scheduled Standard Non- Link Interface Modification Permissions Manipulation Discovery 1 Webroot Transfer Application Weakness Layer Protocol 4 Spearphishing Graphical User Modify Existing New Service DLL Search Brute Force File and Third-party Screen Capture Data Transfer Standard Attachment Interface Service Order Hijacking Directory Software Size Limits Application Discovery 1 Layer Protocol 4 Spearphishing Scripting Path Scheduled Task Software Two-Factor System Pass the Hash Email Collection Exfiltration Over Uncommonly via Service Interception Packing Authentication Information Command and Used Port Interception Discovery 2 Control Channel

Signature Overview

• Bitcoin Miner • Networking • System Summary • Data Obfuscation • Persistence and Installation Behavior • Boot Survival • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection • Lowering of HIPS / PFW / Operating System Security Settings • Remote Access Functionality

Click to jump to signature section

Bitcoin Miner:

Configures the Internet Explorer emulation mode (likely to run Javascript)

Networking:

Connects to IPs without corresponding DNS lookups

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sends SSDP (simple service discovery protocol) broadcast queries

Downloads compressed data via HTTP

Downloads files from webservers via HTTP

Performs DNS lookups

Urls found in memory or binary data

Uses HTTPS

System Summary:

Creates mutexes

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Reads the hosts file

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Classification label

Creates files inside the user directory

PE file has an executable .text section and no other executable section

Reads ini files

Reads software policies

SQL strings found in memory and binary data

Spawns processes

Uses an in-process (OLE) Automation server

Executable creates window controls seldom found in malware

Found graphical window changes (likely an installer)

Creates a software uninstall entry

PE file has a big code size

PE file has a high image base, often used for DLLs

PE file has a valid certificate

Submission file is bigger than most known malware samples

PE file has a big raw section

PE file imports many functions

PE file contains a mix of data directories often seen in goodware

Contains modern PE file flags such as dynamic base (ASLR) or NX

PE file contains a debug data directory

Binary contains paths to debug symbols

PE file contains a valid data directory to section mapping

Data Obfuscation:

PE file contains an invalid checksum

Registers a DLL

Persistence and Installation Behavior:

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Boot Survival:

Creates an undocumented autostart registry key

Stores files to the Windows start menu directory

Creates an autostart registry key

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Malware Analysis System Evasion:

Allocates memory with a write watch (potentially for evading sandboxes)

Checks the free space of harddrives

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Queries the cryptographic machine GUID

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the internet feature controls of the internet explorer

Remote Access Functionality:

Opens a port and listens for incoming connection (possibly a backdoor)

Behavior Graph

Hide Legend Legend: Process Signature Behavior Graph ID: Cr1e624a86ted File Sample: Resilio-Sync_x64.exe Startdate: DN12/0S8/2/0I1P9 Info Architecture: WINDOWS Score: 24 Is Dropped started started started Is Windows Process Resilio-Sync_x64.exe Resilio Sync.exe Resilio Sync.exe Number of created Registry Values 32 65 2 86 31 Number of created Files

bench-resilio-com-lb-1686402547.us-east-1.elb.amazonaws.com 192.16V8.2i.1s, 5u35a1 l Ba1s92i.c168.2.7, 1900, 443, 49703 34.196.17.71, 49724, 49725, 49726 i-2000.b-2-6-3.sync.bench.resilio.com dropped dropped dropped unknown unknown 4 other IPs or domains unknown unknown unknown United States Delphi

started started started started Java

C:\Users\...\ShellExtensionPath86_53C.dll, PE32 C:\Users\...\ShellExtensionPath64_53C.dll, PE32+ C:\Users\user\AppData\...\Resilio Sync.exe, PE32+ .Net C# or VB.NET

C, C++ or other language regsvr32.exe Resilio-Sync_x64.exe Resilio Sync.exe regsvr32.exe Is malicious 4 37 31 2 Internet dropped dropped

started C:\...\ShellExtensionOverlay86_53C.dll, PE32 C:\...\ShellExtensionOverlay64_53C.dll, PE32+ started started

regsvr32.exe regsvr32.exe regsvr32.exe

2 3

Creates an undocumented started autostart registry key

regsvr32.exe

Simulations

Behavior and APIs

Copyright Joe Security LLC 2019 Page 10 of 85 Time Type Description 18:17:19 API Interceptor 6x Sleep call for process: Resilio-Sync_x64.exe modified 18:17:31 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Resilio Sync C:\Users\user\AppData\Roaming\R esilio Sync\Resilio Sync.exe /MINIMIZED 18:17:39 Autostart Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Resilio Sync C:\Users\user\AppData\Roaming \Resilio Sync\Resilio Sync.exe /MINIMIZED

Antivirus and Machine Learning Detection

Initial Sample

Source Detection Scanner Label Link Resilio-Sync_x64.exe 0% virustotal Browse Resilio-Sync_x64.exe 0% metadefender Browse

Dropped Files

Source Detection Scanner Label Link C:\ProgramData\Resilio Sync\ShellExtensionOverlay64_53C.dll 0% virustotal Browse C:\ProgramData\Resilio Sync\ShellExtensionOverlay64_53C.dll 0% metadefender Browse C:\ProgramData\Resilio Sync\ShellExtensionOverlay86_53C.dll 0% virustotal Browse C:\ProgramData\Resilio Sync\ShellExtensionOverlay86_53C.dll 0% metadefender Browse C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe 0% virustotal Browse C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe 0% metadefender Browse C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPath64_53C.dll 0% virustotal Browse C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPath86_53C.dll 0% virustotal Browse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source Detection Scanner Label Link https://)y.background 0% Avira URL Cloud safe 127.0.0.1:%d/guiInstalling 0% Avira URL Cloud safe i-%d.b-%d-%d-%d.%S%S 0% Avira URL Cloud safe https://license.resilio.comdebug.txt%X 0% Avira URL Cloud safe https://%S/sync.conf 0% Avira URL Cloud safe silviomoreto.github.io/bootstrap-select/ 0% virustotal Browse silviomoreto.github.io/bootstrap-select/ 0% Avira URL Cloud safe i-%d.b-%d-%d-%d.%S%Sapid/e? 0% Avira URL Cloud safe i=%d&e=%scvbplsysverrelayTotaleventNamerandomNumberdirectTotalONWE https://%S/sync.confRequesting 0% Avira URL Cloud safe silviomoreto.github.iVH 0% Avira URL Cloud safe 0% Avira URL Cloud safe https://urlmonCoInternetGetSession.pngimage/png.gifimage/gif.htmltext/html.csstext/css.woffapplicati ocsp.thawte.com0 0% Avira URL Cloud safe ocsp.thawte.com0 0% Google Safe safe Browsing https://sync-push-proxy.resilio.com%s/get_pending_requests.phppush_tokenInvite 0% Avira URL Cloud safe https://resilio.comapp.appConfig.links.buyProLink 0% Avira URL Cloud safe https://syncdev.resilio.com%s/%sinvalid 0% Avira URL Cloud safe u.msg/loading.html 0% Avira URL Cloud safe https://orders-staging.resilio.comhttps://orders.resilio.comLC: 0% Avira URL Cloud safe https://helpfiles.resili 0% Avira URL Cloud safe %S/http://helpfiles.resilio.com/unsurvey_new.dllregsvr32.exe 0% Avira URL Cloud safe

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match Associated Sample Name / URL SHA 256 Detection Link Context 239.255.255.250 B00F2581.exe Get hash malicious Browse doc2.doc Get hash malicious Browse doc2.doc Get hash malicious Browse doc1.doc Get hash malicious Browse 68.0.3440.106_chrome_installer.exe Get hash malicious Browse ChromeSetup.exe Get hash malicious Browse 72.0.3626.119_chrome_installer.exe Get hash malicious Browse SUSPICIOUS_ccsetup553.exe Get hash malicious Browse Scan Copy.exe Get hash malicious Browse setup.exe Get hash malicious Browse geodynamics.com.pk/awpg/DOC/9f1n2wqp_p9p466- Get hash malicious Browse 0687958098/ DriverUpdate-setup.exe Get hash malicious Browse Dat_72099_8573420.doc Get hash malicious Browse 235.exe Get hash malicious Browse DATA-463086-6985047.doc Get hash malicious Browse 19DHL.exe Get hash malicious Browse Doc 72961 119673946.doc Get hash malicious Browse popcorntime.apk Get hash malicious Browse TJ 7678920-18.doc Get hash malicious Browse Attachment 8327 757076.doc Get hash malicious Browse

Domains

No context

ASN

Match Associated Sample Name / URL SHA 256 Detection Link Context unknown request.doc Get hash malicious Browse 192.168.0.44 FERK444259.doc Get hash malicious Browse 192.168.0.44 b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7 Get hash malicious Browse 192.168.0.40 f3cd4e5bb150a4.js Setup.exe Get hash malicious Browse 192.168.0.40 Copyright Joe Security LLC 2019 Page 12 of 85 Match Associated Sample Name / URL SHA 256 Detection Link Context base64.pdf Get hash malicious Browse 192.168.0.40 file.pdf Get hash malicious Browse 192.168.0.40 Spread sheet 2.pdf Get hash malicious Browse 192.168.0.40 request_08.30.doc Get hash malicious Browse 192.168.0.44 P_2038402.xlsx Get hash malicious Browse 192.168.0.44 48b1cf747a678641566cd1778777ca72.apk Get hash malicious Browse 192.168.0.22 seu nome na lista de favorecidos.exe Get hash malicious Browse 192.168.0.40 Adm_Boleto.via2.com Get hash malicious Browse 192.168.0.40 QuitacaoVotorantim345309.exe Get hash malicious Browse 192.168.0.40 pptxb.pdf Get hash malicious Browse 192.168.0.40 unknown request.doc Get hash malicious Browse 192.168.0.44 FERK444259.doc Get hash malicious Browse 192.168.0.44 b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7 Get hash malicious Browse 192.168.0.40 f3cd4e5bb150a4.js Setup.exe Get hash malicious Browse 192.168.0.40 base64.pdf Get hash malicious Browse 192.168.0.40 file.pdf Get hash malicious Browse 192.168.0.40 Spread sheet 2.pdf Get hash malicious Browse 192.168.0.40 request_08.30.doc Get hash malicious Browse 192.168.0.44 P_2038402.xlsx Get hash malicious Browse 192.168.0.44 48b1cf747a678641566cd1778777ca72.apk Get hash malicious Browse 192.168.0.22 seu nome na lista de favorecidos.exe Get hash malicious Browse 192.168.0.40 Adm_Boleto.via2.com Get hash malicious Browse 192.168.0.40 QuitacaoVotorantim345309.exe Get hash malicious Browse 192.168.0.40 pptxb.pdf Get hash malicious Browse 192.168.0.40

JA3 Fingerprints

Match Associated Sample Name / URL SHA 256 Detection Link Context 3b5074b1b5d032e5620f69f9f700ff0e TheDocBuilder.exe Get hash malicious Browse 3.215.228.230 25Katherin Order.jpg.lnk Get hash malicious Browse 3.215.228.230 43MT103_Swift Copy_TT20180226.png.lnk Get hash malicious Browse 3.215.228.230 8ENQUIRY SHEET LISTED ITEMS -201916050147.txt.lnk Get hash malicious Browse 3.215.228.230 ScreenMeet.Support.exe Get hash malicious Browse 3.215.228.230

49New Order.exe Get hash malicious Browse 3.215.228.230 OculusSetup.exe Get hash malicious Browse 3.215.228.230 37PRODUCT ORDER.exe Get hash malicious Browse 3.215.228.230 57NEW ORDER.exe Get hash malicious Browse 3.215.228.230 27MT103_Swift Copy_TT20180226.pdf.png.lnk Get hash malicious Browse 3.215.228.230 0Z4AcFFX6C.exe Get hash malicious Browse 3.215.228.230 51PO0520191799 RR COPYS.png.lnk Get hash malicious Browse 3.215.228.230 6Litigation_4023.js Get hash malicious Browse 3.215.228.230 5PURCHASE NEW ORDERS 12052019.png.lnk Get hash malicious Browse 3.215.228.230 XzoNtoP4RJ.exe Get hash malicious Browse 3.215.228.230 40OfficeIndex.rtf.lnk Get hash malicious Browse 3.215.228.230 59RFQ for FIRST 250MMSCFD TRAIN OF KM500 GAS Get hash malicious Browse 3.215.228.230 TREATMENT PLANT.exe R18347-PL& INV IMG SCAN COPYLNK.jpg.lnk Get hash malicious Browse 3.215.228.230 Get hash malicious Browse 3.215.228.230 https://s3.amazonaws.com/workmailcloud2/IMG_0191309.JP G.hta 40PURCHASE ORDER.exe Get hash malicious Browse 3.215.228.230

Dropped Files

No context

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Copyright Joe Security LLC 2019 Page 14 of 85 System is w10x64 Resilio-Sync_x64.exe (PID: 3896 cmdline: 'C:\Users\user\Desktop\Resilio-Sync_x64.exe' MD5: 97E86D489C0D6D6185C890257CF87BE7) regsvr32.exe (PID: 4460 cmdline: regsvr32.exe /s /i 'C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPath86_53C.dll' MD5: D78B75FC68247E8A63ACBA846182740E) regsvr32.exe (PID: 3844 cmdline: /s /i 'C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPath86_53C.dll' MD5: 426E7499F6A7346F0410DEAD0805586B) regsvr32.exe (PID: 2704 cmdline: regsvr32.exe /s /i 'C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPath64_53C.dll' MD5: D78B75FC68247E8A63ACBA846182740E) Resilio-Sync_x64.exe (PID: 2404 cmdline: 'C:\Users\user\Desktop\Resilio-Sync_x64.exe' /ADMINTASKS NRSDEOTJMRUTAZJUHJXGC3LFGE2DUU3VPJQW43TFEBC GC5TJMVZTIOTQMF2GQNRZHJBTUXCVONSXE424KN2XUYLONZSSARDBOZUWK424IFYHARDBORQVYUTPMFWWS3THLRJGK43JNRUW6ICTPFXGGXCSM VZWS3DJN4QFG6LOMMXGK6DFMVSDEOTJMRUTIZJUHJ2XGZLSGE2DUU3VPJQW43TFEBCGC5TJMVZWKZI MD5: 97E86D489C0D6D6185C890257CF87BE7) regsvr32.exe (PID: 2880 cmdline: regsvr32.exe /s /i 'C:\ProgramData\Resilio Sync\ShellExtensionOverlay86_53C.dll' MD5: D78B75FC68247E8A63ACBA846182740E) regsvr32.exe (PID: 2536 cmdline: /s /i 'C:\ProgramData\Resilio Sync\ShellExtensionOverlay86_53C.dll' MD5: 426E7499F6A7346F0410DEAD0805586B) regsvr32.exe (PID: 2864 cmdline: regsvr32.exe /s /i 'C:\ProgramData\Resilio Sync\ShellExtensionOverlay64_53C.dll' MD5: D78B75FC68247E8A63ACBA846182740E) Resilio Sync.exe (PID: 2584 cmdline: Resilio Sync.exe /NOINSTALL /BRINGTOFRONT MD5: 97E86D489C0D6D6185C890257CF87BE7) Resilio Sync.exe (PID: 4524 cmdline: 'C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe' /MINIMIZED MD5: 97E86D489C0D6D6185C890257CF87BE7) Resilio Sync.exe (PID: 2448 cmdline: 'C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe' /MINIMIZED MD5: 97E86D489C0D6D6185C890257CF87BE7) cleanup

Created / dropped Files

C:\ProgramData\Resilio Sync\ShellExtensionOverlay64_53C.dll

Process: C:\Users\user\Desktop\Resilio-Sync_x64.exe File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows Size (bytes): 542208 Entropy (8bit): 5.746185413779297 Encrypted: false MD5: 8CC554B67825E19515D186E884B1F112 SHA1: 24B0CB2C1A617C1D141F8FE3995485B36236AF7D SHA-256: EA4CA761AB80E64CB1608CB3FF6F640AED15FD29C8482E78DAFF41792B56D976 SHA-512: 644732DD960D36B9508AF61C07952A0DBD17CF4657806C71B69135B7B933E5A2A2E4A8678D466D5D46680FD13DECDEB979CBB23D17E51248E435A19350D11B47 Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Reputation: low Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... a..k%kw8%kw8%kw8V.t9/kw8V.s97kw8V.r9.kw8o.t9/kw8o.r9 .kw8o.s9.kw8V.q9 kw8V.v96kw8%kv8.kw86.~9.kw86.w9$kw86..8$kw86.u9$kw8Rich%kw8...... PE..d.....8\...... " .....*...`...... (...... `...... x...... `..8...... L...px...... y..(....x...... @...... text...D(...... *...... `.rdata..X....@...... @[email protected]...... @....pdata..8....`...0...... @[email protected]...... &...... @[email protected]...... 8...... @..B......

C:\ProgramData\Resilio Sync\ShellExtensionOverlay86_53C.dll

Process: C:\Users\user\Desktop\Resilio-Sync_x64.exe File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows Size (bytes): 480768 Entropy (8bit): 5.805399749616033 Encrypted: false MD5: 39250E3D42C53262EC8E596A45C79BD7 SHA1: 4993AECE24388B03C18BAD5C65E2196FCF9F024F SHA-256: 68FCAEA0FC3EF03C6AD40E11C988CEE33ADDD28F7EA6EA14D509EC740C6CA965 SHA-512: 17CDDB3F4B36BAAE2BAC001B35A1C807848F7C0536D03F5DABDCA6D5211AD7DEEEAEDB14D3983B2F4D123A464B46DAD52CE3CEF97A7FF8EEB6AFDF0D4C6 38755 Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Reputation: low Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... h...... "...... Z...... Rich...... PE..L...6.8\...... !...... #y...... @...... x....`...... 8/...... 0...@...... text...]...... `.rdata...... 0...... @[email protected]...... @....rsrc...... `...... @[email protected]/...... 0...&...... @..B......

C:\ProgramData\Resilio Sync\done.ico Process: C:\Users\user\Desktop\Resilio-Sync_x64.exe File Type: MS Windows icon resource - 5 icons, 256x256 withPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 16x16, 32 bits/pixel Size (bytes): 25945 Entropy (8bit): 5.280838927047998 Encrypted: false MD5: 357861C502431645D1732ABD15693756 SHA1: 9593FDE69660082732D5E411710AF23D0CF11F77

Copyright Joe Security LLC 2019 Page 15 of 85 C:\ProgramData\Resilio Sync\done.ico SHA-256: 41022756C3D84C423FD2C7E801FB8E2E7392200C853E55BC55592B276C0F3ED9 SHA-512: 361EAD1EFC8DAD4B8FCE616547A260A2DF5EA4D89E415DBB7D9B61EF0BA7037FC6D14DD7EA675E653D53DF5DBBEC62467BFE88AB1DFC59ACB56B3C6914EA 889F Malicious: false Reputation: low Preview: ...... Q!..V...... h....!...... &...... /..00...... %...?...PNG...... IHDR...... \r.f.. .IDATx...y\Te.?..a..`...... Pp...~..i..i...Z.i.....!....W)....VTjn...... "...6.3.l.?.Cd..3.>3s..Kf. ....=g.B.2h...... ^.7z]Z..8..<].TW..X_"s.V4;H...A.....;..e..R%WY.....x.T#.....hJ%t0..:.W.x..l{[U...*=C...c}.'....!QX4!.V5..o...t..7.&...... 3w...2...k..oJ..Je^...-.l|+^...... "[email protected]..>..... cr..?)#..u...... V...../.+O.../..U..&.M...*...m. .l...... x@...'1.l._8...u.s.3g...... \./.hhe...... uN.i..b...~..K...... e.p.....>...... 3w....7z..D.....!.....=.....;....).L.....V.-..B..Rr...e..*..t&...f...... :. (?.!..;.3.;..zr..^[email protected].^.f..E...#.....>.ef..'.fN...A:.1q.b...#C....v()..=.y...... -...... 7...1.'*&.Uj..L..)e....=...{...... $...... ;.t.g..f.&.lr#.....,.....Z.v.~...... R...... u.|2....(P..t=~O .5...y.t.C....p."..s.E.L...... yP.z....|-.|..caa."...p.t.=....u..u...... q.,|....'..X.v..t...... f..o.....jiE.;.<

C:\ProgramData\Resilio Sync\ro.ico Process: C:\Users\user\Desktop\Resilio-Sync_x64.exe File Type: MS Windows icon resource - 8 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel Size (bytes): 88092 Entropy (8bit): 3.5937222704643346 Encrypted: false MD5: 774ACBC26BAFF31A6667C8B31BE29514 SHA1: 82B55264E4E0990C0DB460F7CCE9EE59AAADA0CD SHA-256: 1FBB8575293B5F4B662CAAFAAB6D282D38C43AD66EB723CF1CEACB0994A33910 SHA-512: BFCAECFA19BC94AF04D28EB315AAF659796E616AB81A8727FB71998EC3F1B4D36998B3E5C842309FC0BBE7601E7A2AC476336F590C434D749FC67E9324818B35 Malicious: false Reputation: low Preview: ...... h...... v...((.... .h...... "...9..@@.... .(B...\..``...... V...... %...2..(...... 333N333.333.QQQ.\\\.aaa.fff.fff.fff.fff.ffg.fff. fff.fff.....333.XXX...... @@@.ffg.vv..~~..ffh.fff.fff.333MYYY...... NNN.___...... vv....vv..fff.fff.fff.333...... QQQ.333.YYY...... vv..fff.fff.fff.fff.333...... 333.YYY.ZZZ...... fff.fff.fff.fff.333.fff.555.333.333.YYY.}}~...... vvv.fff.fff.fff.333...... 333.333.YYY.rr...... fff.fff.fff.333Leee...... III.aad...... ccc.|||...... mmm.....hhh.fff.....333.]]]...... ~~..bbb.^^^.fff.....mmm...... fff...... 333M333.333.ZZZ.\\\.aaa.fff.fff.fff...... fff...... fff.fff.fff.fff.fff.fff.fff...... fff.f ff...... fff.fff.fff.fff.fff.fff.fff.fff.fff.fff.fff......

C:\ProgramData\Resilio Sync\rw.ico Process: C:\Users\user\Desktop\Resilio-Sync_x64.exe File Type: MS Windows icon resource - 8 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel Size (bytes): 85750 Entropy (8bit): 3.080922307742439 Encrypted: false MD5: A55C8D136FD783BE5675749492CDBD22 SHA1: B67B583184113E1C816EAA1625E671B206B63B44 SHA-256: 755EF552ACE1E6B94B5F2A4223821231EF1A139C693B9932FF59E3467E83611F SHA-512: 37BB4B33260384BEB6898A8790F2539232058522D28796BBF46ABFC251272BB9384726BAD4F4B28FEED0446DD6EB7DB95526DD321A6853E45CBBE57C9F015DE9 Malicious: false Reputation: low Preview: ...... h...... v...((.... .h...... "...9..@@.... .(B...\..``...... V...... 2..(...... 333N333.333.333.333.333Mfff.fff...... 333.XXX...... ]]].333.fff...... 333MYYY...... NNN.III...... ccc.333M...... 333...... QQQ.333.333.333...... 333...... 333...... 333.333.333.666.kkk.333...... 333.fff.555.333.333.333...... 333...... 333...... 333.333.333.QQQ...... 333...... 333Leee...... II I.OOO...... YYY.333M...... 333.]]]...... XXX.333.fff...... 333M333.333.333.333.333Lfff.fff......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\HMQISFIT\sync[1].xml Process: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe File Type: ASCII text, with no line terminators Size (bytes): 144 Entropy (8bit): 4.268684346004099 Encrypted: false MD5: 0B3BA35688C8AF04A3DE3BB86F0D15D4 SHA1: 271BC633B4BCA44210BC0DFF806392EC749F9FF0 SHA-256: 729123092B02163CA89235120FF6E315C3E6F6302E3093818BC8BDC6CCD0555B SHA-512: AEBF5FAD969EA1963F28DF2F0FDE0B148C3889EDA2FC97D36A8ED1F404C7940F23C4AB4BEB4AD7AFBC70864473EEDACFC1643A118FECCC48E0CCF1FE3D53 4135 Malicious: false Reputation: low Preview:

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-58933367-3072710494-194312298-1002\29441275a7da48c8f20545d4e4163edc_59407d34- c8c5-44df-a766-ba8a11cb1cb0 Process: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe File Type: data Size (bytes): 1516 Entropy (8bit): 7.361189517107285 Encrypted: false Copyright Joe Security LLC 2019 Page 16 of 85 C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-58933367-3072710494-194312298-1002\29441275a7da48c8f20545d4e4163edc_59407d34- c8c5-44df-a766-ba8a11cb1cb0 MD5: D03C0BF029BAB3D71D508EC832CE75ED SHA1: FE295AA83735EE0B3EA60A59EA5E8152156E6B6A SHA-256: 83AA6E6566EADD6CDA51A863B6C3E1B1761A5B978DEE604999C87760459C81D3 SHA-512: 425C7303A9B125049553C27FD66271ED18549F14D6E4908CEF58E1D0249301EAE5D1241F50D75239CD9C4BA12C3AB876A63B082BAC3FE02EC435C040C9EBD314 Malicious: false Reputation: low Preview: ...... H...... C=US,ST=CA,L=San Francisco,O=BitTorrent,OU=Resilio Sync,CN=Resilio Sync...... RSA1...... &.T0O..'.A...m._x.OI....wl.. <..W.)YD.b.!."..(..OU.N.....3=/.....J...$]..C.).z...%.#..u{]..8...z,.N.k...D..5._.....g/...... z..O...... @c.O..A..Z.g....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... rM.K.. g\..By`,k.:C),..'\+..-...... D.....>....H.1...... E.LQ.'.....S....4...V.o...&..-....8THS..y[K.....'...ZlB.|7_...g.W...... M...... _..y..[../.yP.g..^.X#.&.(...... yssd..P..;:y.}...... |]....=." e..)..U..-.ZY...b...5=.=..P.+.l...... *.pn..9...... *|.F.W7..A.,.yS.l...... (...!.]....D...4f3.#.C?...... 6.=...~$..&.K.....Q,.....$E.e...m..(..9M...5Nj6(...a}.Q.!"..8.V.A...... :]h....s.....`A..... ?g.?..B.x.`...d_.V...... ^...... i0H...'.>l....3$.._8x..3...... L..5 {...6..9...0BA.l..Z.t..PD...... R.KD.|>.mJ.....7..6/Z.=..1..2..#.wq..

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-58933367-3072710494-194312298-1002\95d42093fc093aa8521d9bc831dcd778_59407d34- c8c5-44df-a766-ba8a11cb1cb0 Process: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe File Type: data Size (bytes): 1562 Entropy (8bit): 7.242417060525933 Encrypted: false MD5: C7B9A85C7F32F1EBF43625975FF2A944 SHA1: 91E9B356A36F6E074A6D46CB47CBD17580B52993 SHA-256: 6781FFE6E4EFA4351ABBB40D7315E29B102D3268B52395E86E5D570DC16EDF0E SHA-512: A9609767A9C1A38297D8022F081AA72DF2CE42B94702AB22181F66671439261B70720DDC5E29D18F78AED267525EC99ECB06ACAE6E67EA5CAB38E1D6D05A6DF 9 Malicious: false Reputation: low Preview: ...... '...... {17598293-F0E9-4474-9524-EE653E8CADEC}...... '...... {17598293-F0E9-4474-9524-EE653E8CADEC}...... RSA1...... awp_..>[email protected]...... [email protected].....".2.A.^=eg.@...... ?K..i.4..Z...]^u.L.0..d...^.pE....@Y/.9...... MQ... .n...... z..O...... @c.O..A..Z.g....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... }]wt$s.b{.Uu...... ;...... N^..-...... EB.a,v....q.TP.3H.....\...;....n...... /ct....."..7.....7...... L.KW`a.U...r~...Y..`.KKM.lq].T.\..H...E2...... D..B (I...5.?7E.q..u....h..n.9.D'S...&...8...... N.|.9...O\@....8.Vx.'^...... i..G.{c...9...... :r...... H.....x..[A..M`....9.*......

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-58933367-3072710494-194312298-1002\fe4aeb1293903115252d7e3e75163150_59407d34- c8c5-44df-a766-ba8a11cb1cb0 Process: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe File Type: data Size (bytes): 1562 Entropy (8bit): 7.27519126505624 Encrypted: false MD5: CEB4CA178091C1A6B796BE9E97E04800 SHA1: FC50FBF44F2870C90EBC68E9A942A271956EE0D1 SHA-256: FD7BFF36E50465868DBA0ED2C68FBED9E7AD5E17325CFDB59F291E237BC344B0 SHA-512: CF413C8CDA646955B96D6ED2D9380B41C01E77F12C982D81D253E0304EB41D5B3D6282475B5E5A6E1C386BCAFB0D786CEA18F61CAD6F7712EDC8745EE6E3C6 66 Malicious: false Reputation: low Preview: ...... '...... {B2378552-895F-4DEF-942D-259BF9592E74}...... '...... {B2378552-895F-4DEF-942D-259BF9592E74}...... RSA1...... awp_..>[email protected]...... [email protected].....".2.A.^=eg.@...... ?K..i.4..Z...]^u.L.0..d...^.pE....@Y/.9...... MQ... .n...... z..O...... @c.O..A..Z.g....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... -E..;gY..=....$~I..%..uL.D..Q...... v...'.k...O}..}...... c.....-o....6...j.....(...;...... [...... ?.c.I....C.bmt.....m....X..!.<..W\..=$.<.I.`r:...Zt/.....s`..w...... )NL.s.D..0...Sh.7.|.....\.!..fw...... trt..0..H...... F...L..Sb#Q...Kl.c.y...u0..QGQ...9...g...[..sh?...J..6.....Y.^C.i....P..zn...Df....S\=....g...?..V0.0_...A.... x.d(....-...B..R..I.1e...R.".F@.. E.'.....1.l.T...... b3".EHKJ..jEi..}..3.~....L]..!...... v..Z.....ci(.~X.mW...t...... q....7E....T PM...... 7..+....3<..5..hG-fs*[email protected]

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Resilio Sync.lnk Process: C:\Users\user\Desktop\Resilio-Sync_x64.exe File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 13 00:17:26 2019, mtime=Tue Aug 13 00:17:27 2019, atime=Tue Aug 13 00:17:27 2019, length=23588360, window=hide Size (bytes): 925 Entropy (8bit): 4.995044085923004 Encrypted: false MD5: 54C8C50CFA50A49576BF83F1E1EF589E SHA1: DCE7FAAEAEADAFCD1BA32D7AF78F8CE14D04D105 SHA-256: A010F72149CC7C3C1499BE45BB0238FFBABE0B08E929639D2D21F415C72BCA49 SHA-512: 49824B259A4730EFCC6D6049643132F54407AFBB5208ACB5572A52F49DFF9CB576101135EEC4F57EB46F50D8F510A3D889741656B111A8F82227DD16B64446AA Malicious: false Reputation: low

Copyright Joe Security LLC 2019 Page 17 of 85 C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Resilio Sync.lnk Preview: L...... F...... h.R.tQ...... tQ...... tQ....g...... :..DG..Yr?.D..U..k0.&...&...... tO^.....A@...... tQ...... t...CFSF..1.....vM....AppData...t.Y^...H.g.3..(.....gVA.G..k... @...... vM...O$...... p.A.p.p.D.a.t.a...B.V.1...... O+...Roaming.@...... vM...O+...... R.o.a.m.i.n.g.....b.1...... O+...RESILI~1..J...... O+..O+...... Y...... W..R.e.s.i.l.i.o. .S.y.n.c.....n.2...g..O.. .RESILI~1.EXE..R...... O...O...... ^...... h.R.e.s.i.l.i.o. .S.y.n.c...e.x.e...... t...... -...... s...... N<.....C:\Users\u ser\AppData\Roaming\Resilio Sync\Resilio Sync.exe..&.....\.....\.....\.R.e.s.i.l.i.o. .S.y.n.c.\.R.e.s.i.l.i.o. .S.y.n.c...e.x.e.`...... X...... 651689...... x..C..Z.;....We.}....D... u{....x..C..Z.;....We.}....D...u{E...... 9...1SPS..mD..pH.H@..=x.....h....H....X/:...... `"......

C:\Users\user\AppData\Roaming\Resilio Sync\FileDelayConfig Process: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe File Type: UTF-8 Unicode (with BOM) text, with no line terminators Size (bytes): 187 Entropy (8bit): 4.2394094801840385 Encrypted: false MD5: 8594A8B7A39E6CD7E1809FCDD4F86D29 SHA1: 3708B0B9CF02E1EE9B7D8C72F437DD34BD10FF09 SHA-256: 679387D9FD5F933C49D9C259A40580EB6C68D7F03B9A7B22100D8EB0B3AD6E45 SHA-512: 7B15100632094D4C981E57A625205E96D4E7F9F83D765BF9E90841D42829790CF09D63525E7F748E142ECD854B17B9E7C1F2DE4D01B62B20D184E9888B73FD55 Malicious: false Preview: .{"*.accdb":10,"*.doc":10,"*.docx":10,"*.dwg":10,"*.dxf":10,"*.indd":10,"*.laccdb":10,"*.ppt":10,"*.pptx":10,"*.psd":10,"*.stl":10,"*.vsd":10,"*.xls":10,"*.xlsx":10,"root_acl_entry ":10}

C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe

Process: C:\Users\user\Desktop\Resilio-Sync_x64.exe File Type: PE32+ executable (GUI) x86-64, for MS Windows Size (bytes): 23588360 Entropy (8bit): 7.146936732205669 Encrypted: false MD5: 97E86D489C0D6D6185C890257CF87BE7 SHA1: 937B445C54BA1EE7977BDDC9C62FB54930C8F0B4 SHA-256: 7166B6B5A48A9FEC616DD5BDD47D8906FD5238C0B6AF8DB385E598F8E0CB734E SHA-512: 9AC0A434C7794724F3FB3CCC713A4891C7683CFD3EA8CFF287BE885B7A804A5A7A6855598BF5282C8F1828EF0A75FC5B1605FCE7AA05E33DB1080B608548FD0E Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... {...X.h...... z...... O.....P...... R ich...... PE..d.....8\...... "...... 2...... Sv...... @...... `k...... h...`...-...... @..@...... g...... j...... T...... (...... P...... text....0...... 2...... `.rdata..6.%..P....%..6...... @[email protected]... 0...`...... 8...... @....pdata...... @[email protected]...@....@...... @[email protected]...... j...... :g...... @..B......

C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPath64_53C.dll

Process: C:\Users\user\Desktop\Resilio-Sync_x64.exe File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows Size (bytes): 1009664 Entropy (8bit): 6.107105288237419 Encrypted: false MD5: 83FB49C12E76F2859A7A0774236D0AAC SHA1: 9091D0B1EB2EBCF133DB6750376164587F91FAAA SHA-256: F0BE5A61960E81EE4785587E231EB9F34C232E0BDE289D16F252FC1F00AC012A SHA-512: CB5E8C0524F15091462A7FE0DCFC67FE44D5B076413CED1E187F215925D12F110C7D9D8BC05D66AE555074D63F36B77C347108631F3918F345F6F1D39B007ED3 Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... y.lj..?j..?j..?.z.>a..?.z.>~..?.z.>...? }.>`..? }.>...? }.>L..?.z.>o..? .z.>...?j..?W..?y~.>V..?y~.>k..?y~.?k..?y~.>k..?Richj..?...... PE..d...j.8\...... " .....R...... `...... `...... `...... P....0..._...... @...... @...... `/..(...`...... p...... text....Q...... R...... `.rdata..,....p...... V...... @[email protected]...... @....pdata..._...0...`...F...... @[email protected]...... @[email protected]...... @...... T...... @..B......

C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPath86_53C.dll

Process: C:\Users\user\Desktop\Resilio-Sync_x64.exe File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows Size (bytes): 877568 Entropy (8bit): 6.215190686844878 Encrypted: false MD5: 6A5B2A83C8ECED7A36DE84C547546749 SHA1: 265486F531A01B6877FCCA1A95E9FCAB4C0B0282 SHA-256: 2C9DD0763DB9DFA784D9FBA5C039A866BCBD59147E26ABC4E586E892B697CB8A SHA-512: 88FFD59DB7FC8B41A20F8E0EE81D6DC05B4C3636612CE4A205B55B5A0E0A68F70B78B64A8A1C32EB8FFD11E2E7C62E761EBE3204CECC3F5E05DD53FB61EB3 487

Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... ,..B..B..B...A...B...G.B.B...F...B...A..B...G...B...F..B...D..B...C... [email protected]...... PE..L.....8\...... !.....X...... x...... p...... 0...... @...... 4...... 5...... P...... P..p...... 0...... @...... p..X...... text....W...... X...... `.rdata...... p...... \...... @[email protected]...... P...... 6...... @....rsrc...P...... d...... @[email protected] eloc...P...... R...... @..B......

C:\Users\user\AppData\Roaming\Resilio Sync\debug.txt Process: C:\Users\user\Desktop\Resilio-Sync_x64.exe File Type: ASCII text Size (bytes): 11 Entropy (8bit): 1.0957952550009338 Encrypted: false MD5: CE37178E5CD23905534B0D73E86A3D36 SHA1: F9EF6A9AD79BE6565976B0957B121A593A5037C6 SHA-256: AFD728D78A0E50E3FD747520A492F9C669826E99988735240AC1F29D4B8F8B5F SHA-512: 873F968C3D00D9E2DB939B726335AE5A0AEE223AA21A7F303EC936EB47761F0D6E0D28D0F66AF288479616B9F60758E315AC66E552AFA666AFBC347D21347C6C Malicious: false Preview: FFFFFFFF.0.

C:\Users\user\AppData\Roaming\Resilio Sync\history.dat.new Process: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe File Type: ASCII text, with no line terminators Size (bytes): 68 Entropy (8bit): 4.605917717953222 Encrypted: false MD5: AAD287E5442BE7FF963B29C4DA272321 SHA1: A4F903A4F7CFBBA3C77187BF1D04DDD1F8712688 SHA-256: DB6F88AC315D28FBC7A3D30B97C36A8DD656A4B53C4FC6C7DCBF6E366047DF09 SHA-512: AA1915DE4F608A60A4F17FEBE5F45C6EA92E8F3BB96FC46CAB9DA4B1999D8CBA4D7BFD3D9747C0B5F8A28035B68A02EF1A9EC2D218B938712FD1CD82AC1DC 46D Malicious: false Preview: d10:.fileguard40:7ECDE89CE8A76BD4E137100AF0103D759591ED806:eventslee

C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new Process: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe File Type: data Size (bytes): 2883 Entropy (8bit): 7.2145076072026955 Encrypted: false MD5: 79376CEEA48B43493D84A0E3592B24F3 SHA1: 021626252F2E3EDD2DE4A67E2F38C30EE697E728 SHA-256: 598E6BFD57C9611A6C9E217DCAAD51CE5EDFBF9F246275078E7077455F27F26D SHA-512: E307FDF3FE72B187E88AE3E872958968C5DD4C57388DC563B43FD4944B5C999A56CEF3CCD6D27C48EEC5FD14BC9D39BE6481D9E69BA6BB59CF82485AEB7FAF 50 Malicious: false Preview: d10:.fileguard40:86003733C3FE6BF4A953593A3A8C404F8A1E18DC9:autostarti1e7:born_oni0e14:born_on_remotei0e17:check_update_betai0e11:computer_id 16:glBQ6JQx70NYgrfi28:direct_torrent_max_file_sizei10485760e18:diskio_cache_limiti500e8:exe_path52:C:\Users\user\AppData\Roaming\Resilio Sync3:fgti0e16:history_ log_sizei100e18:history_time_limiti30e13:install_buildi1340e25:install_modification_timei0e16:install_revisioni33947651e12:install_timei1565659041e24:is_webui_c redentials_seti1e3:liti1565659041e10:lit_remotei0e8:log_sizei100e15:mainWndLocation16:...... 19:net.utp2_congestion3:wan21:net.utp2_initial_ratei100000 00e14:net.utp2_limiti0e17:net.utp2_max_ratei125829120e23:net.utp2_rtt_correctioni10000e16:offer_last_showni1565659041e25:peer_max_active_downloadsi500 e17:peer_queue_factor3:2.09:proxy.p2pi1e10:proxy.porti0e2:rti0e8:selfcert1830:0.."...0.....*.H...... 0...0.....*.H...... 0...0.....*.H...... 0...0...*.H...... 0...o...=.v...... m..$8...k.b.H.

C:\Users\user\AppData\Roaming\Resilio Sync\storage.db Process: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe File Type: SQLite 3.x database, last written using SQLite version 3015001 Size (bytes): 4096 Entropy (8bit): 0.08976799235730107 Encrypted: false MD5: 4F1450786156313666503BC1365977AD SHA1: B4F7D850B8D3F91B82115983EFC06753CABF84B1 SHA-256: 39C3D1634349D248AD48C8B29D50F125C44E8EABDF2173C878FDE00D1030A0F2 SHA-512: E204FD8B50AFD40BB6B986BBB5C77E87D4C3CEC361018B1C65D624D2DE509C3A8C5034DD55727EC46A501224C5AC86A4EB98E7E17C079892CE1EE9CF835853 15 Malicious: false

Copyright Joe Security LLC 2019 Page 19 of 85 C:\Users\user\AppData\Roaming\Resilio Sync\storage.db Preview: SQLite format 3...... @ ...... Y......

C:\Users\user\AppData\Roaming\Resilio Sync\storage.db-journal Process: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe File Type: data Size (bytes): 524 Entropy (8bit): 0.27937671757176796 Encrypted: false MD5: 41495385117014EAA94471927E44BF6F SHA1: EB372914A9B60B44236DBDD37F397AD93F56D9E1 SHA-256: 12751CE40386E36DAE98EDAC2C708DDFA540318EDD041F644F917701B475A9F6 SHA-512: 6ACBC38313B16CA9902AB7E387DC1DDF1BC45EA07142FA15964BFDD5E11ADAAD4E329854FA1078291DBF45064E55810D0FB98F5D9F2A6FC92341C49864FB550 0 Malicious: false Preview: ...... !v...... c.....

C:\Users\user\AppData\Roaming\Resilio Sync\storage.db-wal Process: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe File Type: SQLite Write-Ahead Log, version 3007000 Size (bytes): 12392 Entropy (8bit): 0.333334347427059 Encrypted: false MD5: 182D42E5A8F5B7C8239E4F583B044855 SHA1: E279925DAEFC4C3767E9460A4CA65AAFF8F18A1A SHA-256: 561448AE8805AFCC8C7C025DE974888A6026E726E6992651248BBA348DCE225B SHA-512: 1A2F9043AD8DB20B115F11FF008ADCF7D718D98C3AABE795C1A0AB421E7CEFA24657F805C203EEBFE172BAC33E90B0E998A87E934E7BC00D12F2C9C9A45347 09 Malicious: false Preview: 7....-...... 2.,9...... 2.,9...2.8`.CSQLite format 3...... @ ...... Y...... t....t......

C:\Users\user\AppData\Roaming\Resilio Sync\sync.log Process: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 430 Entropy (8bit): 5.055512571731227 Encrypted: false MD5: CF569F8776157A1D1A05E82E8A9E4E0D SHA1: C30E64176F9F60B2E2C3DD3A9377FBF634399E18 SHA-256: 309BC5FA6BA5A51EEDB7D11CE1F12DDDC58AAF856942A918D45405FEB1C52419 SHA-512: A5B0C73FF69ED8CC6EF93EE45FFA22105933C7E7B3D390DA94AF3C8CBA6AEEB0A5DEECC4F9C097EF73BC454A77AA6B92922D181DE000A8DD0C658F86C92C4 0F7 Malicious: false Preview: [2019-08-12 18:17:54.688] Debug log mask has been set to FFFFFFFF..[2019-08-12 18:17:54.724] Features mask has been set to 0..[2019-08-12 18:17:54.724] ZIP: Can 't locate [version] in zip, error -100...[2019-08-12 18:17:55.064] saved history: 0 events..[2019-08-12 18:17:55.064] Torrent session shutdown: done waiting..[2019-08-12 18:17:55.064] Stopping network threads..[2019-08-12 18:17:55.064] Shutdown. Saving config sync.dat..

C:\Users\user\AppData\Roaming\Resilio Sync\sync.pid Process: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe File Type: ASCII text Size (bytes): 5 Entropy (8bit): 1.9219280948873623 Encrypted: false MD5: 70620E5DC1C02C0CEF9E176E285DE81F SHA1: F312C1F35BC38D07562EEACE21846E05E1F0F8E8 SHA-256: 39C56AE246E34FC133E796D8492DC2AC43AF5BA1B714FD28CDD4703444B73B62 SHA-512: 7F33CBEC8640F9EBFE7E629FC1B3EC12C2654305E4C4C86F7CC34F031E241EF52ABDDED710A3903568DED5E840EF6CAFC15A6C9B72D96A7B86F3D2D4242AA B95 Malicious: false Preview: 4524.

Copyright Joe Security LLC 2019 Page 20 of 85 C:\Users\user\Desktop\Resilio Sync.lnk Process: C:\Users\user\Desktop\Resilio-Sync_x64.exe File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 13 00:17:26 2019, mtime=Tue Aug 13 00:17:27 2019, atime=Tue Aug 13 00:17:27 2019, length=23588360, window=hide Size (bytes): 945 Entropy (8bit): 4.975053056809935 Encrypted: false MD5: 19F292F24DC871BCA2BF8C77EBF7E222 SHA1: 8240ED0EA5B3C6A66BFBDD93457578C0929B803F SHA-256: C43914BDDA0233B2FC77BB510FC1C84F3B92EE8F2D148C64A1311581420664F9 SHA-512: 375E96C60E5EA5F7D25BD98B3448AA71FCB269A4EB72ED9ECD1186B12B452669A96D2047B3CFD2A117A6BDA16BC51A85053BA90B67696182C81C676DED79360 A Malicious: false Preview: L...... F...... h.R.tQ...... tQ...... tQ....g...... :..DG..Yr?.D..U..k0.&...&...... tO^.....A@...... tQ...... t...CFSF..1.....vM....AppData...t.Y^...H.g.3..(.....gVA.G..k... @...... vM...O$...... p.A.p.p.D.a.t.a...B.V.1...... O+...Roaming.@...... vM...O+...... R.o.a.m.i.n.g.....b.1...... O....RESILI~1..J...... O+..O...... Y...... R.e.s.i.l.i.o. .S.y.n.c.....n.2...g..O.. .RESILI~1.EXE..R...... O...O...... ^...... h.R.e.s.i.l.i.o. .S.y.n.c...e.x.e...... t...... -...... s...... N<.....C:\Users\u ser\AppData\Roaming\Resilio Sync\Resilio Sync.exe..0.....\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.R.e.s.i.l.i.o. .S.y.n.c.\.R.e.s.i.l.i.o. .S.y.n.c...e.x.e.`...... X...... 651689...... x..C. .Z.;....We.}....D...u{....x..C..Z.;....We.}....D...u{E...... 9...1SPS..mD..pH.H@..=x.....h....H....X/:...... `"......

Domains and IPs

Contacted Domains

Name IP Active Malicious Antivirus Detection Reputation bench-resilio-com-lb-1686402547.us-east- 34.196.17.71 true false high 1.elb.amazonaws.com update-resilio-com-lb-588342624.us-east- 3.215.228.230 true false high 1.elb.amazonaws.com i-2000.b-2-6-3.sync.bench.resilio.com unknown unknown false high update.resilio.com unknown unknown false high

Contacted URLs

Name Malicious Antivirus Detection Reputation i-2000.b-2-6-3.sync.bench.resilio.com/e? false high i=2000&e=eyJhY3Rpb24iOiJpbnN0YWxsIiwiYiI6InN5bmMiLCJjYyI6MCwiY2lkIjoiZ2xCUTZKU Xg3ME5ZZ3JmaSIsImN2IjoiMi42LjMiLCJldmVudE5hbWUiOiJzeW5jQmFzaWMiLCJwbCI6Ind pbjY0Iiwic3NiIjoyMywic3lzdmVyIjoiMTAuMF93b3Jrc3RhdGlvbl94NjQiLCJ0cyI6MTU2NTY1OT A2NCwidHlwZSI6InJlZ3VsYXIifQ== i-2000.b-2-6-3.sync.bench.resilio.com/e? false high i=2000&e=eyJhY3Rpb24iOiJpbnN0YWxsU3RhcnRzIiwiYiI6InN5bmMiLCJjYyI6MCwiY2lkIjoiZ2 xCUTZKUXg3ME5ZZ3JmaSIsImN2IjoiMi42LjMiLCJldmVudE5hbWUiOiJzeW5jQmFzaWMiLC JwbCI6IndpbjY0Iiwic3NiIjoxLCJzeXN2ZXIiOiIxMC4wX3dvcmtzdGF0aW9uX3g2NCIsInRzIjoxN TY1NjU5MDQyfQ==

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation fontawesome.io Resilio Sync.exe, 0000000C.000 false high 00003.22887294355.000001C7DDB0 F000.00000004.00000001.sdmp https://)y.background Resilio Sync.exe, 0000000C.000 false Avira URL Cloud: safe low 00003.22866644156.000001BFD732 4000.00000004.00000001.sdmp https://help.getsync.com/hc/en-us/articles/207371636 Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://helpfiles.resilio.com/terms Resilio Sync.exe.0.dr false high

Copyright Joe Security LLC 2019 Page 21 of 85 Name Source Malicious Antivirus Detection Reputation 127.0.0.1:%d/guiInstalling Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe low .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://helpfiles.resilio.com/privacy Resilio Sync.exe.0.dr false high helpfiles.resilio.com/locked Resilio Sync.exe, 0000000C.000 false high 00003.22868721867.000001C7D946 8000.00000004.00000001.sdmp i-%d.b-%d-%d-%d.%S%S Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe low .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp schemas.xmlsoap.org/soap/envelope/ Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr helpfiles.resilio.com/advguide Resilio Sync.exe.0.dr false high https://helpfiles.resilio.com/helpcenter1 Resilio Sync.exe, 0000000C.000 false high 00003.22845294360.000001BFD4B1 5000.00000004.00000001.sdmp https://license.resilio.comdebug.txt%X Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe low .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr

Copyright Joe Security LLC 2019 Page 22 of 85 Name Source Malicious Antivirus Detection Reputation https://www.resilio.com/legal/terms-of-use Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://%S/sync.conf Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe low .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://helpfiles.resilio.com/buyprowg Resilio Sync.exe, 0000000C.000 false high 00003.22933317993.000001C7DD91 E000.00000004.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003.22869 172207.000001C7D94C8000.000000 04.00000001.sdmp https://helpfiles.resilio.com/buyserver Resilio Sync.exe, 0000000C.000 false high 00003.22869022032.000001C7D94F 1000.00000004.00000001.sdmp momentjs.com/guides/#/warnings/zone/isDSTShifted Resilio Sync.exe, 0000000C.000 false high 00003.22870370239.000001C7D969 6000.00000004.00000001.sdmp https://update.resilio.com/9 Resilio Sync.exe, 0000000C.000 false high 00003.22933888046.000001C7D8B4 D000.00000004.00000001.sdmp silviomoreto.github.io/bootstrap-select/ Resilio Sync.exe, 0000000C.000 false 0%, virustotal, Browse low 00003.22887230250.000001C7DDAE Avira URL Cloud: safe E000.00000004.00000001.sdmp helpfiles.resilio.com/umanage Resilio Sync.exe.0.dr false high momentjs.com/guides/#/warnings/js-date/ Resilio Sync.exe, 0000000C.000 false high 00003.22850365481.000001BFD736 F000.00000004.00000001.sdmp i-%d.b-%d-%d-%d.%S%Sapid/e? Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe low i=%d&e=%scvbplsysverrelayTotaleventNamerandomNumberd .00000000.22746893846.00007FF7 irectTotalONWE 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp https://helpfiles.resilio.com/mobplatforms Resilio Sync.exe, 0000000C.000 false high 00003.22869022032.000001C7D94F 1000.00000004.00000001.sdmp https://link.resilio.com/_ Resilio-Sync_x64.exe, 00000000 false high .00000002.22838075527.000001EB DA6E0000.00000004.00000020.sdmp https://helpfiles.resilio.com/helpcorewarning Resilio Sync.exe, 0000000C.000 false high 00003.22887570279.000001C7D8B4 1000.00000004.00000001.sdmp

Copyright Joe Security LLC 2019 Page 23 of 85 Name Source Malicious Antivirus Detection Reputation helpfiles.resilio.com/terms Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000C.00000003 .22933317993.000001C7DD91E000. 00000004.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003. 22869172207.000001C7D94C8000.0 0000004.00000001.sdmp, Resilio Sync.exe, 0000000D.00000002.2 2847476636.00007FF641525000.00 000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000.22 851729168.00007FF641525000.000 00002.00020000.sdmp, Resilio S ync.exe.0.dr https://www.resilio.com/legal/eula. Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr helpfiles.resilio.com/new20 Resilio Sync.exe, 0000000C.000 false high 00003.22869172207.000001C7D94C 8000.00000004.00000001.sdmp helpfiles.resilio.com/versioning Resilio Sync.exe, 0000000C.000 false high 00003.22869493392.000001C7D94A 0000.00000004.00000001.sdmp https://helpfiles.resilio.com/eula Resilio Sync.exe.0.dr false high https://%S/sync.confRequesting Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe low .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://link.resilio.com/t Resilio-Sync_x64.exe, 00000006 false high .00000002.22813493550.00000106 B2040000.00000004.00000020.sdmp helpfiles.resilio.com/helpcenter2Resilio Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr

Copyright Joe Security LLC 2019 Page 24 of 85 Name Source Malicious Antivirus Detection Reputation helpfiles.resilio.com/privacy Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000C.00000003 .22933317993.000001C7DD91E000. 00000004.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003. 22869172207.000001C7D94C8000.0 0000004.00000001.sdmp, Resilio Sync.exe, 0000000D.00000002.2 2847476636.00007FF641525000.00 000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000.22 851729168.00007FF641525000.000 00002.00020000.sdmp, Resilio S ync.exe.0.dr silviomoreto.github.iVH Resilio Sync.exe, 0000000C.000 false Avira URL Cloud: safe unknown 00003.22887933565.000001C7DD91 4000.00000004.00000001.sdmp crl.thawte.com/ThawteServerPremiumCA.crl0 Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr momentjs.com/guides/#/warnings/zone/ Resilio Sync.exe, 0000000C.000 false high 00003.22845424186.000001C7D8A9 D000.00000004.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003.22850 365481.000001BFD736F000.000000 04.00000001.sdmp resilio.com Resilio Sync.exe, 0000000C.000 false high 00003.22869172207.000001C7D94C 8000.00000004.00000001.sdmp https://orders-staging.resilio.com Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr schemas.xmlsoap.org/soap/encoding/ Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://helpfiles.resilio.com/buybusiness? Resilio Sync.exe, 0000000C.000 false high utm_source=Sync- 00003.22869022032.000001C7D94F App&utm_medium=__medium__&utm_campaign=__c 1000.00000004.00000001.sdmp

Copyright Joe Security LLC 2019 Page 25 of 85 Name Source Malicious Antivirus Detection Reputation Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe unknown https://urlmonCoInternetGetSession.pngimage/png.gifimage/gi .00000000.22746893846.00007FF7 f.htmltext/html.csstext/css.woffapplicati 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp helpfiles.resilio.com/errfolder Resilio Sync.exe, 0000000C.000 false high 00003.22869354211.000001C7D94A C000.00000004.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003.22878 079769.000001C7D8E0D000.000000 04.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003.228875 70279.000001C7D8B41000.0000000 4.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003.2286942 3463.000001C7D9445000.00000004 .00000001.sdmp helpfiles.resilio.com/profaq Resilio Sync.exe.0.dr false high helpfiles.resilio.com/buypro?utm_source=Sync- Resilio-Sync_x64.exe, 00000000 false high App&utm_medium=Pro-Upgrade&utm_campaign=%d&utm_c .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr ocsp.thawte.com0 Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe unknown .00000000.22746893846.00007FF7 Google Safe Browsing: safe 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://sync-push- Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe low proxy.resilio.com%s/get_pending_requests.phppush_tokenInvi .00000000.22746893846.00007FF7 te 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr

Copyright Joe Security LLC 2019 Page 26 of 85 Name Source Malicious Antivirus Detection Reputation svr-ov-crl.thawte.com/ThawteOV.crl0 Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://update.resilio.com/cfu.php? Resilio Sync.exe, 0000000C.000 false high b=sync&lang=en&pl=win64&rn=67&sysver=10.0_workstation_ 00003.22933888046.000001C7D8B4 x64&v=33947 D000.00000004.00000001.sdmp https://link.resilio.com/ Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://resilio.comapp.appConfig.links.buyProLink Resilio Sync.exe, 0000000C.000 false Avira URL Cloud: safe unknown 00003.22869022032.000001C7D94F 1000.00000004.00000001.sdmp https://syncdev.resilio.com%s/%sinvalid Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe low .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://helpfiles.resilio.com/helpwarning Resilio Sync.exe, 0000000C.000 false high 00003.22887570279.000001C7D8B4 1000.00000004.00000001.sdmp https://helpfiles.resilio.com/buypro?utm_source=Sync- Resilio Sync.exe, 0000000C.000 false high App&utm_medium=__medium__&utm_campaign=__campai 00003.22869022032.000001C7D94F 1000.00000004.00000001.sdmp https://helpfiles.resilio.com/helpchangedfiles Resilio Sync.exe, 0000000C.000 false high 00003.22868721867.000001C7D946 8000.00000004.00000001.sdmp helpfiles.resilio.com/download Resilio Sync.exe, 0000000C.000 false high 00003.22869423463.000001C7D944 5000.00000004.00000001.sdmp https://update.resilio.com Resilio Sync.exe.0.dr false high helpfiles.resilio.com/dbaseerr Resilio Sync.exe, 0000000C.000 false high 00003.22869423463.000001C7D944 5000.00000004.00000001.sdmp momentjs.com/guides/#/warnings/dst-shifted/ Resilio Sync.exe, 0000000C.000 false high 00003.22845424186.000001C7D8A9 D000.00000004.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003.22870 370239.000001C7D9696000.000000 04.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003.228503 65481.000001BFD736F000.0000000 4.00000001.sdmp

Copyright Joe Security LLC 2019 Page 27 of 85 Name Source Malicious Antivirus Detection Reputation u.msg/loading.html Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe unknown .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr Resilio-Sync_x64.exe, 00000000 false high https://link.resilio.com/2:tdi0e12:tracker_mode2:lb2:tui0e10:ui_ .00000002.22841810700.000001EB versioni0e12:webui.listen14:127.0.0. DCFA2000.00000004.00000001.sdmp https://www.resilio.com/legal/privacy Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr helpfiles.resilio.com/eula Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000C.00000003 .22933317993.000001C7DD91E000. 00000004.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003. 22869172207.000001C7D94C8000.0 0000004.00000001.sdmp, Resilio Sync.exe, 0000000D.00000002.2 2847476636.00007FF641525000.00 000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000.22 851729168.00007FF641525000.000 00002.00020000.sdmp, Resilio S ync.exe.0.dr fontawesome.io/license Resilio Sync.exe, 0000000C.000 false high 00003.22887294355.000001C7DDB0 F000.00000004.00000001.sdmp https://helpfiles.resilio.com/upserver Resilio Sync.exe, 0000000C.000 false high 00003.22869022032.000001C7D94F 1000.00000004.00000001.sdmp https://license.resilio.com Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://update.resilio.com/ Resilio Sync.exe, 0000000C.000 false high 00003.22933888046.000001C7D8B4 D000.00000004.00000001.sdmp

Copyright Joe Security LLC 2019 Page 28 of 85 Name Source Malicious Antivirus Detection Reputation https://link.resilio.com/finished Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://www.resilio.com/https://u.urlu.verdieValue Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://www.resilio.com/legal/eula Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr i-2000.b-2-6-3.sync.bench.resilio.com/e? Resilio-Sync_x64.exe, 00000000 false high i=2000&e=eyJhY3Rpb24iOiJpbnN0YWxsIiwiYiI6InN5bmMiLC .00000002.22841810700.000001EB Jj DCFA2000.00000004.00000001.sdmp https://link.resilio.com/# Resilio Sync.exe, 0000000D.000 false high 00002.22839885529.000002BDCD8F 0000.00000004.00000020.sdmp https://orders- Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe unknown staging.resilio.comhttps://orders.resilio.comLC: .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://sync-push-proxy.resilio.com Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr

Copyright Joe Security LLC 2019 Page 29 of 85 Name Source Malicious Antivirus Detection Reputation https://helpfiles.resili Resilio Sync.exe, 0000000C.000 false Avira URL Cloud: safe unknown 00003.22887933565.000001C7DD91 4000.00000004.00000001.sdmp https://helpfiles.resilio.com/buybusinessacc? Resilio Sync.exe, 0000000C.000 false high utm_source=Sync- 00003.22869022032.000001C7D94F App&utm_medium=__medium__&utm_campaign= 1000.00000004.00000001.sdmp helpfiles.resilio.com/helpcenter2Unable Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://helpfiles.resilio.com/helpconflicts Resilio Sync.exe, 0000000C.000 false high 00003.22887570279.000001C7D8B4 1000.00000004.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003.22869 423463.000001C7D9445000.000000 04.00000001.sdmp helpfiles.resilio.com/helpcenter2 Resilio Sync.exe, 0000000C.000 false high 00003.22887570279.000001C7D8B4 1000.00000004.00000001.sdmp, Resilio Sync.exe, 0000000D.00000002.22847 476636.00007FF641525000.000000 02.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000.22851729168.0000 7FF641525000.00000002.00020000 .sdmp, Resilio Sync.exe.0.dr www.winimage.com/zLibDll Resilio Sync.exe.0.dr false high i-2000.b-2-6-3.sync.bench.resilio.com/e? Resilio-Sync_x64.exe, 00000000 false high i=2000&e=eyJhY3Rpb24iOiJpbnN0YWxsU3RhcnRzIiwiYiI6In .00000002.22839377596.000001EB N5 DA74A000.00000004.00000001.sdmp https://helpfiles.resilio.com/outofmem Resilio Sync.exe, 0000000C.000 false high 00003.22933317993.000001C7DD91 E000.00000004.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003.22869 172207.000001C7D94C8000.000000 04.00000001.sdmp, Resilio Sync.exe, 0000000C.00000003.228780 79769.000001C7D8E0D000.0000000 4.00000001.sdmp Resilio-Sync_x64.exe, 00000000 false Avira URL Cloud: safe low %S/http://helpfiles.resilio.com/unsurvey_new.dllregsvr32.exe .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr https://orders.resilio.com Resilio-Sync_x64.exe, 00000000 false high .00000000.22746893846.00007FF7 4CD65000.00000002.00020000.sdmp, Resilio-Sync_x64.exe, 00000 006.00000000.22792765656.00007 FF74CD65000.00000002.00020000. sdmp, Resilio Sync.exe, 000000 0C.00000000.22817706208.00007F F641525000.00000002.00020000.sdmp, Resilio Sync.exe, 0000000D.00000002 .22847476636.00007FF641525000. 00000002.00020000.sdmp, Resilio Sync.exe, 0000000E.00000000. 22851729168.00007FF641525000.0 0000002.00020000.sdmp, Resilio Sync.exe.0.dr helpfiles.resilio.com/selectivesync Resilio Sync.exe.0.dr false high

Copyright Joe Security LLC 2019 Page 30 of 85 Name Source Malicious Antivirus Detection Reputation https://link.resilio.com/5 Resilio Sync.exe, 0000000E.000 false high 00002.22867577161.0000022DA3D1 A000.00000004.00000001.sdmp momentjs.com/guides/#/warnings/min-max/ Resilio Sync.exe, 0000000C.000 false high 00003.22850365481.000001BFD736 F000.00000004.00000001.sdmp

Contacted IPs

No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75%

75% < No. of IPs

Public

IP Country Flag ASN ASN Name Malicious 3.215.228.230 United States 14618 unknown false 239.255.255.250 Reserved unknown unknown false 34.196.17.71 United States 14618 unknown false

Private

IP 192.168.2.1 192.168.2.7

Static File Info

General File type: PE32+ executable (GUI) x86-64, for MS Windows Entropy (8bit): 7.146936732205669 TrID: Win64 Executable GUI (202006/5) 60.11% Windows ActiveX control (116523/4) 34.67% Win64 Executable (generic) (12005/4) 3.57% Generic Win/DOS Executable (2004/3) 0.60% DOS Executable Generic (2002/1) 0.60% File name: Resilio-Sync_x64.exe File size: 23588360 MD5: 97e86d489c0d6d6185c890257cf87be7 SHA1: 937b445c54ba1ee7977bddc9c62fb54930c8f0b4

Copyright Joe Security LLC 2019 Page 31 of 85 General SHA256: 7166b6b5a48a9fec616dd5bdd47d8906fd5238c0b6af8db 385e598f8e0cb734e SHA512: 9ac0a434c7794724f3fb3ccc713a4891c7683cfd3ea8cff2 87be885b7a804a5a7a6855598bf5282c8f1828ef0a75fc5 b1605fce7aa05e33db1080b608548fd0e SSDEEP: 393216:B0QshJMqxcU/bwAUWfkKYx43KdWwOTL8DS Ud6lalfpW8ppDQLA8d2uFkY/Uwmpko:B01JMqxcU/bw AUqkKYx4adWwOTL8DSpE File Content Preview: MZ...... @...... !..L.!Th is program cannot be run in DOS mode....$...... {...X.h...... z...... O.....P......

File Icon

Icon Hash: 70cc969ab696ec71

Static PE Info

General Entrypoint: 0x140765314 Entrypoint Section: .text Digitally signed: true Imagebase: 0x140000000 Subsystem: windows gui Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA Time Stamp: 0x5C388AAB [Fri Jan 11 12:23:07 2019 UTC] TLS Callbacks: CLR (.Net) Version: OS Version Major: 6 OS Version Minor: 0 File Version Major: 6 File Version Minor: 0 Subsystem Version Major: 6 Subsystem Version Minor: 0 Import Hash: 01e96e42074cd0a0ff6038dd18071353

Authenticode Signature

Signature Valid: true Signature Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US Signature Validation Error: The operation completed successfully Error Number: 0 Not Before, Not After 2/25/2018 4:00:00 PM 6/10/2020 5:00:00 AM Subject Chain CN="Resilio, Inc", O="Resilio, Inc", L=San Francisco, S=California, C=US Version: 3 Thumbprint MD5: FB7513EE7A3E10A6A451D95AEE51118D Thumbprint SHA-1: 779A815F28213211D291D64F8BC481B8301ABBDC Thumbprint SHA-256: E7236CC57CFFD2CCED2C1D78CF4868DBB1AEBDEA51A6854EBCD5686625BE5FE0 Serial: 07A159B8667CAD58DCFB1D208A3A8B78

Entrypoint Preview

Instruction dec eax sub esp, 28h call 00007F1D6478E4CCh dec eax add esp, 28h jmp 00007F1D6478DBE3h int3 int3

Copyright Joe Security LLC 2019 Page 32 of 85 Instruction jmp 00007F1D6478D668h int3 int3 int3 dec eax sub esp, 28h dec ebp mov eax, dword ptr [ecx+38h] dec eax mov ecx, edx dec ecx mov edx, ecx call 00007F1D6478DDE2h mov eax, 00000001h dec eax add esp, 28h ret int3 int3 int3 inc eax push ebx inc ebp mov ebx, dword ptr [eax] dec eax mov ebx, edx inc ecx and ebx, FFFFFFF8h dec esp mov ecx, ecx inc ecx test byte ptr [eax], 00000004h dec esp mov edx, ecx je 00007F1D6478DDE5h inc ecx mov eax, dword ptr [eax+08h] dec ebp arpl word ptr [eax+04h], dx neg eax dec esp add edx, ecx dec eax arpl ax, cx dec esp and edx, ecx dec ecx arpl bx, ax dec edx mov edx, dword ptr [eax+edx] dec eax mov eax, dword ptr [ebx+10h] mov ecx, dword ptr [eax+08h] dec eax mov eax, dword ptr [ebx+08h] test byte ptr [ecx+eax+03h], 0000000Fh je 00007F1D6478DDDDh movzx eax, byte ptr [ecx+eax+03h] and eax, FFFFFFF0h dec esp add ecx, eax dec esp xor ecx, edx dec ecx

Copyright Joe Security LLC 2019 Page 33 of 85 Instruction mov ecx, ecx pop ebx jmp 00007F1D6478CA2Ah int3 dec eax jmp dword ptr [001012CDh] int3 dec eax mov eax, esp dec eax mov dword ptr [eax+08h], ebx dec eax mov dword ptr [eax+10h], ebp dec eax mov dword ptr [eax+18h], esi dec eax mov dword ptr [eax+20h], edi inc ecx push esi dec eax sub esp, 20h dec ecx mov ebx, dword ptr [ecx+38h] dec eax mov esi, edx dec ebp mov esi, eax dec eax mov ebp, ecx dec ecx

Data Directories

Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IMPORT 0xab04f8 0x1a4 .rdata IMAGE_DIRECTORY_ENTRY_RESOURCE 0xb84000 0xb27f40 .rsrc IMAGE_DIRECTORY_ENTRY_EXCEPTION 0xb0a000 0x79890 .pdata IMAGE_DIRECTORY_ENTRY_SECURITY 0x167d600 0x1808 .rsrc IMAGE_DIRECTORY_ENTRY_BASERELOC 0x16ac000 0x9aa0 .reloc IMAGE_DIRECTORY_ENTRY_DEBUG 0x95c090 0x54 .rdata IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_TLS 0x95c1f0 0x28 .rdata IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x95c0f0 0x100 .rdata IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IAT 0x865000 0x1680 .rdata IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0

Sections

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics .text 0x1000 0x86309e 0x863200 unknown unknown unknown unknown IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ .rdata 0x865000 0x250036 0x250200 unknown unknown unknown unknown IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_READ .data 0xab6000 0x53020 0x1e800 False 0.167320376537 data 4.37737499736 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ .pdata 0xb0a000 0x79890 0x79a00 False 0.484156201824 data 6.59829077235 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_READ .rsrc 0xb84000 0xb27f40 0xb28000 unknown unknown unknown unknown IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_READ

Copyright Joe Security LLC 2019 Page 34 of 85 Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics .reloc 0x16ac000 0x9aa0 0x9c00 False 0.151116786859 data 5.44839675983 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name RVA Size Type Language Country BIN 0xba65f8 0xd686 Zip archive data, at least v2.0 to extract English United States BIN 0x13e5410 0xd6400 PE32 executable (DLL) (console) Intel 80386, for English United States MS Windows BIN 0x14bb810 0xf6800 PE32+ executable (DLL) (console) x86-64, for MS English United States Windows BIN 0xbb3c80 0x7c8c33 Zip archive data, at least v1.0 to extract English United States BIN 0x1636610 0x75600 PE32 executable (DLL) (console) Intel 80386, for English United States MS Windows BIN 0x15b2010 0x84600 PE32+ executable (DLL) (console) x86-64, for MS English United States Windows BIN 0x1392af8 0x6559 MS Windows icon resource - 5 icons, 256x256 English United States withPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 16x16, 32 bits/pixel BIN 0x1399058 0x1581c MS Windows icon resource - 8 icons, 16x16, 32 English United States bits/pixel, 24x24, 32 bits/pixel BIN 0x13ae878 0x14ef6 MS Windows icon resource - 8 icons, 16x16, 32 English United States bits/pixel, 24x24, 32 bits/pixel BIN 0x137c8b8 0x2cf6 MS Windows icon resource - 4 icons, 16x16, 32 English United States bits/pixel, 20x20, 32 bits/pixel BIN 0x137f5b0 0x2cf6 MS Windows icon resource - 4 icons, 16x16, 32 English United States bits/pixel, 20x20, 32 bits/pixel BIN 0x13822a8 0x2cf6 MS Windows icon resource - 4 icons, 16x16, 32 English United States bits/pixel, 20x20, 32 bits/pixel BIN 0x1384fa0 0xdb52 MS Windows icon resource - 8 icons, 16x16, 32 English United States bits/pixel, 20x20, 32 bits/pixel RT_ICON 0xb86030 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb86558 0x7f8 data English United States RT_ICON 0xb86d50 0xb68 data English United States RT_ICON 0xb878e8 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb87e10 0x7f8 data English United States RT_ICON 0xb88608 0xb68 data English United States RT_ICON 0xb891a0 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb896c8 0x7f8 data English United States RT_ICON 0xb89ec0 0xb68 data English United States RT_ICON 0xb8aa58 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb8af80 0x7f8 data English United States RT_ICON 0xb8b778 0xb68 data English United States RT_ICON 0xb8c310 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb8c838 0x7f8 data English United States RT_ICON 0xb8d030 0xb68 data English United States RT_ICON 0xb8dbc8 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb8e0f0 0x7f8 data English United States RT_ICON 0xb8e8e8 0xb68 data English United States RT_ICON 0xb8f480 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb8f9a8 0x7f8 data English United States RT_ICON 0xb901a0 0xb68 data English United States RT_ICON 0xb90d38 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb91260 0x7f8 data English United States RT_ICON 0xb91a58 0xb68 data English United States RT_ICON 0xb925f0 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb92b18 0x7f8 data English United States RT_ICON 0xb93310 0xb68 data English United States RT_ICON 0xb93ea8 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb943d0 0x7f8 data English United States RT_ICON 0xb94bc8 0xb68 data English United States RT_ICON 0xb95760 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb95c88 0x7f8 data English United States RT_ICON 0xb96480 0xb68 data English United States RT_ICON 0xb97018 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb97540 0x7f8 data English United States RT_ICON 0xb97d38 0xb68 data English United States Copyright Joe Security LLC 2019 Page 35 of 85 Name RVA Size Type Language Country RT_ICON 0xb988d0 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb98df8 0x7f8 data English United States RT_ICON 0xb995f0 0xb68 data English United States RT_ICON 0xb9a188 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb9a6b0 0x7f8 data English United States RT_ICON 0xb9aea8 0xb68 data English United States RT_ICON 0xb9ba40 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb9bf68 0x7f8 data English United States RT_ICON 0xb9c760 0xb68 data English United States RT_ICON 0xb9d2f8 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb9d820 0x7f8 data English United States RT_ICON 0xb9e018 0xb68 data English United States RT_ICON 0xb9ebb0 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xb9f0d8 0x7f8 data English United States RT_ICON 0xb9f8d0 0xb68 data English United States RT_ICON 0xba0468 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xba0990 0x7f8 data English United States RT_ICON 0xba1188 0xb68 data English United States RT_ICON 0xba1d20 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xba2248 0x7f8 data English United States RT_ICON 0xba2a40 0xb68 data English United States RT_ICON 0xba35d8 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0xba3b00 0x7f8 data English United States RT_ICON 0xba42f8 0xb68 data English United States RT_ICON 0x13c3770 0x468 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13c3bd8 0x6b8 data English United States RT_ICON 0x13c4290 0x988 data English United States RT_ICON 0x13c4c18 0x10a8 data English United States RT_ICON 0x13c5cc0 0x1a68 dBase III DBT, version number 0, next free block English United States index 40 RT_ICON 0x13c7728 0x25a8 data English United States RT_ICON 0x13c9cd0 0x4228 dBase III DBT, version number 0, next free block English United States index 40 RT_ICON 0x13cdef8 0x3344 PNG image data, 256 x 256, 8-bit/color RGBA, non- English United States interlaced RT_ICON 0x13d12b8 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13d17e0 0x7f8 data English United States RT_ICON 0x13d1fd8 0xb68 data English United States RT_ICON 0x13d2b70 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13d3098 0x7f8 data English United States RT_ICON 0x13d3890 0xb68 data English United States RT_ICON 0x13d4428 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13d4950 0x7f8 data English United States RT_ICON 0x13d5148 0xb68 data English United States RT_ICON 0x13d5ce0 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13d6208 0x7f8 data English United States RT_ICON 0x13d6a00 0xb68 data English United States RT_ICON 0x13d7598 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13d7ac0 0x7f8 data English United States RT_ICON 0x13d82b8 0xb68 data English United States RT_ICON 0x13d8e50 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13d9378 0x7f8 data English United States RT_ICON 0x13d9b70 0xb68 data English United States RT_ICON 0x13da708 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13dac30 0x7f8 data English United States RT_ICON 0x13db428 0xb68 data English United States RT_ICON 0x13dbfc0 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13dc4e8 0x7f8 data English United States RT_ICON 0x13dcce0 0xb68 data English United States RT_ICON 0x13dd878 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13ddda0 0x7f8 data English United States RT_ICON 0x13de598 0xb68 data English United States RT_ICON 0x13df130 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13df658 0x7f8 data English United States RT_ICON 0x13dfe50 0xb68 data English United States

Copyright Joe Security LLC 2019 Page 36 of 85 Name RVA Size Type Language Country RT_ICON 0x13e09e8 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13e0f10 0x7f8 data English United States RT_ICON 0x13e1708 0xb68 data English United States RT_ICON 0x13e22a0 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13e27c8 0x7f8 data English United States RT_ICON 0x13e2fc0 0xb68 data English United States RT_ICON 0x13e3b58 0x528 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x13e4080 0x7f8 data English United States RT_ICON 0x13e4878 0xb68 data English United States RT_DIALOG 0xba4e90 0x186 data English United States RT_DIALOG 0xba5018 0x362 data English United States RT_DIALOG 0xba5380 0x240 data English United States RT_DIALOG 0xba55c0 0xfc data English United States RT_DIALOG 0xba57f0 0x192 data English United States RT_DIALOG 0xba5988 0x40 data English United States RT_DIALOG 0xba56c0 0x60 data English United States RT_DIALOG 0xba5720 0xd0 data English United States RT_DIALOG 0xba59c8 0x104 data English United States RT_DIALOG 0xba5ad0 0xc8 data English United States RT_DIALOG 0xba5b98 0x13a data English United States RT_DIALOG 0xba5cd8 0x100 data English United States RT_GROUP_ICON 0x13d1240 0x76 data English United States RT_GROUP_ICON 0x13d2b40 0x30 data English United States RT_GROUP_ICON 0x13d43f8 0x30 data English United States RT_GROUP_ICON 0x13d5cb0 0x30 data English United States RT_GROUP_ICON 0x13d7568 0x30 data English United States RT_GROUP_ICON 0x13d8e20 0x30 data English United States RT_GROUP_ICON 0x13da6d8 0x30 data English United States RT_GROUP_ICON 0x13dbf90 0x30 data English United States RT_GROUP_ICON 0x13dd848 0x30 data English United States RT_GROUP_ICON 0x13df100 0x30 data English United States RT_GROUP_ICON 0x13e09b8 0x30 data English United States RT_GROUP_ICON 0x13e2270 0x30 data English United States RT_GROUP_ICON 0x13e3b28 0x30 data English United States RT_GROUP_ICON 0x13e53e0 0x30 data English United States RT_GROUP_ICON 0xb878b8 0x30 data English United States RT_GROUP_ICON 0xb89170 0x30 data English United States RT_GROUP_ICON 0xb8aa28 0x30 data English United States RT_GROUP_ICON 0xb8c2e0 0x30 data English United States RT_GROUP_ICON 0xb8db98 0x30 data English United States RT_GROUP_ICON 0xb8f450 0x30 data English United States RT_GROUP_ICON 0xb90d08 0x30 data English United States RT_GROUP_ICON 0xb925c0 0x30 data English United States RT_GROUP_ICON 0xb93e78 0x30 data English United States RT_GROUP_ICON 0xb95730 0x30 data English United States RT_GROUP_ICON 0xb96fe8 0x30 data English United States RT_GROUP_ICON 0xb988a0 0x30 data English United States RT_GROUP_ICON 0xb9a158 0x30 data English United States RT_GROUP_ICON 0xb9ba10 0x30 data English United States RT_GROUP_ICON 0xb9d2c8 0x30 data English United States RT_GROUP_ICON 0xb9eb80 0x30 data English United States RT_GROUP_ICON 0xba0438 0x30 data English United States RT_GROUP_ICON 0xba1cf0 0x30 data English United States RT_GROUP_ICON 0xba35a8 0x30 data English United States RT_GROUP_ICON 0xba4e60 0x30 data English United States RT_VERSION 0x16abc10 0x32c data English United States RT_MANIFEST 0xba5dd8 0x81a XML 1.0 document, ASCII text, with CRLF line English United States terminators

Imports

DLL Import credui.dll CredUIPromptForWindowsCredentialsW, CredUnPackAuthenticationBufferW

Copyright Joe Security LLC 2019 Page 37 of 85 DLL Import Secur32.dll GetUserNameExW, ApplyControlToken, DecryptMessage, QueryContextAttributesW, EncryptMessage, DeleteSecurityContext, CompleteAuthToken, AcceptSecurityContext, InitializeSecurityContextW, FreeCredentialsHandle, AcquireCredentialsHandleW, FreeContextBuffer KERNEL32.dll InitializeCriticalSection, TryEnterCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetNativeSystemInfo, GetComputerNameW, GetVolumeNameForVolumeMountPointW, FormatMessageW, GlobalMemoryStatusEx, GetSystemTimes, GetProcessTimes, QueryPerformanceCounter, QueryPerformanceFrequency, ReplaceFileW, GetCurrentDirectoryW, GetLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetDateFormatA, GetTimeFormatA, GetUserPreferredUILanguages, GetLocaleInfoEx, GetVolumeInformationA, FileTimeToLocalFileTime, GetFullPathNameW, ProcessIdToSessionId, VirtualAlloc, SetUnhandledExceptionFilter, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetModuleFileNameA, GetACP, GetFileType, SetStdHandle, GetModuleHandleExW, ResumeThread, ExitThread, RtlPcToFileHeader, RtlUnwindEx, WaitForMultipleObjectsEx, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, ReleaseSemaphore, SetProcessAffinityMask, VirtualFree, VirtualProtect, GetVersionExW, LoadLibraryExW, HeapValidate, IsNormalizedString, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SwitchToThread, SignalObjectAndWait, CreateTimerQueue, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, IsProcessorFeaturePresent, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetLocaleInfoW, LCMapStringW, CompareStringW, GetCPInfo, EncodePointer, TlsFree, InitializeCriticalSectionAndSpinCount, GetExitCodeThread, GetStringTypeW, MapViewOfFile, CreateFileMappingW, FormatMessageA, LockFileEx, UnlockFile, HeapDestroy, GetSystemInfo, HeapReAlloc, DeleteFileA, CreateFileA, FlushViewOfFile, GetDiskFreeSpaceA, GetTempPathA, HeapSize, UnmapViewOfFile, UnlockFileEx, SetEndOfFile, GetFullPathNameA, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, HeapCreate, AreFileApisANSI, LocalAlloc, HeapWalk, HeapCompact, FreeLibraryAndExitThread, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetSystemDirectoryA, OutputDebugStringW, FreeConsole, WriteConsoleW, AttachConsole, SetConsoleScreenBufferSize, GetStdHandle, GetConsoleScreenBufferInfo, AllocConsole, TerminateProcess, PeekNamedPipe, CreatePipe, OpenProcess, DuplicateHandle, GlobalUnlock, GlobalLock, FindResourceW, GetLogicalDriveStringsW, GlobalFree, MulDiv, FreeResource, GlobalAlloc, SizeofResource, LockResource, LoadResource, FindResourceA, FindNextChangeNotification, FindFirstChangeNotificationW, FindCloseChangeNotification, ExitProcess, OpenMutexW, OpenMutexA, GetShortPathNameW, WinExec, GetEnvironmentVariableW, SetFileTime, GetFileTime, GetLongPathNameW, FindFirstFileExW, GetFinalPathNameByHandleW, GetTempFileNameW, SetFileInformationByHandle, FindClose, FindNextFileW, FindFirstFileW, GetFileAttributesExW, SetFilePointer, GetVolumePathNameW, GetFileAttributesA, SetFilePointerEx, GetFileInformationByHandle, GetFileSize, FlushFileBuffers, SetFileValidData, GetFileAttributesW, GetDiskFreeSpaceExW, GetVolumeInformationW, GetDriveTypeW, DeviceIoControl, WaitForSingleObjectEx, ReadDirectoryChangesW, CreateEventA, RemoveDirectoryW, LoadLibraryA, FileTimeToSystemTime, SystemTimeToFileTime, GetSystemTime, HeapAlloc, HeapFree, SetDllDirectoryW, GetCommandLineW, TlsAlloc, GlobalAddAtomW, SetErrorMode, GetProcessHeap, WriteFile, SetNamedPipeHandleState, SetLastError, MoveFileExW, GetSystemTimeAsFileTime, CreateMutexW, GetCurrentProcess, GetModuleHandleA, ReleaseMutex, GetWindowsDirectoryW, FreeLibrary, GetModuleFileNameW, LoadLibraryW, DecodePointer, GetProcAddress, RtlCaptureStackBackTrace, GetModuleHandleW, DeleteCriticalSection, InitializeCriticalSectionEx, RaiseException, VerifyVersionInfoW, VerSetConditionMask, CopyFileW, CreateDirectoryW, SetFileAttributesW, MoveFileW, DeleteFileW, OpenEventW, GetTickCount, GetTempPathW, WideCharToMultiByte, GetExitCodeProcess, DisconnectNamedPipe, ReadFile, GetOverlappedResult, ResetEvent, WaitForMultipleObjects, CreateProcessW, SetEvent, NormalizeString, ConnectNamedPipe, CreateEventW, CreateFileW, CreateNamedPipeW, LocalFree, FreeEnvironmentStringsW, GetEnvironmentStringsW, WaitForSingleObject, GetCurrentThread, SetThreadPriority, IsBadWritePtr, GetCurrentProcessId, GetCurrentThreadId, CloseHandle, CreateThread, Sleep, GetLastError, EnumSystemLocalesW, GetTimeZoneInformation, HeapQueryInformation, GetConsoleCP, GetConsoleMode, ReadConsoleW, IsValidCodePage, GetOEMCP, SetConsoleCtrlHandler, FindFirstFileExA, FindNextFileA, GetCommandLineA, SetEnvironmentVariableA, SetEnvironmentVariableW, SetCurrentDirectoryW, GetThreadTimes USER32.dll UpdateWindow, GetParent, EnumChildWindows, IsDlgButtonChecked, CheckDlgButton, EnableWindow, GetScrollPos, GetScrollInfo, SetScrollInfo, ScrollWindow, BeginPaint, GetWindow, EndPaint, EqualRect, GetMessagePos, GetMessageTime, CallWindowProcW, GetUserObjectInformationW, GetProcessWindowStation, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, MapWindowPoints, keybd_event, GetDesktopWindow, SendMessageTimeoutA, GetSysColorBrush, DrawIcon, DrawEdge, LoadStringW, LoadBitmapW, DrawIconEx, LoadImageW, ShowWindowAsync, CreateIconIndirect, GetIconInfo, RegisterWindowMessageW, ReleaseCapture, FlashWindowEx, SwitchToThisWindow, SetDlgItemTextW, PeekMessageW, MsgWaitForMultipleObjects, PostThreadMessageW, KillTimer, SetTimer, RemovePropW, GetSystemMetrics, GetMenuItemInfoA, CreateMenu, GetKeyNameTextW, MapVirtualKeyA, GetDC, DialogBoxIndirectParamW, SystemParametersInfoW, GetWindowTextLengthW, GetDlgCtrlID, SetWindowsHookExW, LoadIconW, UnhookWindowsHookEx, SetCapture, SetWindowTextW, RemoveMenu, GetMenuItemID, GetMenuItemCount, GetPropA, CallNextHookEx, SetPropA, GetActiveWindow, GetClassNameA, EndDeferWindowPos, DeferWindowPos, IsWindowVisible, BeginDeferWindowPos, CheckRadioButton, SendDlgItemMessageW, DrawFrameControl, SetWindowPos, LoadIconA, LoadImageA, DispatchMessageW, TranslateMessage, WindowFromPoint, GetMessageW, GetClassNameW, GetPropW, SetPropW, CopyRect, DrawTextA, DrawTextW, FillRect, EndDialog, GetSystemMenu, EnableMenuItem, LoadCursorA, GetAsyncKeyState, GetSysColor, DestroyMenu, TrackPopupMenu, AppendMenuW, CreatePopupMenu, InflateRect, RegisterClassExW, OffsetRect, PtInRect, ScreenToClient, ClientToScreen, SetMenuItemInfoA, InvalidateRect, SendMessageTimeoutW, SendMessageW, GetDlgItem, GetClientRect, GetWindowRect, DestroyWindow, SetWindowLongPtrW, GetWindowLongPtrW, MessageBoxW, GetWindowPlacement, PostQuitMessage, GetWindowTextW, ReleaseDC, CreateWindowExW, MoveWindow, ShowWindow, UnregisterClassW, SetFocus, GetFocus, SetMenu, PostMessageW, RegisterWindowMessageA, GetMenu, SetMenuInfo, DrawMenuBar, RegisterPowerSettingNotification, IsIconic, UnregisterPowerSettingNotification, ShutdownBlockReasonCreate, ShutdownBlockReasonDestroy, GetForegroundWindow, IsWindowEnabled, GetWindowLongW, DestroyIcon, GetWindowThreadProcessId, EnumWindows, FindWindowW, GetCursorPos, IntersectRect, SetForegroundWindow, AttachThreadInput, GetKeyState, SetWindowLongW, CreateDialogIndirectParamW, DefWindowProcW GDI32.dll CreateSolidBrush, SelectObject, SetWindowOrgEx, CreateCompatibleDC, CreateCompatibleBitmap, GetTextExtentPoint32A, BitBlt, DeleteDC, DeleteObject, CreateRectRgn, RectInRegion, CombineRgn, OffsetRgn, SelectClipRgn, GetObjectA, CreateFontIndirectA, GetStockObject, CreateFontA, CreatePen, LineTo, Polyline, ExcludeClipRect, Polygon, Ellipse, Pie, SetBkColor, ExtTextOutW, GetPixel, SetPixel, SetBkMode, SetTextColor, TextOutW, GetTextMetricsA, GetObjectW, CreateBitmap, CreatePatternBrush, CreateDIBSection, PatBlt, StretchBlt, GetCurrentObject, GetDIBits, CreateFontIndirectW, GetDeviceCaps, MoveToEx

Copyright Joe Security LLC 2019 Page 38 of 85 DLL Import WS2_32.dll inet_addr, getservbyname, gethostname, WSAStringToAddressW, inet_ntop, gethostbyname, WSASetEvent, htonl, htons, bind, socket, closesocket, getsockname, sendto, recvfrom, ntohl, WSAGetLastError, setsockopt, ntohs, recv, getpeername, connect, accept, getservbyport, WSASetLastError, WSAIoctl, WSASend, WSARecv, getsockopt, WSASocketW, WSAWaitForMultipleEvents, WSAEventSelect, WSAEnumNetworkEvents, listen, inet_pton, WSAStartup, WSACleanup, ioctlsocket, inet_ntoa, gethostbyaddr COMDLG32.dll GetSaveFileNameW, GetOpenFileNameW, CommDlgExtendedError SHELL32.dll SHGetDataFromIDListW, SHGetFolderPathW, SHGetKnownFolderPath, SHBindToParent, CommandLineToArgvW, SHGetSpecialFolderPathW, ShellExecuteW, Shell_NotifyIconW, SHAppBarMessage, SHFileOperationW, ShellExecuteExW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteA, DragQueryFileW, SHGetFileInfoW, SHChangeNotify, SHOpenFolderAndSelectItems, SHParseDisplayName COMCTL32.dll ImageList_DrawEx, ImageList_GetIconSize, ImageList_GetIcon, ImageList_Replace, ImageList_SetImageCount, ImageList_Duplicate, ImageList_GetImageCount, ImageList_Destroy ADVAPI32.dll LogonUserW, LsaOpenPolicy, ConvertStringSidToSidW, LookupAccountSidW, LsaAddAccountRights, LsaClose, CreateServiceW, CloseServiceHandle, ChangeServiceConfig2W, ControlService, DeleteService, StartServiceW, QueryServiceStatus, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerExW, SetServiceStatus, DuplicateToken, ConvertSidToStringSidW, CryptDestroyHash, CryptAcquireContextW, CryptImportKey, CryptGenKey, CryptExportKey, CryptEncrypt, CryptDecrypt, CryptDestroyKey, CryptReleaseContext, EqualSid, GetAce, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorDacl, SetNamedSecurityInfoW, GetSecurityDescriptorOwner, LookupAccountNameW, OpenServiceW, OpenSCManagerW, RegQueryInfoKeyW, RegDeleteValueW, RegSetValueExW, RegCreateKeyExW, SetSecurityInfo, GetSecurityInfo, CryptGenRandom, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, GetUserNameW, FreeSid, AllocateAndInitializeSid, RevertToSelf, AccessCheck, MapGenericMask, OpenThreadToken, ConvertSecurityDescriptorToStringSecurityDescriptorW, ImpersonateSelf, GetFileSecurityW, RegDeleteKeyW, GetNamedSecurityInfoW, GetSecurityDescriptorGroup PSAPI.DLL GetProcessMemoryInfo CRYPT32.dll CryptDecodeObjectEx, CryptEncodeObjectEx, CryptEncodeObject, CertStrToNameW, CertCreateSelfSignCertificate, CertSetCertificateContextProperty, CertAddCertificateContextToStore, CryptSignAndEncodeCertificate, CertAddEncodedCertificateToStore, PFXIsPFXBlob, PFXImportCertStore, CertEnumCertificatesInStore, CertCreateCertificateContext, CertOpenStore, PFXExportCertStoreEx, CertGetNameStringW, CryptImportPublicKeyInfo, CertGetIntendedKeyUsage, CertGetCertificateChain, CertCompareCertificate, CertVerifyCertificateChainPolicy, CertFreeCertificateChain, CryptHashCertificate, CertFreeCertificateContext, CertCloseStore, CertDeleteCertificateFromStore, CertDuplicateCertificateContext IPHLPAPI.DLL NotifyIpInterfaceChange, CancelMibChangeNotify2, GetAdaptersAddresses gdiplus.dll GdipFree, GdipGetImageWidth, GdipAlloc, GdipGetImageGraphicsContext, GdipDeleteGraphics, GdipDrawImageI, GdipDisposeImage, GdipDrawImageRectI, GdipCloneImage, GdipGetImageHeight, GdipGetImagePixelFormat, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipCreateBitmapFromHBITMAP, GdipCreateHBITMAPFromBitmap, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipCreateBitmapFromScan0, GdiplusStartup, GdiplusShutdown SHLWAPI.dll PathIsUNCW, PathIsDirectoryEmptyW, PathFileExistsW WTSAPI32.dll WTSFreeMemory, WTSRegisterSessionNotification, WTSEnumerateSessionsW, WTSQueryUserToken ncrypt.dll BCryptCreateHash, BCryptGetProperty, BCryptOpenAlgorithmProvider, NCryptImportKey, NCryptOpenStorageProvider, BCryptDestroyHash, BCryptHashData, BCryptFinishHash, NCryptVerifySignature, NCryptSignHash, BCryptCloseAlgorithmProvider, NCryptDeleteKey, NCryptFreeObject, NCryptTranslateHandle ntdll.dll NtCreateFile, NtClose, RtlInitUnicodeString ole32.dll CoCreateInstance, OleInitialize, StgCreateDocfile, OleCreate, OleSetContainedObject, OleUninitialize, CreateStreamOnHGlobal, CoTaskMemFree OLEAUT32.dll VariantClear, VariantInit, SysFreeString, SysAllocString

Version Infos

Description Data LegalCopyright Copyright (C) 2019 Resilio, Inc. All Rights Reserved. InternalName Resilio Sync.exe FileVersion 2.6.3.1340 CompanyName Resilio, Inc. ProductName Resilio Sync ProductVersion 2.6.3.1340 FileDescription Resilio Sync OriginalFilename Resilio Sync.exe Translation 0x0409 0x04e4

Possible Origin

Language of compilation system Country where language is spoken Map

English United States

Network Behavior

Total Packets: 60 • 1900 undefined • 53 (DNS) • 443 (HTTPS) • 80 (HTTP)

TCP Packets

Timestamp Source Port Dest Port Source IP Dest IP Aug 12, 2019 18:17:23.346658945 CEST 49724 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:23.445550919 CEST 80 49724 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:23.445869923 CEST 49724 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:23.448903084 CEST 49724 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:23.548105955 CEST 80 49724 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:23.549191952 CEST 80 49724 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:23.549314976 CEST 49724 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.341085911 CEST 49725 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.394088984 CEST 49726 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.439779997 CEST 80 49725 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.439934969 CEST 49725 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.442220926 CEST 49725 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.492969990 CEST 80 49726 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.493057013 CEST 49726 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.493547916 CEST 49726 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.540955067 CEST 80 49725 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.541074038 CEST 49725 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.592386961 CEST 80 49726 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.592534065 CEST 49726 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.639725924 CEST 80 49725 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.641022921 CEST 80 49725 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.641041994 CEST 80 49725 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.641204119 CEST 49725 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.642674923 CEST 49725 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.691371918 CEST 80 49726 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.692411900 CEST 80 49726 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.692452908 CEST 80 49726 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.692653894 CEST 49726 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.693772078 CEST 49726 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.706666946 CEST 49724 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:44.741208076 CEST 80 49725 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.792632103 CEST 80 49726 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.806750059 CEST 80 49724 34.196.17.71 192.168.2.7 Aug 12, 2019 18:17:44.806894064 CEST 49724 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:54.839689016 CEST 49724 80 192.168.2.7 34.196.17.71 Aug 12, 2019 18:17:57.819096088 CEST 49703 80 192.168.2.7 93.184.220.29 Aug 12, 2019 18:17:57.819269896 CEST 49704 80 192.168.2.7 23.37.43.27 Aug 12, 2019 18:17:57.819397926 CEST 49705 80 192.168.2.7 23.37.43.27 Aug 12, 2019 18:17:57.836709976 CEST 80 49703 93.184.220.29 192.168.2.7 Aug 12, 2019 18:17:57.836899996 CEST 49703 80 192.168.2.7 93.184.220.29 Aug 12, 2019 18:17:57.837860107 CEST 80 49704 23.37.43.27 192.168.2.7 Aug 12, 2019 18:17:57.837950945 CEST 80 49705 23.37.43.27 192.168.2.7

Copyright Joe Security LLC 2019 Page 40 of 85 Timestamp Source Port Dest Port Source IP Dest IP Aug 12, 2019 18:17:57.838090897 CEST 49704 80 192.168.2.7 23.37.43.27 Aug 12, 2019 18:17:57.838177919 CEST 49705 80 192.168.2.7 23.37.43.27 Aug 12, 2019 18:17:58.352190018 CEST 49716 80 192.168.2.7 93.184.220.29 Aug 12, 2019 18:17:58.352961063 CEST 49712 443 192.168.2.7 64.4.16.212 Aug 12, 2019 18:17:58.353210926 CEST 49713 443 192.168.2.7 64.4.16.212 Aug 12, 2019 18:17:58.369883060 CEST 80 49716 93.184.220.29 192.168.2.7 Aug 12, 2019 18:17:58.369977951 CEST 49716 80 192.168.2.7 93.184.220.29 Aug 12, 2019 18:17:58.524178982 CEST 443 49713 64.4.16.212 192.168.2.7 Aug 12, 2019 18:17:58.524197102 CEST 443 49712 64.4.16.212 192.168.2.7 Aug 12, 2019 18:17:58.524310112 CEST 49713 443 192.168.2.7 64.4.16.212 Aug 12, 2019 18:17:58.524353981 CEST 49712 443 192.168.2.7 64.4.16.212 Aug 12, 2019 18:18:00.656328917 CEST 443 49726 172.217.23.208 192.168.2.7 Aug 12, 2019 18:18:00.656641006 CEST 49726 443 192.168.2.7 172.217.23.208 Aug 12, 2019 18:18:06.549288034 CEST 49715 80 192.168.2.7 93.184.221.240 Aug 12, 2019 18:18:06.566884041 CEST 80 49715 93.184.221.240 192.168.2.7 Aug 12, 2019 18:18:06.567141056 CEST 49715 80 192.168.2.7 93.184.221.240 Aug 12, 2019 18:18:15.917479038 CEST 49727 443 192.168.2.7 3.215.228.230 Aug 12, 2019 18:18:16.016128063 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.016352892 CEST 49727 443 192.168.2.7 3.215.228.230 Aug 12, 2019 18:18:16.032069921 CEST 49727 443 192.168.2.7 3.215.228.230 Aug 12, 2019 18:18:16.132919073 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.132996082 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.133030891 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.133152008 CEST 49727 443 192.168.2.7 3.215.228.230 Aug 12, 2019 18:18:16.135550022 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.135585070 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.135826111 CEST 49727 443 192.168.2.7 3.215.228.230 Aug 12, 2019 18:18:16.136303902 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.144325972 CEST 49727 443 192.168.2.7 3.215.228.230 Aug 12, 2019 18:18:16.264132977 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.294445992 CEST 49727 443 192.168.2.7 3.215.228.230 Aug 12, 2019 18:18:16.434653997 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.434940100 CEST 49727 443 192.168.2.7 3.215.228.230 Aug 12, 2019 18:18:16.533528090 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.534825087 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.534863949 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.535023928 CEST 49727 443 192.168.2.7 3.215.228.230 Aug 12, 2019 18:18:16.567825079 CEST 49727 443 192.168.2.7 3.215.228.230 Aug 12, 2019 18:18:16.568284035 CEST 49727 443 192.168.2.7 3.215.228.230 Aug 12, 2019 18:18:16.667054892 CEST 443 49727 3.215.228.230 192.168.2.7 Aug 12, 2019 18:18:16.667321920 CEST 49727 443 192.168.2.7 3.215.228.230

UDP Packets

Timestamp Source Port Dest Port Source IP Dest IP Aug 12, 2019 18:17:20.895452976 CEST 64824 53 192.168.2.7 8.8.8.8 Aug 12, 2019 18:17:20.897072077 CEST 49878 53 192.168.2.7 8.8.8.8 Aug 12, 2019 18:17:20.920896053 CEST 53 64824 8.8.8.8 192.168.2.7 Aug 12, 2019 18:17:20.937376022 CEST 53 49878 8.8.8.8 192.168.2.7 Aug 12, 2019 18:17:23.290046930 CEST 59897 53 192.168.2.7 8.8.8.8 Aug 12, 2019 18:17:23.330481052 CEST 53 59897 8.8.8.8 192.168.2.7 Aug 12, 2019 18:17:43.668672085 CEST 50038 1900 192.168.2.7 239.255.255.250 Aug 12, 2019 18:17:43.668673992 CEST 50038 1900 192.168.2.7 239.255.255.250 Aug 12, 2019 18:17:43.673417091 CEST 5351 5351 192.168.2.7 192.168.2.1 Aug 12, 2019 18:17:43.673535109 CEST 5351 5351 192.168.2.7 192.168.2.1 Aug 12, 2019 18:17:44.193613052 CEST 54422 53 192.168.2.7 8.8.8.8 Aug 12, 2019 18:17:44.244620085 CEST 53 54422 8.8.8.8 192.168.2.7 Aug 12, 2019 18:17:44.301718950 CEST 60622 53 192.168.2.7 8.8.8.8 Aug 12, 2019 18:17:44.341757059 CEST 53 60622 8.8.8.8 192.168.2.7 Aug 12, 2019 18:17:44.539683104 CEST 5351 5351 192.168.2.7 192.168.2.1 Aug 12, 2019 18:17:44.539841890 CEST 5351 5351 192.168.2.7 192.168.2.1 Aug 12, 2019 18:17:44.539932966 CEST 5351 5351 192.168.2.7 192.168.2.1 Aug 12, 2019 18:17:48.551991940 CEST 50038 1900 192.168.2.7 239.255.255.250 Aug 12, 2019 18:17:48.551999092 CEST 50038 1900 192.168.2.7 239.255.255.250

Copyright Joe Security LLC 2019 Page 41 of 85 Timestamp Source Port Dest Port Source IP Dest IP Aug 12, 2019 18:17:53.895834923 CEST 50038 1900 192.168.2.7 239.255.255.250 Aug 12, 2019 18:17:53.895838976 CEST 50038 1900 192.168.2.7 239.255.255.250 Aug 12, 2019 18:17:59.349893093 CEST 50038 1900 192.168.2.7 239.255.255.250 Aug 12, 2019 18:17:59.349896908 CEST 50038 1900 192.168.2.7 239.255.255.250 Aug 12, 2019 18:18:15.545690060 CEST 58629 53 192.168.2.7 8.8.8.8 Aug 12, 2019 18:18:15.585916042 CEST 53 58629 8.8.8.8 192.168.2.7

ICMP Packets

Timestamp Source IP Dest IP Checksum Code Type Aug 12, 2019 18:17:43.673440933 CEST 192.168.2.1 192.168.2.7 827b (Port Destination unreachable) Unreachable Aug 12, 2019 18:17:43.673544884 CEST 192.168.2.1 192.168.2.7 827b (Port Destination unreachable) Unreachable Aug 12, 2019 18:17:44.539705992 CEST 192.168.2.1 192.168.2.7 827b (Port Destination unreachable) Unreachable Aug 12, 2019 18:17:44.539853096 CEST 192.168.2.1 192.168.2.7 827b (Port Destination unreachable) Unreachable Aug 12, 2019 18:17:44.539942026 CEST 192.168.2.1 192.168.2.7 8271 (Port Destination unreachable) Unreachable

DNS Queries

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class Aug 12, 2019 18:17:23.290046930 CEST 192.168.2.7 8.8.8.8 0xda32 Standard query i-2000.b-2-6- A (IP address) IN (0x0001) (0) 3.sync.bench.resi lio.com Aug 12, 2019 18:17:44.193613052 CEST 192.168.2.7 8.8.8.8 0x31d0 Standard query i-2000.b-2-6- A (IP address) IN (0x0001) (0) 3.sync.bench.resi lio.com Aug 12, 2019 18:17:44.301718950 CEST 192.168.2.7 8.8.8.8 0x8128 Standard query i-2000.b-2-6- A (IP address) IN (0x0001) (0) 3.sync.bench.resi lio.com Aug 12, 2019 18:18:15.545690060 CEST 192.168.2.7 8.8.8.8 0x6b70 Standard query update.res A (IP address) IN (0x0001) (0) ilio.com

DNS Answers

Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class Aug 12, 2019 8.8.8.8 192.168.2.7 0xda32 No error (0) i-2000.b-2-6- bench-resilio-com-lb- CNAME IN (0x0001) 18:17:23.330481052 3.sync. 1686402547.us-east- (Canonical CEST bench.resi 1.elb.amazonaws.com name) lio.com Aug 12, 2019 8.8.8.8 192.168.2.7 0xda32 No error (0) bench-resilio- 34.196.17.71 A (IP address) IN (0x0001) 18:17:23.330481052 com-lb- CEST 1686402547.us- east-1.elb.amaz onaws.com Aug 12, 2019 8.8.8.8 192.168.2.7 0xda32 No error (0) bench-resilio- 54.172.115.1 A (IP address) IN (0x0001) 18:17:23.330481052 com-lb- CEST 1686402547.us- east-1.elb.amaz onaws.com Aug 12, 2019 8.8.8.8 192.168.2.7 0x31d0 No error (0) i-2000.b-2-6- bench-resilio-com-lb- CNAME IN (0x0001) 18:17:44.244620085 3.sync. 1686402547.us-east- (Canonical CEST bench.resi 1.elb.amazonaws.com name) lio.com Aug 12, 2019 8.8.8.8 192.168.2.7 0x31d0 No error (0) bench-resilio- 34.196.17.71 A (IP address) IN (0x0001) 18:17:44.244620085 com-lb- CEST 1686402547.us- east-1.elb.amaz onaws.com Aug 12, 2019 8.8.8.8 192.168.2.7 0x31d0 No error (0) bench-resilio- 54.172.115.1 A (IP address) IN (0x0001) 18:17:44.244620085 com-lb- CEST 1686402547.us- east-1.elb.amaz onaws.com Aug 12, 2019 8.8.8.8 192.168.2.7 0x8128 No error (0) i-2000.b-2-6- bench-resilio-com-lb- CNAME IN (0x0001) 18:17:44.341757059 3.sync. 1686402547.us-east- (Canonical CEST bench.resi 1.elb.amazonaws.com name) lio.com Aug 12, 2019 8.8.8.8 192.168.2.7 0x8128 No error (0) bench-resilio- 34.196.17.71 A (IP address) IN (0x0001) 18:17:44.341757059 com-lb- CEST 1686402547.us- east-1.elb.amaz onaws.com

Copyright Joe Security LLC 2019 Page 42 of 85 Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class Aug 12, 2019 8.8.8.8 192.168.2.7 0x8128 No error (0) bench-resilio- 54.172.115.1 A (IP address) IN (0x0001) 18:17:44.341757059 com-lb- CEST 1686402547.us- east-1.elb.amaz onaws.com Aug 12, 2019 8.8.8.8 192.168.2.7 0x6b70 No error (0) update.res update-resilio-com-lb- CNAME IN (0x0001) 18:18:15.585916042 ilio.com 588342624.us-east- (Canonical CEST 1.elb.amazonaws.com name) Aug 12, 2019 8.8.8.8 192.168.2.7 0x6b70 No error (0) update-resilio- 3.215.228.230 A (IP address) IN (0x0001) 18:18:15.585916042 com-lb- CEST 588342624.us- east-1.elb.amaz onaws.com Aug 12, 2019 8.8.8.8 192.168.2.7 0x6b70 No error (0) update-resilio- 54.85.131.145 A (IP address) IN (0x0001) 18:18:15.585916042 com-lb- CEST 588342624.us- east-1.elb.amaz onaws.com

HTTP Request Dependency Graph

i-2000.b-2-6-3.sync.bench.resilio.com

HTTP Packets

Session ID Source IP Source Port Destination IP Destination Port Process 0 192.168.2.7 49724 34.196.17.71 80 C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe

kBytes Timestamp transferred Direction Data Aug 12, 2019 35 OUT GET /e?i=2000&e=eyJhY3Rpb24iOiJpbnN0YWxsU3RhcnRzIiwiYiI6InN5bmMiLCJjYyI6MCwiY2lkIjoiZ2xCUT 18:17:23.448903084 CEST ZKUXg3ME5ZZ3JmaSIsImN2IjoiMi42LjMiLCJldmVudE5hbWUiOiJzeW5jQmFzaWMiLCJwbCI6IndpbjY0Iiwic3Ni IjoxLCJzeXN2ZXIiOiIxMC4wX3dvcmtzdGF0aW9uX3g2NCIsInRzIjoxNTY1NjU5MDQyfQ== HTTP/1.1 Accept-Encoding: gzip User-Agent: Resilio Sync/2630(33947651) Host: i-2000.b-2-6-3.sync.bench.resilio.com Cache-Control: no-cache Aug 12, 2019 40 OUT GET /e?i=2000&e=eyJhY3Rpb24iOiJpbnN0YWxsIiwiYiI6InN5bmMiLCJjYyI6MCwiY2lkIjoiZ2xCUTZKUXg3ME5ZZ3JmaSIs 18:17:44.706666946 CEST ImN2IjoiMi42LjMiLCJldmVudE5hbWUiOiJzeW5jQmFzaWMiLCJwbCI6IndpbjY0Iiwic3NiIjoyMywic3lzdmVyIjoiMTAuMF93 b3Jrc3RhdGlvbl94NjQiLCJ0cyI6MTU2NTY1OTA2NCwidHlwZSI6InJlZ3VsYXIifQ== HTTP/1.1 Accept-Encoding: gzip User-Agent: Resilio Sync/2630(33947651) Host: i-2000.b-2-6-3.sync.bench.resilio.com Cache-Control: no-cache

Session ID Source IP Source Port Destination IP Destination Port Process 1 34.196.17.71 80 192.168.2.7 49724 C:\Users\user\Desktop\Resilio-Sync_x64.exe

kBytes Timestamp transferred Direction Data Aug 12, 2019 35 IN HTTP/1.1 200 OK 18:17:23.549191952 CEST Content-Encoding: gzip Content-Type: text/html Date: Mon, 12 Aug 2019 16:18:12 GMT Server: nginx X-Powered-By: PHP/5.5.9-1ubuntu4.22 Content-Length: 41 Connection: keep-alive Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ab 56 2a 4a 2d 2e c8 cf 2b 4e 8d 4f ce 4f 49 55 b2 32 32 30 a8 05 00 72 92 06 17 15 00 00 00 Data Ascii: V*J-.+NOOIU220r Aug 12, 2019 40 IN HTTP/1.1 200 OK 18:17:44.806750059 CEST Content-Encoding: gzip Content-Type: text/html Date: Mon, 12 Aug 2019 16:18:34 GMT Server: nginx X-Powered-By: PHP/5.5.9-1ubuntu4.22 Content-Length: 41 Connection: keep-alive Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ab 56 2a 4a 2d 2e c8 cf 2b 4e 8d 4f ce 4f 49 55 b2 32 32 30 a8 05 00 72 92 06 17 15 00 00 00 Data Ascii: V*J-.+NOOIU220r

Session ID Source IP Source Port Destination IP Destination Port Process 2 192.168.2.7 49725 34.196.17.71 80 C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe

Copyright Joe Security LLC 2019 Page 43 of 85 kBytes Timestamp transferred Direction Data Aug 12, 2019 37 OUT GET 18:17:44.442220926 CEST Data Raw: Data Ascii:

Session ID Source IP Source Port Destination IP Destination Port Process 3 192.168.2.7 49726 34.196.17.71 80 C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe

kBytes Timestamp transferred Direction Data Aug 12, 2019 37 OUT GET 18:17:44.493547916 CEST Data Raw: Data Ascii:

Session ID Source IP Source Port Destination IP Destination Port Process 4 34.196.17.71 80 192.168.2.7 49725 C:\Users\user\Desktop\Resilio-Sync_x64.exe

kBytes Timestamp transferred Direction Data Aug 12, 2019 39 IN HTTP/1.1 200 OK 18:17:44.641022921 CEST Content-Encoding: gzip Content-Type: text/html Date: Mon, 12 Aug 2019 16:18:34 GMT Server: nginx X-Powered-By: PHP/5.5.9-1ubuntu4.22 Content-Length: 41 Connection: Close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ab 56 2a 4a 2d 2e c8 cf 2b 4e 8d 4f ce 4f 49 55 b2 32 32 30 a8 05 00 72 92 06 17 15 00 00 00 Data Ascii: V*J-.+NOOIU220r

Session ID Source IP Source Port Destination IP Destination Port Process 5 34.196.17.71 80 192.168.2.7 49726 C:\Users\user\Desktop\Resilio-Sync_x64.exe

kBytes Timestamp transferred Direction Data Aug 12, 2019 39 IN HTTP/1.1 200 OK 18:17:44.692411900 CEST Content-Encoding: gzip Content-Type: text/html Date: Mon, 12 Aug 2019 16:18:34 GMT Server: nginx X-Powered-By: PHP/5.5.9-1ubuntu4.22 Content-Length: 41 Connection: Close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ab 56 2a 4a 2d 2e c8 cf 2b 4e 8d 4f ce 4f 49 55 b2 32 32 30 a8 05 00 72 92 06 17 15 00 00 00 Data Ascii: V*J-.+NOOIU220r

HTTPS Packets

Source Dest Not Not JA3 SSL Client Timestamp Source IP Port Dest IP Port Subject Issuer Before After Fingerprint JA3 SSL Client Digest Aug 12, 2019 3.215.228.230 443 192.168.2.7 49727 CN=*.resilio.com, CN=DigiCert SHA2 Thu Aug Thu Aug 771,49196-49195- 3b5074b1b5d032e5620f6 18:18:16.136303902 O="Resilio, Inc", L=San Secure Server CA, 08 27 49200-49199-159- 9f9f700ff0e CEST Francisco, ST=California, O=DigiCert Inc, C=US 02:00:00 14:00:00 158-49188-49187- C=US CN=*.resilio.com, CN=DigiCert SHA2 CEST CEST 49192-49191- O="Resilio, Inc", L=San Secure Server CA, 2019 2020 49162-49161- Francisco, ST=California, O=DigiCert Inc, C=US Thu Aug Thu Aug 49172-49171-157- C=US CN=DigiCert SHA2 CN=DigiCert Global 08 27 156-61-60-53-47- Secure Server CA, Root CA, 02:00:00 14:00:00 10,0-10-11-13-35- O=DigiCert Inc, C=US OU=www.digicert.com, CEST CEST 23-65281,29-23- CN=DigiCert Global Root O=DigiCert Inc, C=US 2019 Fri 2020 24,0 CA, OU=www.digicert.com, CN=DigiCert Global Mar 08 Wed O=DigiCert Inc, C=US Root CA, 13:00:00 Mar 08 OU=www.digicert.com, CET 13:00:00 O=DigiCert Inc, C=US 2013 Fri CET Nov 10 2023 01:00:00 Mon CET Nov 10 2006 01:00:00 CET 2031

Copyright Joe Security LLC 2019 Page 44 of 85 Source Dest Not Not JA3 SSL Client Timestamp Source IP Port Dest IP Port Subject Issuer Before After Fingerprint JA3 SSL Client Digest CN=*.resilio.com, CN=DigiCert SHA2 Thu Aug Thu Aug O="Resilio, Inc", L=San Secure Server CA, 08 27 Francisco, ST=California, O=DigiCert Inc, C=US 02:00:00 14:00:00 C=US CEST CEST 2019 2020 CN=DigiCert SHA2 Secure CN=DigiCert Global Fri Mar Wed Server CA, O=DigiCert Inc, Root CA, 08 Mar 08 C=US OU=www.digicert.com, 13:00:00 13:00:00 O=DigiCert Inc, C=US CET CET 2013 2023 CN=DigiCert Global Root CN=DigiCert Global Fri Nov Mon CA, OU=www.digicert.com, Root CA, 10 Nov 10 O=DigiCert Inc, C=US OU=www.digicert.com, 01:00:00 01:00:00 O=DigiCert Inc, C=US CET CET 2006 2031

Code Manipulations

Statistics

Behavior

• Resilio-Sync_x64.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • Resilio-Sync_x64.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • Resilio Sync.exe • Resilio Sync.exe • Resilio Sync.exe

Click to jump to process

System Behavior

Analysis Process: Resilio-Sync_x64.exe PID: 3896 Parent PID: 2736

General

Start time: 18:17:18 Start date: 12/08/2019 Path: C:\Users\user\Desktop\Resilio-Sync_x64.exe Wow64 process (32bit): false Commandline: 'C:\Users\user\Desktop\Resilio-Sync_x64.exe' Imagebase: 0x7ff74c500000 File size: 23588360 bytes MD5 hash: 97E86D489C0D6D6185C890257CF87BE7 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Created

Source File Path Access Attributes Options Completion Count Address Symbol C:\Users read data or list normal directory file | object name collision 1 7FF74CAF211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 1 7FF74CAF211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData read data or list normal directory file | object name collision 1 7FF74CAF211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming read data or list normal directory file | object name collision 1 7FF74CAF211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync read data or list normal directory file | success or wait 1 7FF74CAF211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync\sync.log read attributes | normal synchronous io success or wait 1 7FF74CCFC370 CreateFileW synchronize | non alert | non generic write directory file C:\Users\user\AppData\Roaming\Resilio Sync\debug.txt read attributes | normal synchronous io success or wait 1 7FF74CAF99E5 CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync read data or list normal directory file | object name collision 1 7FF74C6B093F CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new read attributes | normal synchronous io success or wait 1 7FF74C8055DA CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\sync.pid read attributes | normal synchronous io success or wait 1 7FF74C724D6C CreateFileW synchronize | non alert | non generic write directory file C:\Users read data or list normal directory file | object name collision 1 7FF74CAF211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 1 7FF74CAF211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData read data or list normal directory file | object name collision 1 7FF74CAF211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming read data or list normal directory file | object name collision 1 7FF74CAF211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point

Copyright Joe Security LLC 2019 Page 46 of 85 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync read data or list normal directory file | object name collision 1 7FF74CAF211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe read attributes | normal synchronous io success or wait 1 7FF74CAF99E5 CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPat read attributes | normal synchronous io success or wait 1 7FF74CAF99E5 CreateFileW h86_53C.dll synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPat read attributes | normal synchronous io success or wait 1 7FF74CAF99E5 CreateFileW h64_53C.dll synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new read attributes | normal synchronous io success or wait 1 7FF74C8055DA CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\history.dat.new read attributes | normal synchronous io success or wait 1 7FF74C8055DA CreateFileW synchronize | non alert | non generic read | directory file generic write

File Moved

Source Old File Path New File Path Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat success or wait 1 7FF74C805BE4 MoveFileExW Sync\settings.dat.new C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.old success or wait 1 7FF74C805BC4 MoveFileExW C:\Users\user\AppData\Roaming\Resilio C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat success or wait 1 7FF74C805BE4 MoveFileExW Sync\settings.dat.new C:\Users\user\AppData\Roaming\Resilio Sync\history.dat C:\Users\user\AppData\Roaming\Resilio Sync\history.dat.old success or wait 1 7FF74C805BC4 MoveFileExW C:\Users\user\AppData\Roaming\Resilio Sync\history.dat.new C:\Users\user\AppData\Roaming\Resilio Sync\history.dat success or wait 1 7FF74C805BE4 MoveFileExW

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\debug.txt unknown 11 46 46 46 46 46 46 FFFFFFFF.0. success or wait 1 7FF74CAF9A0E WriteFile 46 46 0a 30 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 208 ef bb bf 70 6c 61 74 ...platform: Windows success or wait 3 7FF74CCEC69E WriteFile 66 6f 72 6d 3a 20 57 workstation 10.0 69 6e 64 6f 77 73 20 amd64..version: 2.6.3. 77 6f 72 6b 73 74 61 1340..[2019-08-12 74 69 6f 6e 20 31 30 18:17:21.932] 2e 30 20 61 6d 64 VerifyFileWithHash failed 36 34 0d 0a 76 65 on file 72 73 69 6f 6e 3a 20 C:\Users\user\AppData\Ro 32 2e 36 2e 33 2e aming\Resilio 31 33 34 30 0d 0a Sync\settings.dat with 5b 32 30 31 39 2d status 2... 30 38 2d 31 32 20 31 38 3a 31 37 3a 32 31 2e 39 33 32 5d 20 56 65 72 69 66 79 46 69 6c 65 57 69 74 68 48 61 73 68 20 66 61 69 6c 65 64 20 6f 6e 20 66 69 6c 65 20 43 3a 5c 55 73 65 72 73 5c 53 75 7a 61 6e 6e 65 20 44 61 76 69 65 73 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 52 65 73 69 6c 69 6f 20 53 79 6e 63 5c 73 65 74 74 69 6e 67 73 2e 64 61 74 20 77 69 74 68 20 73 74 61 74 75 73 20 32 2e 0d 0a

Copyright Joe Security LLC 2019 Page 47 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 75 5b 32 30 31 39 2d [2019-08-12 18:17:21.948] success or wait 1 7FF74CCEC69E WriteFile 30 38 2d 31 32 20 ZIP: Can't locate [version] 31 38 3a 31 37 3a in zip, error -100... 32 31 2e 39 34 38 5d 20 5a 49 50 3a 20 43 61 6e 27 74 20 6c 6f 63 61 74 65 20 5b 76 65 72 73 69 6f 6e 5d 20 69 6e 20 7a 69 70 2c 20 65 72 72 6f 72 20 2d 31 30 30 2e 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 142 5b 32 30 31 39 2d [2019-08-12 18:17:21.948] success or wait 3 7FF74CCEC69E WriteFile 30 38 2d 31 32 20 VerifyFileWithHash failed 31 38 3a 31 37 3a on file 32 31 2e 39 34 38 C:\Users\user\AppData\Ro 5d 20 56 65 72 69 aming\Resilio 66 79 46 69 6c 65 Sync\settings.dat with 57 69 74 68 48 61 status 2... 73 68 20 66 61 69 6c 65 64 20 6f 6e 20 66 69 6c 65 20 43 3a 5c 55 73 65 72 73 5c 53 75 7a 61 6e 6e 65 20 44 61 76 69 65 73 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 52 65 73 69 6c 69 6f 20 53 79 6e 63 5c 73 65 74 74 69 6e 67 73 2e 64 61 74 20 77 69 74 68 20 73 74 61 74 75 73 20 32 2e 0d 0a C:\Users\user\AppData\Roaming\Resilio unknown 57 64 31 30 3a 2e 66 d10:.fileguard40:B4948E6 success or wait 1 7FF74C80565F WriteFile Sync\settings.dat.new 69 6c 65 67 75 61 BFC1ED 72 64 34 30 3a 42 3EF548F134B1331EF257 34 39 34 38 45 36 98DB9B7 42 46 43 31 45 44 33 45 46 35 34 38 46 31 33 34 42 31 33 33 31 45 46 32 35 37 39 38 44 42 39 42 37 C:\Users\user\AppData\Roaming\Resilio unknown 754 37 3a 62 6f 72 6e 5f 7:born_oni0e14:born_on_r success or wait 1 7FF74C8052EF WriteFile Sync\settings.dat.new 6f 6e 69 30 65 31 34 emotei 3a 62 6f 72 6e 5f 6f 0e17:check_update_betai0 6e 5f 72 65 6d 6f 74 e28:di 65 69 30 65 31 37 rect_torrent_max_file_sizei 3a 63 68 65 63 6b 5f 104 75 70 64 61 74 65 5f 85760e18:diskio_cache_li 62 65 74 61 69 30 miti50 65 32 38 3a 64 69 0e3:fgti0e16:history_log_si 72 65 63 74 5f 74 6f zei 72 72 65 6e 74 5f 6d 100e18:history_time_limiti 61 78 5f 66 69 6c 65 30e2 5f 73 69 7a 65 69 31 5:install_modification_timei 30 34 38 35 37 36 0e 30 65 31 38 3a 64 12:install_timei0e24:is_we 69 73 6b 69 6f 5f 63 bui_credentials_set 61 63 68 65 5f 6c 69 6d 69 74 69 35 30 30 65 33 3a 66 67 74 69 30 65 31 36 3a 68 69 73 74 6f 72 79 5f 6c 6f 67 5f 73 69 7a 65 69 31 30 30 65 31 38 3a 68 69 73 74 6f 72 79 5f 74 69 6d 65 5f 6c 69 6d 69 74 69 33 30 65 32 35 3a 69 6e 73 74 61 6c 6c 5f 6d 6f 64 69 66 69 63 61 74 69 6f 6e 5f 74 69 6d 65 69 30 65 31 32 3a 69 6e 73 74 61 6c 6c 5f 74 69 6d 65 69 30 65 32 34 3a 69 73 5f 77 65 62 75 69 5f 63 72 65 64 65 6e 74 69 61 6c 73 5f 73 65 74

Copyright Joe Security LLC 2019 Page 48 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\Resilio unknown 23588360 4d 5a 90 00 03 00 MZ...... @..... success or wait 1 7FF74CAF9A0E WriteFile Sync.exe 00 00 04 00 00 00 ff ...... ff 00 00 b8 00 00 00 ...... !..L.!This program 00 00 00 00 40 00 cannot be run in DOS 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 $...... 00 00 00 00 00 00 ...... {...X.h...... 00 00 00 00 00 00 ...... 00 00 00 00 00 00 ...... z...... O... 00 00 00 00 18 01 ..P...... 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 82 df c1 9a c6 be af c9 c6 be af c9 c6 be af c9 b5 dc ab c8 d2 be af c9 b5 dc ac c8 cb be af c9 b5 dc aa c8 7b be af c9 58 1e 68 c9 c7 be af c9 8c db ac c8 ca be af c9 8c db aa c8 bd be af c9 8c db ab c8 ec be af c9 b5 dc a8 c8 c7 be af c9 b5 dc a9 c8 c8 be af c9 b5 dc ae c8 ef be af c9 c6 be ae c9 7a bc af c9 d5 d8 a6 c8 4f bf af c9 d5 d8 50 c9 c7 be af c9 d5 d8 ad c8 c7 be af C:\Users\user\AppData\Roaming\Resilio unknown 877568 4d 5a 90 00 03 00 MZ...... @..... success or wait 1 7FF74CAF9A0E WriteFile Sync\ShellExtensionPath86_53C.dll 00 00 04 00 00 00 ff ...... ff 00 00 b8 00 00 00 ...... !..L.!This program 00 00 00 00 40 00 cannot be run in DOS 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 $...... ,...B...B...B...A... 00 00 00 00 00 00 B...G.B.B...F...B...A...B...G 00 00 00 00 00 00 ...B...F...B...D...B...C...B... 00 00 00 00 00 00 C...B...K...B...B...B...... B. 00 00 00 00 08 01 [email protected] 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad ca 2c eb e9 ab 42 b8 e9 ab 42 b8 e9 ab 42 b8 9a c9 41 b9 f8 ab 42 b8 9a c9 47 b9 42 ab 42 b8 9a c9 46 b9 fe ab 42 b8 a3 ce 41 b9 f0 ab 42 b8 a3 ce 47 b9 84 ab 42 b8 a3 ce 46 b9 cc ab 42 b8 9a c9 44 b9 ec ab 42 b8 9a c9 43 b9 fc ab 42 b8 e9 ab 43 b8 d0 aa 42 b8 fa cd 4b b9 d5 ab 42 b8 fa cd 42 b9 e8 ab 42 b8 fa cd bd b8 e8 ab 42 b8 fa cd 40 b9 e8 ab 42 b8 52 69 63 68 e9 ab 42

Copyright Joe Security LLC 2019 Page 49 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio unknown 1009664 4d 5a 90 00 03 00 MZ...... @..... success or wait 1 7FF74CAF9A0E WriteFile Sync\ShellExtensionPath64_53C.dll 00 00 04 00 00 00 ff ...... ff 00 00 b8 00 00 00 ...... !..L.!This program 00 00 00 00 40 00 cannot be run in DOS 00 00 00 00 00 00 mode....$...... y.lj..?j..? 00 00 00 00 00 00 j..?.z.>a..?.z.>~..?.z.>...? 00 00 00 00 00 00 }.>`..? }.>...? 00 00 00 00 00 00 }.>L..?.z.>o..?.z.>...?j..? 00 00 00 00 00 00 W..?y~.>V..?y~.>k..?y~.? 00 00 00 00 18 01 k..?y~.>k..?Richj.. 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2e 79 85 6c 6a 18 eb 3f 6a 18 eb 3f 6a 18 eb 3f 19 7a e8 3e 61 18 eb 3f 19 7a ef 3e 7e 18 eb 3f 19 7a ee 3e c1 18 eb 3f 20 7d e8 3e 60 18 eb 3f 20 7d ee 3e 06 18 eb 3f 20 7d ef 3e 4c 18 eb 3f 19 7a ed 3e 6f 18 eb 3f 19 7a ea 3e 7f 18 eb 3f 6a 18 ea 3f 57 19 eb 3f 79 7e e2 3e 56 18 eb 3f 79 7e eb 3e 6b 18 eb 3f 79 7e 14 3f 6b 18 eb 3f 79 7e e9 3e 6b 18 eb 3f 52 69 63 68 6a 18 eb C:\Users\user\AppData\Roaming\Resilio unknown 57 64 31 30 3a 2e 66 d10:.fileguard40:86003733 success or wait 1 7FF74C80565F WriteFile Sync\settings.dat.new 69 6c 65 67 75 61 C3FE6 72 64 34 30 3a 38 BF4A953593A3A8C404F8 36 30 30 33 37 33 A1E18DC 33 43 33 46 45 36 42 46 34 41 39 35 33 35 39 33 41 33 41 38 43 34 30 34 46 38 41 31 45 31 38 44 43

Copyright Joe Security LLC 2019 Page 50 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio unknown 2826 39 3a 61 75 74 6f 73 9:autostarti1e7:born_oni0e success or wait 1 7FF74C8052EF WriteFile Sync\settings.dat.new 74 61 72 74 69 31 14:b 65 37 3a 62 6f 72 6e orn_on_remotei0e17:chec 5f 6f 6e 69 30 65 31 k_updat 34 3a 62 6f 72 6e 5f e_betai0e11:computer_id1 6f 6e 5f 72 65 6d 6f 6:glBQ 74 65 69 30 65 31 6JQx70NYgrfi28:direct_tor 37 3a 63 68 65 63 rent_ 6b 5f 75 70 64 61 74 max_file_sizei10485760e1 65 5f 62 65 74 61 69 8:disk 30 65 31 31 3a 63 6f io_cache_limiti500e8:exe_ 6d 70 75 74 65 72 5f path5 69 64 31 36 3a 67 2:C:\Users\user\AppData\ 6c 42 51 36 4a 51 Roaming\Resilio 78 37 30 4e 59 67 Sync3:fgti0e16:history_lo 72 66 69 32 38 3a 64 69 72 65 63 74 5f 74 6f 72 72 65 6e 74 5f 6d 61 78 5f 66 69 6c 65 5f 73 69 7a 65 69 31 30 34 38 35 37 36 30 65 31 38 3a 64 69 73 6b 69 6f 5f 63 61 63 68 65 5f 6c 69 6d 69 74 69 35 30 30 65 38 3a 65 78 65 5f 70 61 74 68 35 32 3a 43 3a 5c 55 73 65 72 73 5c 53 75 7a 61 6e 6e 65 20 44 61 76 69 65 73 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 52 65 73 69 6c 69 6f 20 53 79 6e 63 33 3a 66 67 74 69 30 65 31 36 3a 68 69 73 74 6f 72 79 5f 6c 6f C:\Users\user\AppData\Roaming\Resilio unknown 57 64 31 30 3a 2e 66 d10:.fileguard40:7ECDE89 success or wait 1 7FF74C80565F WriteFile Sync\history.dat.new 69 6c 65 67 75 61 CE8A76 72 64 34 30 3a 37 BD4E137100AF0103D759 45 43 44 45 38 39 591ED80 43 45 38 41 37 36 42 44 34 45 31 33 37 31 30 30 41 46 30 31 30 33 44 37 35 39 35 39 31 45 44 38 30 C:\Users\user\AppData\Roaming\Resilio unknown 11 36 3a 65 76 65 6e 6:eventslee success or wait 1 7FF74C8052EF WriteFile Sync\history.dat.new 74 73 6c 65 65 C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 51 5b 32 30 31 39 2d [2019-08-12 18:17:46.368] success or wait 1 7FF74CCEC69E WriteFile 30 38 2d 31 32 20 saved history: 0 events.. 31 38 3a 31 37 3a 34 36 2e 33 36 38 5d 20 73 61 76 65 64 20 68 69 73 74 6f 72 79 3a 20 30 20 65 76 65 6e 74 73 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 66 5b 32 30 31 39 2d [2019-08-12 18:17:46.368] success or wait 1 7FF74CCEC69E WriteFile 30 38 2d 31 32 20 Torrent session shutdown: 31 38 3a 31 37 3a done waiting.. 34 36 2e 33 36 38 5d 20 54 6f 72 72 65 6e 74 20 73 65 73 73 69 6f 6e 20 73 68 75 74 64 6f 77 6e 3a 20 64 6f 6e 65 20 77 61 69 74 69 6e 67 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 52 5b 32 30 31 39 2d [2019-08-12 18:17:46.384] success or wait 1 7FF74CCEC69E WriteFile 30 38 2d 31 32 20 Stopping network threads.. 31 38 3a 31 37 3a 34 36 2e 33 38 34 5d 20 53 74 6f 70 70 69 6e 67 20 6e 65 74 77 6f 72 6b 20 74 68 72 65 61 64 73 0d 0a

Copyright Joe Security LLC 2019 Page 51 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 60 5b 32 30 31 39 2d [2019-08-12 18:17:46.403] success or wait 1 7FF74CCEC69E WriteFile 30 38 2d 31 32 20 Shutdown. Saving config 31 38 3a 31 37 3a sync.dat.. 34 36 2e 34 30 33 5d 20 53 68 75 74 64 6f 77 6e 2e 20 53 61 76 69 6e 67 20 63 6f 6e 66 69 67 20 73 79 6e 63 2e 64 61 74 0d 0a

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new unknown 811 success or wait 1 7FF74C805545 ReadFile C:\Users\user\Desktop\Resilio-Sync_x64.exe unknown 23588360 success or wait 1 7FF74C805545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat unknown 2762 success or wait 1 7FF74C805545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new unknown 2883 success or wait 1 7FF74C805545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\history.dat.new unknown 68 success or wait 1 7FF74C805545 ReadFile

Registry Activities

Key Created

Source Key Path Completion Count Address Symbol HKEY_CURRENT_USER_Classes\Applications\Resilio Sync.exe success or wait 1 7FF74C8952B2 RegCreateKeyExW HKEY_CURRENT_USER_Classes\Applications\Resilio Sync.exe\SupportedTypes success or wait 1 7FF74C8952B2 RegCreateKeyExW HKEY_CURRENT_USER_Classes\Applications\Resilio Sync.exe\SupportedTypes\.rsls success or wait 1 7FF74C8952B2 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\Applications\Resilio Sync.exe\SupportedTypes\.rslkey success or wait 1 7FF74C89538B RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\Applications\Resilio Sync.exe\SupportedTypes\.btskey success or wait 1 7FF74C89545D RegCreateKeyExW HKEY_CURRENT_USER_Classes\Applications\Resilio Sync.exe\shell success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER_Classes\Applications\Resilio Sync.exe\shell\open success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER_Classes\Applications\Resilio Sync.exe\shell\open\command success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\rslsync success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER_Classes\rslsync\shell success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER_Classes\rslsync\shell\open success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER_Classes\rslsync\shell\open\command success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\rslsync\DefaultIcon success or wait 1 7FF74C8A2388 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\btsync success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER_Classes\btsync\shell success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER_Classes\btsync\shell\open success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER_Classes\btsync\shell\open\command success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\btsync\DefaultIcon success or wait 1 7FF74C8A2388 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\.rsls success or wait 1 7FF74C8A3506 RegCreateKeyExW HKEY_CURRENT_USER_Classes\Resilio Sync success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER_Classes\Resilio Sync\DefaultIcon success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-resilio-rsls success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\MIME\Database\Content Type\application/x-resilio-rsls success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER_Classes\Resilio Sync\shell success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER_Classes\Resilio Sync\shell\open success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER_Classes\Resilio Sync\shell\open\command success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\Resilio Sync\Content Type success or wait 1 7FF74C8A3692 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\.rslkey success or wait 1 7FF74C8A3506 RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-resilio-btskey success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\MIME\Database\Content Type\application/x-resilio-btskey success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\.btskey success or wait 1 7FF74C8A3506 RegCreateKeyExW HKEY_CURRENT_USER\Software\Resilio success or wait 1 7FF74C8972FD RegCreateKeyExW HKEY_CURRENT_USER\Software\Resilio\Sync success or wait 1 7FF74C8972FD RegCreateKeyExW HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING success or wait 1 7FF74C89740F RegCreateKeyExW HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS success or wait 1 7FF74C897498 RegCreateKeyExW HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Resilio Sync success or wait 1 7FF74C894C9C RegCreateKeyExW

Key Value Created

Copyright Joe Security LLC 2019 Page 52 of 85 Source Key Path Name Type Data Completion Count Address Symbol HKEY_CURRENT_USER_Classes\rslsync URL Protocol unicode success or wait 1 7FF74C8A2584 RegSetValueExW HKEY_CURRENT_USER_Classes\rslsync Content Type unicode application/x-resilio-btsync success or wait 1 7FF74CAFE253 RegSetValueExW HKEY_CURRENT_USER_Classes\btsync URL Protocol unicode success or wait 1 7FF74C8A2584 RegSetValueExW HKEY_CURRENT_USER_Classes\btsync Content Type unicode application/x-resilio-btsync success or wait 1 7FF74CAFE253 RegSetValueExW HKEY_CURRENT_USER_Classes\.rsls Content Type unicode application/x-resilio-rsls success or wait 1 7FF74CAFE253 RegSetValueExW HKEY_LOCAL_MACHINE\SOFTWARE\Cl Extension unicode .rsls success or wait 1 7FF74CAFE253 RegSetValueExW asses\MIME\Database\Content Ty pe\application/x-resilio-rsls HKEY_CURRENT_USER_Classes\MIME Extension unicode .rsls success or wait 1 7FF74CAFE253 RegSetValueExW \Database\Content Type\application/x-resilio- rsls HKEY_CURRENT_USER_Classes\.rslkey Content Type unicode application/x-resilio-btskey success or wait 1 7FF74CAFE253 RegSetValueExW HKEY_LOCAL_MACHINE\SOFTWARE\Cl Extension unicode .rslkey success or wait 1 7FF74CAFE253 RegSetValueExW asses\MIME\Database\Content Ty pe\application/x-resilio-btskey HKEY_CURRENT_USER_Classes\MIME Extension unicode .rslkey success or wait 1 7FF74CAFE253 RegSetValueExW \Database\Content Type\application/x-resilio- btskey HKEY_CURRENT_USER_Classes\.btskey Content Type unicode application/x-resilio-btskey success or wait 1 7FF74CAFE253 RegSetValueExW HKEY_CURRENT_USER\Software\Res EnableOverlay dword 1 success or wait 1 7FF74C897336 RegSetValueExW ilio\Sync HKEY_CURRENT_USER\Software\Mic Resilio Sync.exe dword 8000 success or wait 1 7FF74C8973BF RegSetValueExW rosoft\Internet Explorer\Main\ FeatureControl\FEATURE_BROWSER _EMULATION HKEY_CURRENT_USER\Software\Mic Resilio Sync.exe dword 1 success or wait 1 7FF74C897448 RegSetValueExW rosoft\Internet Explorer\Main\ FeatureControl\FEATURE_GPU_RENDERING HKEY_CURRENT_USER\Software\Mic Resilio Sync.exe dword 1 success or wait 1 7FF74C8974D1 RegSetValueExW rosoft\Internet Explorer\Main\ FeatureControl\FEATURE_ALIGNED_TIMERS HKEY_CURRENT_USER_Classes\Resilio EditFlags dword 1048576 success or wait 1 7FF74C89755A RegSetValueExW Sync HKEY_CURRENT_USER\Software\Res ShellExtensionPath86 unicode C:\Users\user\AppData\Roaming\ success or wait 1 7FF74CAFE253 RegSetValueExW ilio\Sync Resilio Sync\ShellExtensionPat h86_53C.dll HKEY_CURRENT_USER\Software\Res ShellExtensionPath64 unicode C:\Users\user\AppData\Roaming\ success or wait 1 7FF74CAFE253 RegSetValueExW ilio\Sync Resilio Sync\ShellExtensionPat h64_53C.dll HKEY_CURRENT_USER\Software\Mic DisplayIcon unicode C:\Users\user\AppData\Roaming\ success or wait 1 7FF74C894D8D RegSetValueExW rosoft\Windows\CurrentVersion\ Resilio Sync\Resilio Sync.exe,0 Uninstall\Resilio Sync HKEY_CURRENT_USER\Software\Mic DisplayName unicode Resilio Sync success or wait 1 7FF74C894DE7 RegSetValueExW rosoft\Windows\CurrentVersion\ Uninstall\Resilio Sync HKEY_CURRENT_USER\Software\Mic DisplayVersion unicode 2.6.3 success or wait 1 7FF74C894E4D RegSetValueExW rosoft\Windows\CurrentVersion\ Uninstall\Resilio Sync HKEY_CURRENT_USER\Software\Mic UninstallString unicode "C:\Users\user\AppData\Roaming success or wait 1 7FF74C894EAF RegSetValueExW rosoft\Windows\CurrentVersion\ \Resilio Sync\Resilio Sync.exe" Uninstall\Resilio Sync /UNINSTALL HKEY_CURRENT_USER\Software\Mic InstallLocation unicode C:\Users\user\AppData\Roaming\ success or wait 1 7FF74C894F11 RegSetValueExW rosoft\Windows\CurrentVersion\ Resilio Sync Uninstall\Resilio Sync HKEY_CURRENT_USER\Software\Mic NoModify dword 1 success or wait 1 7FF74C894F67 RegSetValueExW rosoft\Windows\CurrentVersion\ Uninstall\Resilio Sync HKEY_CURRENT_USER\Software\Mic NoRepair dword 1 success or wait 1 7FF74C894F9C RegSetValueExW rosoft\Windows\CurrentVersion\ Uninstall\Resilio Sync HKEY_CURRENT_USER\Software\Mic URLInfoAbout unicode http://helpfiles.resilio.com/h success or wait 1 7FF74C894FCB RegSetValueExW rosoft\Windows\CurrentVersion\ elpcenter2 Uninstall\Resilio Sync HKEY_CURRENT_USER\Software\Mic Publisher unicode Resilio, Inc. success or wait 1 7FF74C894FFA RegSetValueExW rosoft\Windows\CurrentVersion\ Uninstall\Resilio Sync HKEY_CURRENT_USER\Software\Mic HelpLink unicode http://helpfiles.resilio.com/h success or wait 1 7FF74C895022 RegSetValueExW rosoft\Windows\CurrentVersion\ elpcenter2 Uninstall\Resilio Sync HKEY_CURRENT_USER\Software\Mic EstimatedSize dword 23035 success or wait 1 7FF74C89507C RegSetValueExW rosoft\Windows\CurrentVersion\ Uninstall\Resilio Sync HKEY_CURRENT_USER\Software\Mic Resilio Sync unicode C:\Users\user\AppData\Roaming\ success or wait 1 7FF74CAFE253 RegSetValueExW rosoft\Windows\CurrentVersion\Run Resilio Sync\Resilio Sync.exe /MINIMIZED

Copyright Joe Security LLC 2019 Page 53 of 85 Source Key Path Name Type Data Completion Count Address Symbol HKEY_CURRENT_USER\Software\Res Revision dword 33947651 success or wait 1 7FF74C89E1F5 RegSetValueExW ilio\Sync HKEY_CURRENT_USER\Software\Res Build dword 1340 success or wait 1 7FF74C89E228 RegSetValueExW ilio\Sync

Key Value Modified

Source Key Path Name Type Old Data New Data Completion Count Address Symbol HKEY_CURRENT_USER_Clas NULL unicode success or wait 1 7FF74C8952DE RegSetValueExW ses\Applications\Resilio Sync.exe\SupportedTypes\.rsls HKEY_CURRENT_USER_Clas NULL unicode success or wait 1 7FF74C8953B0 RegSetValueExW ses\Applications\Resilio Sync.exe\Supp ortedTypes\.rslkey HKEY_CURRENT_USER_Clas NULL unicode success or wait 1 7FF74C895482 RegSetValueExW ses\Applications\Resilio Sync.exe\Supp ortedTypes\.btskey HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74CAFE253 RegSetValueExW ses\Applications\Resilio g\Resilio Sync\Resilio Sync.exe" Sync.exe\shell\open\command /OPEN "%1" HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74CAFE253 RegSetValueExW ses\Applications\Resilio g\Resilio Sync\Resilio Sync.exe" Sync.exe\shell\open\command /OPEN "%1" HKEY_CURRENT_USER_Clas NULL unicode rslsync URI success or wait 1 7FF74CAFE253 RegSetValueExW ses\rslsync HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74CAFE253 RegSetValueExW ses\rsls g\Resilio Sync\Resilio Sync.exe" ync\shell\open\command /ADDURL "%1" HKEY_CURRENT_USER_Clas NULL unicode open success or wait 1 7FF74C8A279B RegSetValueExW ses\rslsync\shell HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74C8A23C8 RegSetValueExW ses\rslsync\DefaultIcon g\Resilio Sync\Resilio Sync.exe" /ADDURL,0 HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74C8A23C8 RegSetValueExW ses\rslsync\DefaultIcon g\Resilio Sync\Resilio Sync.exe" /ADDURL,0 HKEY_CURRENT_USER_Clas NULL unicode btsync URI success or wait 1 7FF74CAFE253 RegSetValueExW ses\btsync HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74CAFE253 RegSetValueExW ses\btsync\shell\open\command g\Resilio Sync\Resilio Sync.exe" /ADDURL "%1" HKEY_CURRENT_USER_Clas NULL unicode open success or wait 1 7FF74C8A279B RegSetValueExW ses\btsync\shell HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74C8A23C8 RegSetValueExW ses\btsync\DefaultIcon g\Resilio Sync\Resilio Sync.exe" /ADDURL,0 HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74C8A23C8 RegSetValueExW ses\btsync\DefaultIcon g\Resilio Sync\Resilio Sync.exe" /ADDURL,0 HKEY_CURRENT_USER_Clas NULL unicode Resilio Sync success or wait 1 7FF74C8A3532 RegSetValueExW ses\.rsls HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74CAFE253 RegSetValueExW ses\Resilio Sync\DefaultIcon g\Resilio Sync\Resilio Sync.exe ",0 HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74CAFE253 RegSetValueExW ses\Resilio g\Resilio Sync\Resilio Sync.exe" Sync\shell\open\command /OPEN "%1" HKEY_CURRENT_USER_Clas NULL unicode open success or wait 1 7FF74C8A373A RegSetValueExW ses\Resilio Sync\shell HKEY_CURRENT_USER_Clas NULL unicode application/x-resilio-sync success or wait 1 7FF74C8A36BD RegSetValueExW ses\Resilio Sync\Content Type HKEY_CURRENT_USER_Clas NULL unicode Resilio Sync success or wait 1 7FF74C8A3532 RegSetValueExW ses\.rslkey HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74CAFE253 RegSetValueExW ses\Resilio Sync\DefaultIcon g\Resilio Sync\Resilio Sync.exe ",0 HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74CAFE253 RegSetValueExW ses\Resilio g\Resilio Sync\Resilio Sync.exe" Sync\shell\open\command /OPEN "%1" HKEY_CURRENT_USER_Clas NULL unicode open success or wait 1 7FF74C8A373A RegSetValueExW ses\Resilio Sync\shell HKEY_CURRENT_USER_Clas NULL unicode application/x-resilio-sync success or wait 1 7FF74C8A36BD RegSetValueExW ses\Resilio Sync\Content Type

Copyright Joe Security LLC 2019 Page 54 of 85 Source Key Path Name Type Old Data New Data Completion Count Address Symbol HKEY_CURRENT_USER_Clas NULL unicode Resilio Sync success or wait 1 7FF74C8A3532 RegSetValueExW ses\.btskey HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74CAFE253 RegSetValueExW ses\Resilio Sync\DefaultIcon g\Resilio Sync\Resilio Sync.exe ",0 HKEY_CURRENT_USER_Clas Extension unicode .rslkey .btskey success or wait 1 7FF74CAFE253 RegSetValueExW ses\MIME\Database\Content Type\application/x-resilio-btskey HKEY_CURRENT_USER_Clas NULL unicode "C:\Users\user\AppData\Roamin success or wait 1 7FF74CAFE253 RegSetValueExW ses\Resilio g\Resilio Sync\Resilio Sync.exe" Sync\shell\open\command /OPEN "%1" HKEY_CURRENT_USER_Clas NULL unicode open success or wait 1 7FF74C8A373A RegSetValueExW ses\Resilio Sync\shell HKEY_CURRENT_USER_Clas NULL unicode application/x-resilio-sync success or wait 1 7FF74C8A36BD RegSetValueExW ses\Resilio Sync\Content Type

Analysis Process: regsvr32.exe PID: 4460 Parent PID: 3896

General

Start time: 18:17:28 Start date: 12/08/2019 Path: C:\Windows\System32\regsvr32.exe Wow64 process (32bit): false Commandline: regsvr32.exe /s /i 'C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPath86_53C.dl l' Imagebase: 0x7ff748be0000 File size: 24064 bytes MD5 hash: D78B75FC68247E8A63ACBA846182740E Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

File Activities

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPath86_53C.dll unknown 64 success or wait 1 7FF748BE10E3 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPath86_53C.dll unknown 264 success or wait 1 7FF748BE1125 ReadFile

Analysis Process: regsvr32.exe PID: 3844 Parent PID: 4460

General

Start time: 18:17:29 Start date: 12/08/2019 Path: C:\Windows\SysWOW64\regsvr32.exe Wow64 process (32bit): true Commandline: /s /i 'C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPath86_53C.dll' Imagebase: 0xa40000 File size: 20992 bytes MD5 hash: 426E7499F6A7346F0410DEAD0805586B Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

Registry Activities

Key Created

Copyright Joe Security LLC 2019 Page 55 of 85 Source Key Path Completion Count Address Symbol HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{581FFA00-FC33-0003-0602-95003A5CDE89} success or wait 1 7340C455 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{581FFA00-FC33-0003-0602-95003A5CDE89 success or wait 1 7340C455 RegCreateKeyExW }\InprocServer32 HKEY_CURRENT_USER\Software\Classes\*\shellex\ContextMenuHandlers\Resilio Sync 2.6.3 success or wait 1 7340C455 RegCreateKeyExW HKEY_CURRENT_USER_Classes\lnkfile success or wait 1 7340C455 RegCreateKeyExW HKEY_CURRENT_USER_Classes\lnkfile\shellex success or wait 1 7340C455 RegCreateKeyExW HKEY_CURRENT_USER_Classes\lnkfile\shellex\ContextMenuHandlers success or wait 1 7340C455 RegCreateKeyExW HKEY_CURRENT_USER_Classes\lnkfile\shellex\ContextMenuHandlers\Resilio Sync 2.6.3 success or wait 1 7340C455 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\Directory\shellex\ContextMenuHandlers\Resilio Sync 2.6.3 success or wait 1 7340C455 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{581FFA01-FC33-0003-0602-95003A5CDE89} success or wait 1 7340C455 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{581FFA01-FC33-0003-0602-95003A5CDE89 success or wait 1 7340C455 RegCreateKeyExW }\InprocServer32 HKEY_CURRENT_USER_Classes\Resilio Sync\shellex success or wait 1 7340C455 RegCreateKeyExW HKEY_CURRENT_USER_Classes\Resilio Sync\shellex\IconHandler success or wait 1 7340C455 RegCreateKeyExW

Key Value Created

Source Key Path Name Type Data Completion Count Address Symbol HKEY_CURRENT_USER_Classes\WOW6 ThreadingModel unicode Apartment success or wait 1 7340C491 RegSetValueExW 432Node\CLSID\{581FFA00-FC33-0003-0602- 95003A5CDE89}\InprocServer32 HKEY_CURRENT_USER_Classes\WOW6 ThreadingModel unicode Apartment success or wait 1 7340C491 RegSetValueExW 432Node\CLSID\{581FFA01-FC33-0003-0602- 95003A5CDE89}\InprocServer32

Key Value Modified

Source Key Path Name Type Old Data New Data Completion Count Address Symbol HKEY_CURRENT_USER_Class NULL unicode Resilio Sync 2.6.3 success or wait 1 7340C491 RegSetValueExW es\WOW6432Node\CLSID\ {581FFA00-FC33-0003-0602- 95003A5CDE89} HKEY_CURRENT_USER_Class NULL unicode C:\Users\user\AppData\Roaming\ success or wait 1 7340C491 RegSetValueExW es\WOW6432Node\CLSID\ Resilio Sync\ShellExtensionPat {581FFA00-FC33-0003-0602- h86_53C.dll 95003A5CDE89}\InprocServer32 HKEY_CURRENT_USER_Class NULL unicode {581FFA00-FC33-0003-0602- success or wait 1 7340C491 RegSetValueExW es\*\sh 95003A5CDE89} ellex\ContextMenuHandlers\Resi lio Sync 2.6.3 HKEY_CURRENT_USER_Class NULL unicode {581FFA00-FC33-0003-0602- success or wait 1 7340C491 RegSetValueExW es\lnkf 95003A5CDE89} ile\shellex\ContextMenuHandler s\Resilio Sync 2.6.3 HKEY_CURRENT_USER_Class NULL unicode {581FFA00-FC33-0003-0602- success or wait 1 7340C491 RegSetValueExW es\Dire 95003A5CDE89} ctory\shellex\ContextMenuHandl ers\Resilio Sync 2.6.3 HKEY_CURRENT_USER_Class NULL unicode Resilio Sync 2.6.3 success or wait 1 7340C491 RegSetValueExW es\WOW6432Node\CLSID\ {581FFA01-FC33-0003-0602- 95003A5CDE89} HKEY_CURRENT_USER_Class NULL unicode C:\Users\user\AppData\Roaming\ success or wait 1 7340C491 RegSetValueExW es\WOW6432Node\CLSID\ Resilio Sync\ShellExtensionPat {581FFA01-FC33-0003-0602- h86_53C.dll 95003A5CDE89}\InprocServer32 HKEY_CURRENT_USER_Class NULL unicode {581FFA01-FC33-0003-0602- success or wait 1 7340C491 RegSetValueExW es\Resilio 95003A5CDE89} Sync\shellex\IconHandler

Analysis Process: regsvr32.exe PID: 2704 Parent PID: 3896

General

Start time: 18:17:30 Start date: 12/08/2019 Path: C:\Windows\System32\regsvr32.exe Wow64 process (32bit): false Copyright Joe Security LLC 2019 Page 56 of 85 Commandline: regsvr32.exe /s /i 'C:\Users\user\AppData\Roaming\Resilio Sync\ShellExtensionPath64_53C.dl l' Imagebase: 0x7ff748be0000 File size: 24064 bytes MD5 hash: D78B75FC68247E8A63ACBA846182740E Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

Registry Activities

Key Created

Source Key Path Completion Count Address Symbol HKEY_CURRENT_USER\Software\Classes\CLSID\{581FFA00-FC33-0003-0602-95003A5CDE89} success or wait 1 7FFEF1E2D380 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\CLSID\{581FFA00-FC33-0003-0602-95003A5CDE89}\InprocServer32 success or wait 1 7FFEF1E2D380 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\*\shellex\ContextMenuHandlers\Resilio Sync 2.6.3 success or wait 1 7FFEF1E2D380 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\lnkfile\shellex\ContextMenuHandlers\Resilio Sync 2.6.3 success or wait 1 7FFEF1E2D380 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\Directory\shellex\ContextMenuHandlers\Resilio Sync 2.6.3 success or wait 1 7FFEF1E2D380 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\CLSID\{581FFA01-FC33-0003-0602-95003A5CDE89} success or wait 1 7FFEF1E2D380 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\CLSID\{581FFA01-FC33-0003-0602-95003A5CDE89}\InprocServer32 success or wait 1 7FFEF1E2D380 RegCreateKeyExW HKEY_CURRENT_USER\Software\Classes\Resilio Sync\shellex\IconHandler success or wait 1 7FFEF1E2D380 RegCreateKeyExW

Key Value Created

Source Key Path Name Type Data Completion Count Address Symbol HKEY_CURRENT_USER_Classes\CLSID\ ThreadingModel unicode Apartment success or wait 1 7FFEF1E2D3CD RegSetValueExW {581FFA00-FC33-0003-0602-950 03A5CDE89}\InprocServer32 HKEY_CURRENT_USER_Classes\CLSID\ ThreadingModel unicode Apartment success or wait 1 7FFEF1E2D3CD RegSetValueExW {581FFA01-FC33-0003-0602-950 03A5CDE89}\InprocServer32

Key Value Modified

Source Key Path Name Type Old Data New Data Completion Count Address Symbol HKEY_CURRENT_USER_Class NULL unicode Resilio Sync 2.6.3 success or wait 1 7FFEF1E2D3CD RegSetValueExW es\CLSID\{581FFA00-FC33- 0003-0602-95003A5CDE89} HKEY_CURRENT_USER_Class NULL unicode C:\Users\user\AppData\Roaming success or wait 1 7FFEF1E2D3CD RegSetValueExW es\CLSID\{581FFA00-FC33- \Resilio Sync\ShellExtensionPat 0003-0602-950 h64_53C.dll 03A5CDE89}\InprocServer32 HKEY_CURRENT_USER_Class NULL unicode {581FFA00-FC33-0003-0602- success or wait 1 7FFEF1E2D3CD RegSetValueExW es\*\sh 95003A5CDE89} ellex\ContextMenuHandlers\Res ilio Sync 2.6.3 HKEY_CURRENT_USER_Class NULL unicode {581FFA00-FC33-0003-0602- success or wait 1 7FFEF1E2D3CD RegSetValueExW es\lnkf 95003A5CDE89} ile\shellex\ContextMenuHandler s\Resilio Sync 2.6.3 HKEY_CURRENT_USER_Class NULL unicode {581FFA00-FC33-0003-0602- success or wait 1 7FFEF1E2D3CD RegSetValueExW es\Dire 95003A5CDE89} ctory\shellex\ContextMenuHandl ers\Resilio Sync 2.6.3 HKEY_CURRENT_USER_Class NULL unicode Resilio Sync 2.6.3 success or wait 1 7FFEF1E2D3CD RegSetValueExW es\CLSID\{581FFA01-FC33- 0003-0602-95003A5CDE89} HKEY_CURRENT_USER_Class NULL unicode C:\Users\user\AppData\Roaming success or wait 1 7FFEF1E2D3CD RegSetValueExW es\CLSID\{581FFA01-FC33- \Resilio Sync\ShellExtensionPat 0003-0602-950 h64_53C.dll 03A5CDE89}\InprocServer32 HKEY_CURRENT_USER_Class NULL unicode {581FFA01-FC33-0003-0602- success or wait 1 7FFEF1E2D3CD RegSetValueExW es\Resilio 95003A5CDE89} Sync\shellex\IconHandler

Analysis Process: Resilio-Sync_x64.exe PID: 2404 Parent PID: 3896

Start time: 18:17:31 Start date: 12/08/2019 Path: C:\Users\user\Desktop\Resilio-Sync_x64.exe Wow64 process (32bit): false Commandline: 'C:\Users\user\Desktop\Resilio-Sync_x64.exe' /ADMINTASKS NRSDEOTJMRUT AZJUHJXGC3LFGE2DUU3VPJQW43TFEBCGC5TJMVZTIOTQMF2GQNRZHJBTUXCV ONSXE424KN2XUYLONZSSARDBOZUWK424IFYHARDBORQVYUTPMFWWS3THLRJG K43JNRUW6ICTPFXGGXCSMVZWS3DJN4QFG6LOMMXGK6DFMVSDEOTJMRUTIZJU HJ2XGZLSGE2DUU3VPJQW43TFEBCGC5TJMVZWKZI Imagebase: 0x7ff74c500000 File size: 23588360 bytes MD5 hash: 97E86D489C0D6D6185C890257CF87BE7 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

File Created

Copyright Joe Security LLC 2019 Page 58 of 85 Source File Path Access Attributes Options Completion Count Address Symbol C:\ProgramData\Resilio Sync\ShellExtensionOverlay86_53C.dll read attributes | normal synchronous io success or wait 1 7FF74CAF99E5 CreateFileW synchronize | non alert | non generic read | directory file generic write C:\ProgramData\Resilio Sync\done.ico read attributes | normal synchronous io success or wait 1 7FF74C8A5543 CreateFileW synchronize | non alert | non generic read | directory file generic write C:\ProgramData\Resilio Sync\ro.ico read attributes | normal synchronous io success or wait 1 7FF74C8A5543 CreateFileW synchronize | non alert | non generic read | directory file generic write C:\ProgramData\Resilio Sync\rw.ico read attributes | normal synchronous io success or wait 1 7FF74C8A5543 CreateFileW synchronize | non alert | non generic read | directory file generic write C:\ProgramData\Resilio Sync\ShellExtensionOverlay64_53C.dll read attributes | normal synchronous io success or wait 1 7FF74CAF99E5 CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\history.dat.new read attributes | normal synchronous io success or wait 1 7FF74C8055DA CreateFileW synchronize | non alert | non generic read | directory file generic write

File Moved

File Written

Copyright Joe Security LLC 2019 Page 59 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio unknown 754 37 3a 62 6f 72 6e 5f 7:born_oni0e14:born_on_r success or wait 1 7FF74C8052EF WriteFile Sync\settings.dat.new 6f 6e 69 30 65 31 34 emotei 3a 62 6f 72 6e 5f 6f 0e17:check_update_betai0 6e 5f 72 65 6d 6f 74 e28:di 65 69 30 65 31 37 3a rect_torrent_max_file_sizei 63 68 65 63 6b 5f 75 104 70 64 61 74 65 5f 62 85760e18:diskio_cache_li 65 74 61 69 30 65 32 miti50 38 3a 64 69 72 65 63 0e3:fgti0e16:history_log_si 74 5f 74 6f 72 72 65 zei 6e 74 5f 6d 61 78 5f 100e18:history_time_limiti 66 69 6c 65 5f 73 69 30e2 7a 65 69 31 30 34 38 5:install_modification_timei 35 37 36 30 65 31 38 0e 3a 64 69 73 6b 69 6f 12:install_timei0e24:is_we 5f 63 61 63 68 65 5f bui_credentials_set 6c 69 6d 69 74 69 35 30 30 65 33 3a 66 67 74 69 30 65 31 36 3a 68 69 73 74 6f 72 79 5f 6c 6f 67 5f 73 69 7a 65 69 31 30 30 65 31 38 3a 68 69 73 74 6f 72 79 5f 74 69 6d 65 5f 6c 69 6d 69 74 69 33 30 65 32 35 3a 69 6e 73 74 61 6c 6c 5f 6d 6f 64 69 66 69 63 61 74 69 6f 6e 5f 74 69 6d 65 69 30 65 31 32 3a 69 6e 73 74 61 6c 6c 5f 74 69 6d 65 69 30 65 32 34 3a 69 73 5f 77 65 62 75 69 5f 63 72 65 64 65 6e 74 69 61 6c 73 5f 73 65 74 C:\ProgramData\Resilio Sync\Sh unknown 480768 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 7FF74CAF9A0E WriteFile ellExtensionOverlay86_53C.dll 00 04 00 00 00 ff ff ...... 00 00 b8 00 00 00 00 ...... !..L.!This program 00 00 00 40 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... 00 00 00 00 00 00 00 ...... h...... 00 00 00 00 00 00 00 ...... 00 00 00 00 18 01 00 .."...... Z..... 00 0e 1f ba 0e 00 b4 ...... Rich... 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 87 90 cb de c3 f1 a5 8d c3 f1 a5 8d c3 f1 a5 8d b0 93 a6 8c ce f1 a5 8d b0 93 a0 8c 68 f1 a5 8d b0 93 a1 8c d5 f1 a5 8d 89 94 a6 8c da f1 a5 8d 89 94 a0 8c f2 f1 a5 8d 89 94 a1 8c e0 f1 a5 8d b0 93 a3 8c c6 f1 a5 8d b0 93 a4 8c d0 f1 a5 8d c3 f1 a4 8d 22 f1 a5 8d d0 97 ac 8c ff f1 a5 8d d0 97 a5 8c c2 f1 a5 8d d0 97 5a 8d c2 f1 a5 8d d0 97 a7 8c c2 f1 a5 8d 52 69 63 68 c3 f1 a5

Copyright Joe Security LLC 2019 Page 60 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\ProgramData\Resilio Sync\done.ico unknown 25945 00 00 01 00 05 00 00 ...... Q!..V...... success or wait 1 7FF74C8052EF WriteFile 00 00 00 01 00 20 00 h....!...... &...... 51 21 00 00 56 00 00 ...... /..00...... %...?...PNG 00 10 10 00 00 01 00 ...... IHDR...... \r.f.. 20 00 68 04 00 00 a7 .IDATx...y\Te.?...a..`...... 21 00 00 00 00 00 00 Pp...~..i..i...Z.i...... !....W 01 00 20 00 fa 08 00 )....VTjn...... "...6.3.l.?.Cd 00 0f 26 00 00 20 20 ..3.>3s..Kf...... =g.B.2h...... 00 00 01 00 20 00 a8 .^..7z]Z...8... 10 00 00 09 2f 00 00 30 30 00 00 01 00 20 00 a8 25 00 00 b1 3f 00 00 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 20 00 49 44 41 54 78 9c ed dd 79 5c 54 65 fb 3f f0 eb 9c 61 80 19 60 d8 14 8c 1d 17 b4 50 70 c1 84 80 7e 88 a9 69 a6 88 69 8f bb 01 5a 8f 69 9a 99 e6 f2 b5 f2 21 b7 8a b4 cc 57 29 a0 b8 96 e6 56 54 6a 6e 05 0a a5 82 20 98 80 22 ab 09 ca 36 0c 33 c0 6c bf 3f 0a 43 64 9b 99 33 e7 3e 33 73 bd ff 4b 66 ce f9 e4 8b cf e5 3d 67 ce 42 01 32 68 c9 fe 03 1c aa a3 a4 5e d1 bb 37 7a 5d 5a 9b df ab 38 a5 ca b1 C:\ProgramData\Resilio Sync\ro.ico unknown 88092 00 00 01 00 08 00 10 ...... h...... success or wait 1 7FF74C8052EF WriteFile 10 00 00 01 00 20 00 ...... v...((.... .h...... 68 04 00 00 86 00 00 .."...9..@@.... .(B...\..``.... 00 18 18 00 00 01 00 .....V...... %...2..(...... 20 00 88 09 00 00 ee ...... 04 00 00 20 20 00 00 ..333N333.333.QQQ.\\\.aa 01 00 20 00 a8 10 00 a.fff.fff.fff.fff.ffg.fff.fff.fff... 00 76 0e 00 00 28 28 ..333.XXX...... 00 00 01 00 20 00 68 1a 00 00 1e 1f 00 00 2e 2e 00 00 01 00 20 00 a8 22 00 00 86 39 00 00 40 40 00 00 01 00 20 00 28 42 00 00 2e 5c 00 00 60 60 00 00 01 00 20 00 a8 94 00 00 56 9e 00 00 00 00 00 00 01 00 20 00 1e 25 00 00 fe 32 01 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 ff ff ff 00 33 33 33 4e 33 33 33 be 33 33 33 f4 51 51 51 fa 5c 5c 5c ef 61 61 61 d2 66 66 66 bf 66 66 66 bf 66 66 66 bf 66 66 66 bf 66 66 67 bf 66 66 66 bf 66 66 66 bf 66 66 66 93 ff ff ff 00 33 33 33 84 58 58 58 ff c6 c6 c6 ff fa

Copyright Joe Security LLC 2019 Page 61 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\ProgramData\Resilio Sync\rw.ico unknown 85750 00 00 01 00 08 00 10 ...... h...... success or wait 1 7FF74C8052EF WriteFile 10 00 00 01 00 20 00 ...... v...((.... .h...... 68 04 00 00 86 00 00 .."...9..@@.... .(B...\..``.... 00 18 18 00 00 01 00 .....V...... 2..(...... 20 00 88 09 00 00 ee ...... 04 00 00 20 20 00 00 ..333N333.333.333.333.33 01 00 20 00 a8 10 00 3Mfff.fff...... 00 76 0e 00 00 28 28 ..333.XXX...... 00 00 01 00 20 00 68 1a 00 00 1e 1f 00 00 2e 2e 00 00 01 00 20 00 a8 22 00 00 86 39 00 00 40 40 00 00 01 00 20 00 28 42 00 00 2e 5c 00 00 60 60 00 00 01 00 20 00 a8 94 00 00 56 9e 00 00 00 00 00 00 01 00 20 00 f8 1b 00 00 fe 32 01 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 ff ff ff 00 33 33 33 4e 33 33 33 be 33 33 33 f4 33 33 33 f4 33 33 33 be 33 33 33 4d 66 66 66 00 66 66 66 00 ff ff ff 00 ff ff ff 00 ff ff ff 00 ff ff ff 00 ff ff ff 00 ff ff ff 00 ff ff ff 00 33 33 33 84 58 58 58 ff c6 c6 c6 ff fa C:\ProgramData\Resilio Sync\Sh unknown 542208 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 7FF74CAF9A0E WriteFile ellExtensionOverlay64_53C.dll 00 04 00 00 00 ff ff ...... 00 00 b8 00 00 00 00 ...... !..L.!This program 00 00 00 40 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... a..k%kw8%kw8%kw 00 00 00 00 00 00 00 8V.t9/k 00 00 00 00 00 00 00 w8V.s97kw8V.r9.kw8o.t9/k 00 00 00 00 10 01 00 w8o.r9.kw8o.s9.kw8V.q9 00 0e 1f ba 0e 00 b4 kw8V.v96kw8%k 09 cd 21 b8 01 4c cd v8.kw86.~9.kw86.w9$kw8 21 54 68 69 73 20 70 6..8$kw8 72 6f 67 72 61 6d 20 6.u9$kw8Rich%kw 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 61 0a 19 6b 25 6b 77 38 25 6b 77 38 25 6b 77 38 56 09 74 39 2f 6b 77 38 56 09 73 39 37 6b 77 38 56 09 72 39 8e 6b 77 38 6f 0e 74 39 2f 6b 77 38 6f 0e 72 39 15 6b 77 38 6f 0e 73 39 01 6b 77 38 56 09 71 39 20 6b 77 38 56 09 76 39 36 6b 77 38 25 6b 76 38 c0 6b 77 38 36 0d 7e 39 19 6b 77 38 36 0d 77 39 24 6b 77 38 36 0d 88 38 24 6b 77 38 36 0d 75 39 24 6b 77 38 52 69 63 68 25 6b 77 C:\Users\user\AppData\Roaming\Resilio unknown 57 64 31 30 3a 2e 66 69 d10:.fileguard40:7ECDE89 success or wait 1 7FF74C80565F WriteFile Sync\history.dat.new 6c 65 67 75 61 72 64 CE8A76 34 30 3a 37 45 43 44 BD4E137100AF0103D759 45 38 39 43 45 38 41 591ED80 37 36 42 44 34 45 31 33 37 31 30 30 41 46 30 31 30 33 44 37 35 39 35 39 31 45 44 38 30 C:\Users\user\AppData\Roaming\Resilio unknown 11 36 3a 65 76 65 6e 74 6:eventslee success or wait 1 7FF74C8052EF WriteFile Sync\history.dat.new 73 6c 65 65

Copyright Joe Security LLC 2019 Page 62 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 51 5b 32 30 31 39 2d 30 [2019-08-12 18:17:38.867] success or wait 1 7FF74CCEC69E WriteFile 38 2d 31 32 20 31 38 saved history: 0 events.. 3a 31 37 3a 33 38 2e 38 36 37 5d 20 73 61 76 65 64 20 68 69 73 74 6f 72 79 3a 20 30 20 65 76 65 6e 74 73 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 66 5b 32 30 31 39 2d 30 [2019-08-12 18:17:38.883] success or wait 1 7FF74CCEC69E WriteFile 38 2d 31 32 20 31 38 Torrent session shutdown: 3a 31 37 3a 33 38 2e done waiting.. 38 38 33 5d 20 54 6f 72 72 65 6e 74 20 73 65 73 73 69 6f 6e 20 73 68 75 74 64 6f 77 6e 3a 20 64 6f 6e 65 20 77 61 69 74 69 6e 67 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 52 5b 32 30 31 39 2d 30 [2019-08-12 18:17:38.883] success or wait 1 7FF74CCEC69E WriteFile 38 2d 31 32 20 31 38 Stopping network threads.. 3a 31 37 3a 33 38 2e 38 38 33 5d 20 53 74 6f 70 70 69 6e 67 20 6e 65 74 77 6f 72 6b 20 74 68 72 65 61 64 73 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 60 5b 32 30 31 39 2d 30 [2019-08-12 18:17:38.883] success or wait 1 7FF74CCEC69E WriteFile 38 2d 31 32 20 31 38 Shutdown. Saving config 3a 31 37 3a 33 38 2e sync.dat.. 38 38 33 5d 20 53 68 75 74 64 6f 77 6e 2e 20 53 61 76 69 6e 67 20 63 6f 6e 66 69 67 20 73 79 6e 63 2e 64 61 74 0d 0a

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\debug.txt unknown 11 success or wait 1 7FF74C805545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat unknown 811 success or wait 1 7FF74C805545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat unknown 811 success or wait 1 7FF74C805545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new unknown 811 success or wait 1 7FF74C805545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\history.dat.new unknown 68 success or wait 1 7FF74C805545 ReadFile

Registry Activities

Key Created

Source Key Path Completion Count Address Symbol HKEY_LOCAL_MACHINE\SOFTWARE\Resilio success or wait 1 7FF74CAFE206 RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Resilio\Sync success or wait 1 7FF74CAFE206 RegCreateKeyExW

Key Value Created

Source Key Path Name Type Data Completion Count Address Symbol HKEY_LOCAL_MACHINE\SOFTWARE\Re ShellExtensionOverlay86 unicode C:\ProgramData\Resilio Sync\Sh success or wait 1 7FF74CAFE253 RegSetValueExW silio\Sync ellExtensionOverlay86_53C.dll HKEY_LOCAL_MACHINE\SOFTWARE\Re ShellExtensionOverlay64 unicode C:\ProgramData\Resilio Sync\Sh success or wait 1 7FF74CAFE253 RegSetValueExW silio\Sync ellExtensionOverlay64_53C.dll HKEY_LOCAL_MACHINE\SOFTWARE\Re Users unicode l14:usere success or wait 1 7FF74CAFE253 RegSetValueExW silio\Sync

Analysis Process: regsvr32.exe PID: 2880 Parent PID: 2404

General

Start time: 18:17:37

Copyright Joe Security LLC 2019 Page 63 of 85 Start date: 12/08/2019 Path: C:\Windows\System32\regsvr32.exe Wow64 process (32bit): false Commandline: regsvr32.exe /s /i 'C:\ProgramData\Resilio Sync\ShellExtensionOverlay86_53C.dll' Imagebase: 0x7ff748be0000 File size: 24064 bytes MD5 hash: D78B75FC68247E8A63ACBA846182740E Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

File Activities

File Read

Source File Path Offset Length Completion Count Address Symbol C:\ProgramData\Resilio Sync\ShellExtensionOverlay86_53C.dll unknown 64 success or wait 1 7FF748BE10E3 ReadFile C:\ProgramData\Resilio Sync\ShellExtensionOverlay86_53C.dll unknown 264 success or wait 1 7FF748BE1125 ReadFile

Analysis Process: regsvr32.exe PID: 2536 Parent PID: 2880

General

Start time: 18:17:37 Start date: 12/08/2019 Path: C:\Windows\SysWOW64\regsvr32.exe Wow64 process (32bit): true Commandline: /s /i 'C:\ProgramData\Resilio Sync\ShellExtensionOverlay86_53C.dll' Imagebase: 0xa40000 File size: 20992 bytes MD5 hash: 426E7499F6A7346F0410DEAD0805586B Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: regsvr32.exe PID: 2864 Parent PID: 2404

General

Start time: 18:17:38 Start date: 12/08/2019 Path: C:\Windows\System32\regsvr32.exe Wow64 process (32bit): false Commandline: regsvr32.exe /s /i 'C:\ProgramData\Resilio Sync\ShellExtensionOverlay64_53C.dll' Imagebase: 0x7ff748be0000 File size: 24064 bytes MD5 hash: D78B75FC68247E8A63ACBA846182740E Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate Copyright Joe Security LLC 2019 Page 64 of 85 Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: Resilio Sync.exe PID: 4524 Parent PID: 2956

General

Start time: 18:17:39 Start date: 12/08/2019 Path: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe Wow64 process (32bit): false Commandline: 'C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe' /MINIMIZED Imagebase: 0x7ff640cc0000 File size: 23588360 bytes MD5 hash: 97E86D489C0D6D6185C890257CF87BE7 Has administrator privileges: false Programmed in: C, C++ or other language Antivirus matches: Detection: 0%, virustotal, Browse Detection: 0%, metadefender, Browse Reputation: low

File Activities

File Created

Source File Path Access Attributes Options Completion Count Address Symbol C:\Users read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync read data or list normal directory file | object name collision 1 7FF640E7093F CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point

Copyright Joe Security LLC 2019 Page 65 of 85 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new read attributes | normal synchronous io success or wait 1 7FF640FC55DA CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\FileDelayConfig read attributes | normal synchronous io success or wait 1 7FF6412B99E5 CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new read attributes | normal synchronous io success or wait 1 7FF640FC55DA CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new read attributes | normal synchronous io success or wait 1 7FF640FC55DA CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\storage.db read attributes | normal synchronous io success or wait 1 7FF64131A5FF CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\storage.db-journal read attributes | normal synchronous io success or wait 1 7FF64131A5FF CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\storage.db-wal read attributes | normal synchronous io success or wait 1 7FF64131A5FF CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point Copyright Joe Security LLC 2019 Page 66 of 85 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 2 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData read data or list normal directory file | object name collision 2 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming read data or list normal directory file | object name collision 2 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync read data or list normal directory file | object name collision 2 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync\ie read data or list normal directory file | success or wait 1 7FF64103FF09 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point

File Deleted

Source File Path Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\storage.db-journal success or wait 1 7FF64131A8A3 DeleteFileW

File Moved

Source Old File Path New File Path Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.old. success or wait 1 7FF640FC5BC4 MoveFileExW C:\Users\user\AppData\Roaming\Resilio C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.o success or wait 1 7FF640FC5BE4 MoveFileExW Sync\settings.dat.new C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.old. success or wait 1 7FF640FC5BC4 MoveFileExW C:\Users\user\AppData\Roaming\Resilio C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat&. success or wait 1 7FF640FC5BE4 MoveFileExW Sync\settings.dat.new C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat C:\Users\user\AppData\Roaming\Resilio success or wait 1 7FF640FC5BC4 MoveFileExW Sync\settings.dat.oldZE C:\Users\user\AppData\Roaming\Resilio C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat&. success or wait 1 7FF640FC5BE4 MoveFileExW Sync\settings.dat.new

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 67 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.478] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Debug log mask has been 3a 31 37 3a 34 32 2e set to FFFFFFFF.. 34 37 38 5d 20 44 65 62 75 67 20 6c 6f 67 20 6d 61 73 6b 20 68 61 73 20 62 65 65 6e 20 73 65 74 20 74 6f 20 46 46 46 46 46 46 46 46 0d 0a Copyright Joe Security LLC 2019 Page 67 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 59 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.494] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Features mask has been 3a 31 37 3a 34 32 2e set to 0.. 34 39 34 5d 20 46 65 61 74 75 72 65 73 20 6d 61 73 6b 20 68 61 73 20 62 65 65 6e 20 73 65 74 20 74 6f 20 30 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 75 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.494] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 ZIP: Can't locate [version] 3a 31 37 3a 34 32 2e in zip, error -100... 34 39 34 5d 20 5a 49 50 3a 20 43 61 6e 27 74 20 6c 6f 63 61 74 65 20 5b 76 65 72 73 69 6f 6e 5d 20 69 6e 20 7a 69 70 2c 20 65 72 72 6f 72 20 2d 31 30 30 2e 0d 0a C:\Users\user\AppData\Roaming\Resilio unknown 57 64 31 30 3a 2e 66 69 d10:.fileguard40:B4948E6 success or wait 1 7FF640FC565F WriteFile Sync\settings.dat.new 6c 65 67 75 61 72 64 BFC1ED 34 30 3a 42 34 39 34 3EF548F134B1331EF2579 38 45 36 42 46 43 31 8DB9B7 45 44 33 45 46 35 34 38 46 31 33 34 42 31 33 33 31 45 46 32 35 37 39 38 44 42 39 42 37 C:\Users\user\AppData\Roaming\Resilio unknown 754 37 3a 62 6f 72 6e 5f 7:born_oni0e14:born_on_re success or wait 1 7FF640FC52EF WriteFile Sync\settings.dat.new 6f 6e 69 30 65 31 34 motei 3a 62 6f 72 6e 5f 6f 0e17:check_update_betai0 6e 5f 72 65 6d 6f 74 e28:di 65 69 30 65 31 37 3a rect_torrent_max_file_sizei 63 68 65 63 6b 5f 75 104 70 64 61 74 65 5f 62 85760e18:diskio_cache_li 65 74 61 69 30 65 32 miti50 38 3a 64 69 72 65 63 0e3:fgti0e16:history_log_si 74 5f 74 6f 72 72 65 zei 6e 74 5f 6d 61 78 5f 100e18:history_time_limiti 66 69 6c 65 5f 73 69 30e2 7a 65 69 31 30 34 38 5:install_modification_timei 35 37 36 30 65 31 38 0e 3a 64 69 73 6b 69 6f 12:install_timei0e24:is_we 5f 63 61 63 68 65 5f bui_credentials_set 6c 69 6d 69 74 69 35 30 30 65 33 3a 66 67 74 69 30 65 31 36 3a 68 69 73 74 6f 72 79 5f 6c 6f 67 5f 73 69 7a 65 69 31 30 30 65 31 38 3a 68 69 73 74 6f 72 79 5f 74 69 6d 65 5f 6c 69 6d 69 74 69 33 30 65 32 35 3a 69 6e 73 74 61 6c 6c 5f 6d 6f 64 69 66 69 63 61 74 69 6f 6e 5f 74 69 6d 65 69 30 65 31 32 3a 69 6e 73 74 61 6c 6c 5f 74 69 6d 65 69 30 65 32 34 3a 69 73 5f 77 65 62 75 69 5f 63 72 65 64 65 6e 74 69 61 6c 73 5f 73 65 74 C:\Users\user\AppData\Roaming\Resilio Sync\sync.pid unknown 5 34 35 32 34 0a 4524. success or wait 1 7FF640E88662 WriteFile

Copyright Joe Security LLC 2019 Page 68 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 138 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.712] success or wait 3 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 VerifyFileWithHash failed 3a 31 37 3a 34 32 2e on file 37 31 32 5d 20 56 65 C:\Users\user\AppData\Ro 72 69 66 79 46 69 6c aming\Resilio 65 57 69 74 68 48 61 Sync\sync.dat with status 73 68 20 66 61 69 6c 2... 65 64 20 6f 6e 20 66 69 6c 65 20 43 3a 5c 55 73 65 72 73 5c 53 75 7a 61 6e 6e 65 20 44 61 76 69 65 73 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 52 65 73 69 6c 69 6f 20 53 79 6e 63 5c 73 79 6e 63 2e 64 61 74 20 77 69 74 68 20 73 74 61 74 75 73 20 32 2e 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 60 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.712] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Failed to find/load sync.dat 3a 31 37 3a 34 32 2e - 2.. 37 31 32 5d 20 46 61 69 6c 65 64 20 74 6f 20 66 69 6e 64 2f 6c 6f 61 64 20 73 79 6e 63 2e 64 61 74 20 2d 20 32 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 79 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.712] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 test sha1: 3a 31 37 3a 34 32 2e AE5BD8EFEA5322C4D99 37 31 32 5d 20 74 65 86D0 73 74 20 73 68 61 31 6680A781392F9A642.. 3a 20 41 45 35 42 44 38 45 46 45 41 35 33 32 32 43 34 44 39 39 38 36 44 30 36 36 38 30 41 37 38 31 33 39 32 46 39 41 36 34 32 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 103 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.712] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 test sha2: 3a 31 37 3a 34 32 2e 630DCD2966C4336691125 37 31 32 5d 20 74 65 44 73 74 20 73 68 61 32 8BBB25B4FF412A49C732 3a 20 36 33 30 44 43 DB2C8ABC1B 44 32 39 36 36 43 34 8581BD710DD.. 33 33 36 36 39 31 31 32 35 34 34 38 42 42 42 32 35 42 34 46 46 34 31 32 41 34 39 43 37 33 32 44 42 32 43 38 41 42 43 31 42 38 35 38 31 42 44 37 31 30 44 44 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 102 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.727] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 test aes: 3a 31 37 3a 34 32 2e 0A940BB5416EF045F1C3 37 32 37 5d 20 74 65 9458 73 74 20 61 65 73 3a C653EA5A07FEEF74E1D 20 30 41 39 34 30 42 5036E900EEE 42 35 34 31 36 45 46 118E949293.. 30 34 35 46 31 43 33 39 34 35 38 43 36 35 33 45 41 35 41 30 37 46 45 45 46 37 34 45 31 44 35 30 33 36 45 39 30 30 45 45 45 31 31 38 45 39 34 39 32 39 33 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 75 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.727] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 unable to get handle to 3a 31 37 3a 34 32 2e drive \\.\, error = 123.. 37 32 37 5d 20 75 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 68 61 6e 64 6c 65 20 74 6f 20 64 72 69 76 65 20 5c 5c 2e 5c 2c 20 65 72 72 6f 72 20 3d 20 31 32 33 0d 0a

Copyright Joe Security LLC 2019 Page 69 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 139 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.727] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 DISK 3a 31 37 3a 34 32 2e IO[0x000001bfd48b3a80]: 37 32 37 5d 20 44 49 Create diskio pool for drive 53 4b 49 4f 5b 30 78 with id 30 30 30 30 30 31 62 18446744073709551614, 66 64 34 38 62 33 61 path: , type: 0, size: 1.. 38 30 5d 3a 20 43 72 65 61 74 65 20 64 69 73 6b 69 6f 20 70 6f 6f 6c 20 66 6f 72 20 64 72 69 76 65 20 77 69 74 68 20 69 64 20 31 38 34 34 36 37 34 34 30 37 33 37 30 39 35 35 31 36 31 34 2c 20 70 61 74 68 3a 20 2c 20 74 79 70 65 3a 20 30 2c 20 73 69 7a 65 3a 20 31 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 63 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.727] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 WORK 3a 31 37 3a 34 32 2e ER[0x000001bfd48823f0]: 37 32 37 5d 20 57 4f created.. 52 4b 45 52 5b 30 78 30 30 30 30 30 31 62 66 64 34 38 38 32 33 66 30 5d 3a 20 63 72 65 61 74 65 64 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 63 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.727] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 DISK 3a 31 37 3a 34 32 2e IO[0x000001bfd48b3a80]: 37 32 37 5d 20 44 49 created.. 53 4b 49 4f 5b 30 78 30 30 30 30 30 31 62 66 64 34 38 62 33 61 38 30 5d 3a 20 63 72 65 61 74 65 64 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 132 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.727] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 DISK 3a 31 37 3a 34 32 2e _WORKER[0x000001bfd4 37 32 37 5d 20 44 49 8823f0]: diskio thread start, 53 4b 5f 57 4f 52 4b drive_id = 45 52 5b 30 78 30 30 18446744073709551614, 30 30 30 31 62 66 64 priority = normal.. 34 38 38 32 33 66 30 5d 3a 20 64 69 73 6b 69 6f 20 74 68 72 65 61 64 20 73 74 61 72 74 2c 20 64 72 69 76 65 5f 69 64 20 3d 20 31 38 34 34 36 37 34 34 30 37 33 37 30 39 35 35 31 36 31 34 2c 20 70 72 69 6f 72 69 74 79 20 3d 20 6e 6f 72 6d 61 6c 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 63 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.727] success or wait 2 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 WORK 3a 31 37 3a 34 32 2e ER[0x000001bfd48b43e0]: 37 32 37 5d 20 57 4f created.. 52 4b 45 52 5b 30 78 30 30 30 30 30 31 62 66 64 34 38 62 34 33 65 30 5d 3a 20 63 72 65 61 74 65 64 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 68 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.743] success or wait 3 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 WORK 3a 31 37 3a 34 32 2e ER[0x000001bfd48b43e0]: 37 34 33 5d 20 57 4f thread start.. 52 4b 45 52 5b 30 78 30 30 30 30 30 31 62 66 64 34 38 62 34 33 65 30 5d 3a 20 74 68 72 65 61 64 20 73 74 61 72 74 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 63 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.743] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 WORK 3a 31 37 3a 34 32 2e ER[0x000001bfd48e8800]: 37 34 33 5d 20 57 4f created.. 52 4b 45 52 5b 30 78 30 30 30 30 30 31 62 66 64 34 38 65 38 38 30 30 5d 3a 20 63 72 65 61 74 65 64 0d 0a

Copyright Joe Security LLC 2019 Page 70 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio unknown 187 ef bb bf 7b 22 2a 2e ... success or wait 1 7FF6412B9A0E WriteFile Sync\FileDelayConfig 61 63 63 64 62 22 3a {"*.accdb":10,"*.doc":10,"* 31 30 2c 22 2a 2e 64 .docx":10,"*.dwg":10,"*.dxf" 6f 63 22 3a 31 30 2c :1 22 2a 2e 64 6f 63 78 0,"*.indd":10,"*.laccdb":10, 22 3a 31 30 2c 22 2a "* 2e 64 77 67 22 3a 31 .ppt":10,"*.pptx":10,"*.psd": 30 2c 22 2a 2e 64 78 1 66 22 3a 31 30 2c 22 0,"*.stl":10,"*.vsd":10,"*.xls 2a 2e 69 6e 64 64 22 ":10,"*.xlsx":10,"root_acl_e 3a 31 30 2c 22 2a 2e ntry":10} 6c 61 63 63 64 62 22 3a 31 30 2c 22 2a 2e 70 70 74 22 3a 31 30 2c 22 2a 2e 70 70 74 78 22 3a 31 30 2c 22 2a 2e 70 73 64 22 3a 31 30 2c 22 2a 2e 73 74 6c 22 3a 31 30 2c 22 2a 2e 76 73 64 22 3a 31 30 2c 22 2a 2e 78 6c 73 22 3a 31 30 2c 22 2a 2e 78 6c 73 78 22 3a 31 30 2c 22 72 6f 6f 74 5f 61 63 6c 5f 65 6e 74 72 79 22 3a 31 30 7d C:\Users\user\AppData\Roaming\Resilio unknown 57 64 31 30 3a 2e 66 69 d10:.fileguard40:8E154644 success or wait 1 7FF640FC565F WriteFile Sync\settings.dat.new 6c 65 67 75 61 72 64 54A34 34 30 3a 38 45 31 35 BE2711C02EDDDE4442F 34 36 34 34 35 34 41 BD81D897 33 34 42 45 32 37 31 31 43 30 32 45 44 44 44 45 34 34 34 32 46 42 44 38 31 44 38 39 37 C:\Users\user\AppData\Roaming\Resilio unknown 2687 37 3a 62 6f 72 6e 5f 7:born_oni0e14:born_on_re success or wait 1 7FF640FC52EF WriteFile Sync\settings.dat.new 6f 6e 69 30 65 31 34 motei 3a 62 6f 72 6e 5f 6f 0e17:check_update_betai0 6e 5f 72 65 6d 6f 74 e11:co 65 69 30 65 31 37 3a mputer_id16:tP79arYZR2q 63 68 65 63 6b 5f 75 6Caoq28 70 64 61 74 65 5f 62 :direct_torrent_max_file_si 65 74 61 69 30 65 31 zei 31 3a 63 6f 6d 70 75 10485760e18:diskio_cach 74 65 72 5f 69 64 31 e_limit 36 3a 74 50 37 39 61 i500e3:fgti0e16:history_log 72 59 5a 52 32 71 36 _si 43 61 6f 71 32 38 3a zei100e18:history_time_li 64 69 72 65 63 74 5f miti3 74 6f 72 72 65 6e 74 0e25:install_modification_ti 5f 6d 61 78 5f 66 69 mei0e12:install_t 6c 65 5f 73 69 7a 65 69 31 30 34 38 35 37 36 30 65 31 38 3a 64 69 73 6b 69 6f 5f 63 61 63 68 65 5f 6c 69 6d 69 74 69 35 30 30 65 33 3a 66 67 74 69 30 65 31 36 3a 68 69 73 74 6f 72 79 5f 6c 6f 67 5f 73 69 7a 65 69 31 30 30 65 31 38 3a 68 69 73 74 6f 72 79 5f 74 69 6d 65 5f 6c 69 6d 69 74 69 33 30 65 32 35 3a 69 6e 73 74 61 6c 6c 5f 6d 6f 64 69 66 69 63 61 74 69 6f 6e 5f 74 69 6d 65 69 30 65 31 32 3a 69 6e 73 74 61 6c 6c 5f 74 C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 63 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.868] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 register completion queue 3a 31 37 3a 34 32 2e with id 0.. 38 36 38 5d 20 72 65 67 69 73 74 65 72 20 63 6f 6d 70 6c 65 74 69 6f 6e 20 71 75 65 75 65 20 77 69 74 68 20 69 64 20 30 0d 0a

Copyright Joe Security LLC 2019 Page 71 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 63 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.868] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 register completion queue 3a 31 37 3a 34 32 2e with id 0.. 38 36 38 5d 20 72 65 67 69 73 74 65 72 20 63 6f 6d 70 6c 65 74 69 6f 6e 20 71 75 65 75 65 20 77 69 74 68 20 69 64 20 30 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 63 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.868] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 register completion queue 3a 31 37 3a 34 32 2e with id 0.. 38 36 38 5d 20 72 65 67 69 73 74 65 72 20 63 6f 6d 70 6c 65 74 69 6f 6e 20 71 75 65 75 65 20 77 69 74 68 20 69 64 20 30 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 144 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.900] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 class 3a 31 37 3a 34 32 2e PeerListenConnection::So 39 30 30 5d 20 63 6c cket 61 73 73 20 50 65 65 ::listen[0x000001bfd48da8f 72 4c 69 73 74 65 6e 0][1116] bound listening 43 6f 6e 6e 65 63 74 socket 1116 to IP 69 6f 6e 3a 3a 53 6f 0.0.0.0:26146.. 63 6b 65 74 3a 3a 6c 69 73 74 65 6e 5b 30 78 30 30 30 30 30 31 62 66 64 34 38 64 61 38 66 30 5d 5b 31 31 31 36 5d 20 62 6f 75 6e 64 20 6c 69 73 74 65 6e 69 6e 67 20 73 6f 63 6b 65 74 20 31 31 31 36 20 74 6f 20 49 50 20 30 2e 30 2e 30 2e 30 3a 32 36 31 34 36 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 141 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.918] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 class 3a 31 37 3a 34 32 2e PeerListenConnection::So 39 31 38 5d 20 63 6c cket 61 73 73 20 50 65 65 ::listen[0x000001bfd48da9 72 4c 69 73 74 65 6e 30][1120] bound listening 43 6f 6e 6e 65 63 74 socket 1120 to IP 69 6f 6e 3a 3a 53 6f [::]:26146.. 63 6b 65 74 3a 3a 6c 69 73 74 65 6e 5b 30 78 30 30 30 30 30 31 62 66 64 34 38 64 61 39 33 30 5d 5b 31 31 32 30 5d 20 62 6f 75 6e 64 20 6c 69 73 74 65 6e 69 6e 67 20 73 6f 63 6b 65 74 20 31 31 32 30 20 74 6f 20 49 50 20 5b 3a 3a 5d 3a 32 36 31 34 36 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 85 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.934] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 UDP: UDP: bound 3a 31 37 3a 34 32 2e listening socket 1124 to IP 39 33 34 5d 20 55 44 0.0.0.0:26146.. 50 3a 20 55 44 50 3a 20 62 6f 75 6e 64 20 6c 69 73 74 65 6e 69 6e 67 20 73 6f 63 6b 65 74 20 31 31 32 34 20 74 6f 20 49 50 20 30 2e 30 2e 30 2e 30 3a 32 36 31 34 36 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 82 5b 32 30 31 39 2d 30 [2019-08-12 18:17:42.934] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 UDP: UDP: bound 3a 31 37 3a 34 32 2e listening socket 1128 to IP 39 33 34 5d 20 55 44 [::]:26146.. 50 3a 20 55 44 50 3a 20 62 6f 75 6e 64 20 6c 69 73 74 65 6e 69 6e 67 20 73 6f 63 6b 65 74 20 31 31 32 38 20 74 6f 20 49 50 20 5b 3a 3a 5d 3a 32 36 31 34 36 0d 0a

Copyright Joe Security LLC 2019 Page 72 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio unknown 57 64 31 30 3a 2e 66 69 d10:.fileguard40:F8AD133 success or wait 1 7FF640FC565F WriteFile Sync\settings.dat.new 6c 65 67 75 61 72 64 5C7541 34 30 3a 46 38 41 44 04491D75D4847A2D57839 31 33 33 35 43 37 35 9BBEB9 34 31 30 34 34 39 31 44 37 35 44 34 38 34 37 41 32 44 35 37 38 33 39 39 42 42 45 42 39 C:\Users\user\AppData\Roaming\Resilio unknown 2705 39 3a 62 69 6e 64 5f 9:bind_porti26146e7:born_ success or wait 1 7FF640FC52EF WriteFile Sync\settings.dat.new 70 6f 72 74 69 32 36 oni0e 31 34 36 65 37 3a 62 14:born_on_remotei0e17:c 6f 72 6e 5f 6f 6e 69 heck_u 30 65 31 34 3a 62 6f pdate_betai0e11:computer 72 6e 5f 6f 6e 5f 72 _id16: 65 6d 6f 74 65 69 30 tP79arYZR2q6Caoq28:dire 65 31 37 3a 63 68 65 ct_torr 63 6b 5f 75 70 64 61 ent_max_file_sizei104857 74 65 5f 62 65 74 61 60e18: 69 30 65 31 31 3a 63 diskio_cache_limiti500e3:f 6f 6d 70 75 74 65 72 gti0 5f 69 64 31 36 3a 74 e16:history_log_sizei100e 50 37 39 61 72 59 5a 18:hi 52 32 71 36 43 61 6f story_time_limiti30e25:inst 71 32 38 3a 64 69 72 all_modification_t 65 63 74 5f 74 6f 72 72 65 6e 74 5f 6d 61 78 5f 66 69 6c 65 5f 73 69 7a 65 69 31 30 34 38 35 37 36 30 65 31 38 3a 64 69 73 6b 69 6f 5f 63 61 63 68 65 5f 6c 69 6d 69 74 69 35 30 30 65 33 3a 66 67 74 69 30 65 31 36 3a 68 69 73 74 6f 72 79 5f 6c 6f 67 5f 73 69 7a 65 69 31 30 30 65 31 38 3a 68 69 73 74 6f 72 79 5f 74 69 6d 65 5f 6c 69 6d 69 74 69 33 30 65 32 35 3a 69 6e 73 74 61 6c 6c 5f 6d 6f 64 69 66 69 63 61 74 69 6f 6e 5f 74 C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 63 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.028] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 register completion queue 3a 31 37 3a 34 33 2e with id 1.. 30 32 38 5d 20 72 65 67 69 73 74 65 72 20 63 6f 6d 70 6c 65 74 69 6f 6e 20 71 75 65 75 65 20 77 69 74 68 20 69 64 20 31 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 63 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.046] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 register completion queue 3a 31 37 3a 34 33 2e with id 1.. 30 34 36 5d 20 72 65 67 69 73 74 65 72 20 63 6f 6d 70 6c 65 74 69 6f 6e 20 71 75 65 75 65 20 77 69 74 68 20 69 64 20 31 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 63 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.046] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 register completion queue 3a 31 37 3a 34 33 2e with id 1.. 30 34 36 5d 20 72 65 67 69 73 74 65 72 20 63 6f 6d 70 6c 65 74 69 6f 6e 20 71 75 65 75 65 20 77 69 74 68 20 69 64 20 31 0d 0a

Copyright Joe Security LLC 2019 Page 73 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\storage.db- 0 512 00 00 00 00 00 00 00 ...... !v...... success or wait 1 7FF6413182DF WriteFile journal 00 00 00 00 00 1e fc ...... 21 76 00 00 00 00 00 ...... 00 02 00 00 00 10 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Roaming\Resilio Sync\storage.db- 0 12 d9 d5 05 f9 20 a1 63 .... .c..... success or wait 1 7FF6413182DF WriteFile journal d7 00 00 00 00 C:\Users\user\AppData\Roaming\Resilio Sync\storage.db 0 4096 53 51 4c 69 74 65 20 SQLite format 3...... @ ...... success or wait 1 7FF6413182DF WriteFile 66 6f 72 6d 61 74 20 ...... 33 00 10 00 02 02 00 ...... 40 20 20 00 00 00 01 ...... Y...... 00 00 00 01 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 2e 01 59 0d 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Roaming\Resilio Sync\storage.db- 0 32 37 7f 06 82 00 2d e2 7....-...... 2.,9...... success or wait 1 7FF6413182DF WriteFile wal 18 00 00 10 00 00 00 00 00 bf c7 fd 32 0a 2c 39 c2 07 e4 ca d2 82 05 ce 81 C:\Users\user\AppData\Roaming\Resilio Sync\storage.db- 32 24 00 00 00 01 00 00 00 ...... 2.,9...2.8`.C success or wait 3 7FF6413182DF WriteFile wal 00 bf c7 fd 32 0a 2c 39 c2 d2 e8 32 dd 38 60 0e 43

Copyright Joe Security LLC 2019 Page 74 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\storage.db- 56 4096 53 51 4c 69 74 65 20 SQLite format 3...... @ ...... success or wait 3 7FF6413182DF WriteFile wal 66 6f 72 6d 61 74 20 ...... 33 00 10 00 02 02 00 ...... 40 20 20 00 00 00 02 ...... Y...... t....t...... 00 00 00 03 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 02 00 00 00 04 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 02 00 00 00 ...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 01 59 0d 00 00 00 02 0e 74 00 0f 09 0e 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 45 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.155] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 IPv6 is installed.. 3a 31 37 3a 34 33 2e 31 35 35 5d 20 49 50 76 36 20 69 73 20 69 6e 73 74 61 6c 6c 65 64 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 62 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.155] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Unsupported or empty 3a 31 37 3a 34 33 2e sync.dat file.. 31 35 35 5d 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6f 72 20 65 6d 70 74 79 20 73 79 6e 63 2e 64 61 74 20 66 69 6c 65 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 79 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.155] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 My PeerID: 3a 31 37 3a 34 33 2e 10CFB832DD2808A7EAA 31 35 35 5d 20 4d 79 6110 20 50 65 65 72 49 44 FFD1465D3DC24787A.. 3a 20 31 30 43 46 42 38 33 32 44 44 32 38 30 38 41 37 45 41 41 36 31 31 30 46 46 44 31 34 36 35 44 33 44 43 32 34 37 38 37 41 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 69 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.155] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 LC: LoadLicenses: there is 3a 31 37 3a 34 33 2e no pro license.. 31 35 35 5d 20 4c 43 3a 20 4c 6f 61 64 4c 69 63 65 6e 73 65 73 3a 20 74 68 65 72 65 20 69 73 20 6e 6f 20 70 72 6f 20 6c 69 63 65 6e 73 65 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 52 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.171] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 loaded history: 0 events.. 3a 31 37 3a 34 33 2e 31 37 31 5d 20 6c 6f 61 64 65 64 20 68 69 73 74 6f 72 79 3a 20 30 20 65 76 65 6e 74 73 0d 0a

Copyright Joe Security LLC 2019 Page 75 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 87 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.233] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Joining on interface 3a 31 37 3a 34 33 2e {64D805FC-FF79-417D- 32 33 33 5d 20 4a 6f B378-894833CD520B}.. 69 6e 69 6e 67 20 6f 6e 20 69 6e 74 65 72 66 61 63 65 20 7b 36 34 44 38 30 35 46 43 2d 46 46 37 39 2d 34 31 37 44 2d 42 33 37 38 2d 38 39 34 38 33 33 43 44 35 32 30 42 7d 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 100 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.251] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Joining to the multicast 3a 31 37 3a 34 33 2e group 239.192.0.0:3838 on 32 35 31 5d 20 4a 6f interface 192.168.2.7.. 69 6e 69 6e 67 20 74 6f 20 74 68 65 20 6d 75 6c 74 69 63 61 73 74 20 67 72 6f 75 70 20 32 33 39 2e 31 39 32 2e 30 2e 30 3a 33 38 33 38 20 6f 6e 20 69 6e 74 65 72 66 61 63 65 20 31 39 32 2e 31 36 38 2e 32 2e 37 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 94 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.365] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Scheduler: Apply global 3a 31 37 3a 34 33 2e rule, download limit: -1, 33 36 35 5d 20 53 63 upload limit: -1.. 68 65 64 75 6c 65 72 3a 20 41 70 70 6c 79 20 67 6c 6f 62 61 6c 20 72 75 6c 65 2c 20 64 6f 77 6e 6c 6f 61 64 20 6c 69 6d 69 74 3a 20 2d 31 2c 20 75 70 6c 6f 61 64 20 6c 69 6d 69 74 3a 20 2d 31 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 48 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.380] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 message thread start.. 3a 31 37 3a 34 33 2e 33 38 30 5d 20 6d 65 73 73 61 67 65 20 74 68 72 65 61 64 20 73 74 61 72 74 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 80 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.396] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 [CmdPipeController]: Pipe 3a 31 37 3a 34 33 2e name \\. 33 39 36 5d 20 5b 43 \pipe\synccmd_sync.. 6d 64 50 69 70 65 43 6f 6e 74 72 6f 6c 6c 65 72 5d 3a 20 50 69 70 65 20 6e 61 6d 65 20 5c 5c 2e 5c 70 69 70 65 5c 73 79 6e 63 63 6d 64 5f 73 79 6e 63 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 116 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.396] success or wait 2 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 SYS_RES: drive "\\?\C:", 3a 31 37 3a 34 33 2e id: 1011744768, capacity: 33 39 36 5d 20 53 59 119990648832, 53 5f 52 45 53 3a 20 free_space: 64 72 69 76 65 20 22 85898301440.. 5c 5c 3f 5c 43 3a 22 2c 20 69 64 3a 20 31 30 31 31 37 34 34 37 36 38 2c 20 63 61 70 61 63 69 74 79 3a 20 31 31 39 39 39 30 36 34 38 38 33 32 2c 20 66 72 65 65 5f 73 70 61 63 65 3a 20 38 35 38 39 38 33 30 31 34 34 30 0d 0a

Copyright Joe Security LLC 2019 Page 76 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 68 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.396] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 [CmdPipeController]: Pipe 3a 31 37 3a 34 33 2e thread started.. 33 39 36 5d 20 5b 43 6d 64 50 69 70 65 43 6f 6e 74 72 6f 6c 6c 65 72 5d 3a 20 50 69 70 65 20 74 68 72 65 61 64 20 73 74 61 72 74 65 64 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 100 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.577] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Power: subscribed to 3a 31 37 3a 34 33 2e suspend and resume 35 37 37 5d 20 50 6f notifications 0x000001bf 77 65 72 3a 20 73 75 d48f6ae0.. 62 73 63 72 69 62 65 64 20 74 6f 20 73 75 73 70 65 6e 64 20 61 6e 64 20 72 65 73 75 6d 65 20 6e 6f 74 69 66 69 63 61 74 69 6f 6e 73 20 30 78 30 30 30 30 30 31 62 66 64 34 38 66 36 61 65 30 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 90 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.594] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Power: subscribed to 3a 31 37 3a 34 33 2e power settings changes 35 39 34 5d 20 50 6f 0x000001bfd492f0e0.. 77 65 72 3a 20 73 75 62 73 63 72 69 62 65 64 20 74 6f 20 70 6f 77 65 72 20 73 65 74 74 69 6e 67 73 20 63 68 61 6e 67 65 73 20 30 78 30 30 30 30 30 31 62 66 64 34 39 32 66 30 65 30 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 55 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.610] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Got power broadcast: 3a 31 37 3a 34 33 2e 0x8013.. 36 31 30 5d 20 47 6f 74 20 70 6f 77 65 72 20 62 72 6f 61 64 63 61 73 74 3a 20 30 78 38 30 31 33 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 71 5b 32 30 31 39 2d 30 [2019-08-12 18:17:43.610] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Power broadcast: monitor 3a 31 37 3a 34 33 2e state changed to 1.. 36 31 30 5d 20 50 6f 77 65 72 20 62 72 6f 61 64 63 61 73 74 3a 20 6d 6f 6e 69 74 6f 72 20 73 74 61 74 65 20 63 68 61 6e 67 65 64 20 74 6f 20 31 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 67 5b 32 30 31 39 2d 30 [2019-08-12 18:17:45.456] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Debug log mask has been 3a 31 37 3a 34 35 2e set to FFFFFFFF.. 34 35 36 5d 20 44 65 62 75 67 20 6c 6f 67 20 6d 61 73 6b 20 68 61 73 20 62 65 65 6e 20 73 65 74 20 74 6f 20 46 46 46 46 46 46 46 46 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 59 5b 32 30 31 39 2d 30 [2019-08-12 18:17:45.456] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Features mask has been 3a 31 37 3a 34 35 2e set to 0.. 34 35 36 5d 20 46 65 61 74 75 72 65 73 20 6d 61 73 6b 20 68 61 73 20 62 65 65 6e 20 73 65 74 20 74 6f 20 30 0d 0a

Copyright Joe Security LLC 2019 Page 77 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 67 5b 32 30 31 39 2d 30 [2019-08-12 18:17:46.873] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 IE: Create new frame 3a 31 37 3a 34 36 2e 0x000001bfd49452c0.. 38 37 33 5d 20 49 45 3a 20 43 72 65 61 74 65 20 6e 65 77 20 66 72 61 6d 65 20 30 78 30 30 30 30 30 31 62 66 64 34 39 34 35 32 63 30 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 69 5b 32 30 31 39 2d 30 [2019-08-12 18:17:55.173] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 NAT-PMP: Unable to map 3a 31 37 3a 35 35 2e port with NAT-PMP... 31 37 33 5d 20 4e 41 54 2d 50 4d 50 3a 20 55 6e 61 62 6c 65 20 74 6f 20 6d 61 70 20 70 6f 72 74 20 77 69 74 68 20 4e 41 54 2d 50 4d 50 2e 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 67 5b 32 30 31 39 2d 30 [2019-08-12 18:18:15.694] success or wait 4 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 API: --> 3a 31 38 3a 31 35 2e licenseagreed(t=15656590 36 39 34 5d 20 41 50 95662).. 49 3a 20 2d 2d 3e 20 6c 69 63 65 6e 73 65 61 67 72 65 65 64 28 74 3d 31 35 36 35 36 35 39 30 39 35 36 36 32 29 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 80 5b 32 30 31 39 2d 30 [2019-08-12 18:18:15.694] success or wait 4 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 API: action 3a 31 38 3a 31 35 2e "licenseagreed" proces 36 39 34 5d 20 41 50 sing synchronously.. 49 3a 20 61 63 74 69 6f 6e 20 22 6c 69 63 65 6e 73 65 61 67 72 65 65 64 22 20 70 72 6f 63 65 73 73 69 6e 67 20 73 79 6e 63 68 72 6f 6e 6f 75 73 6c 79 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 421 5b 32 30 31 39 2d 30 [2019-08-12 18:18:15.694] success or wait 4 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 API: <-- 3a 31 38 3a 31 35 2e licenseagreed({"status":2 36 39 34 5d 20 41 50 00,"value": 49 3a 20 3c 2d 2d 20 {"allowemptypasswor 6c 69 63 65 6e 73 65 d":true,"currentusertermsv 61 67 72 65 65 64 28 ersi 7b 22 73 74 61 74 75 on":1,"eulaurl":"http://helpfi 73 22 3a 32 30 30 2c les.resilio.com/eula","isfirst 22 76 61 6c 75 65 22 runwindowshown":false,"is 3a 7b 22 61 6c 6c 6f webui 77 65 6d 70 74 79 70 ":false,"iswebuicredentialss 61 73 73 77 6f 72 64 et":true,"license 22 3a 74 72 75 65 2c 22 63 75 72 72 65 6e 74 75 73 65 72 74 65 72 6d 73 76 65 72 73 69 6f 6e 22 3a 31 2c 22 65 75 6c 61 75 72 6c 22 3a 22 68 74 74 70 3a 2f 2f 68 65 6c 70 66 69 6c 65 73 2e 72 65 73 69 6c 69 6f 2e 63 6f 6d 2f 65 75 6c 61 22 2c 22 69 73 66 69 72 73 74 72 75 6e 77 69 6e 64 6f 77 73 68 6f 77 6e 22 3a 66 61 6c 73 65 2c 22 69 73 77 65 62 75 69 22 3a 66 61 6c 73 65 2c 22 69 73 77 65 62 75 69 63 72 65 64 65 6e 74 69 61 6c 73 73 65 74 22 3a 74 72 75 65 2c 22 6c 69 63 65 6e 73 65

Copyright Joe Security LLC 2019 Page 78 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 86 5b 32 30 31 39 2d 30 [2019-08-12 18:18:15.761] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 ZIP: Can't locate 3a 31 38 3a 31 35 2e [locales/en-US.json] in zip, 37 36 31 5d 20 5a 49 error -100... 50 3a 20 43 61 6e 27 74 20 6c 6f 63 61 74 65 20 5b 6c 6f 63 61 6c 65 73 2f 65 6e 2d 55 53 2e 6a 73 6f 6e 5d 20 69 6e 20 7a 69 70 2c 20 65 72 72 6f 72 20 2d 31 30 30 2e 0d 0a

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\debug.txt unknown 11 success or wait 1 7FF640FC5545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat unknown 811 success or wait 1 7FF640FC5545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat unknown 811 success or wait 1 7FF640FC5545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new unknown 811 success or wait 1 7FF640FC5545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\FileDelayConfig unknown 187 success or wait 1 7FF640FC5545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat unknown 811 success or wait 1 7FF640FC5545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new unknown 2744 success or wait 1 7FF640FC5545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat unknown 2744 success or wait 1 7FF640FC5545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new unknown 2762 success or wait 1 7FF640FC5545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\storage.db 0 100 end of file 1 7FF64131817F ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\storage.db-journal 512 8 end of file 1 7FF64131817F ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\storage.db 0 4096 success or wait 1 7FF64131817F ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\history.dat unknown 68 success or wait 1 7FF640FC5545 ReadFile C:\Users\user\AppData\Roaming\Resilio Sync\debug.txt unknown 11 success or wait 1 7FF640FC5545 ReadFile

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: Resilio Sync.exe PID: 2584 Parent PID: 3896

General

Start time: 18:17:44 Start date: 12/08/2019 Path: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe Wow64 process (32bit): false Commandline: Resilio Sync.exe /NOINSTALL /BRINGTOFRONT Imagebase: 0x7ff640cc0000 File size: 23588360 bytes MD5 hash: 97E86D489C0D6D6185C890257CF87BE7 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

File Created

Copyright Joe Security LLC 2019 Page 79 of 85 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync read data or list normal directory file | object name collision 1 7FF640E7093F CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new read attributes | normal synchronous io success or wait 1 7FF640FC55DA CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\history.dat.new read attributes | normal synchronous io success or wait 1 7FF640FC55DA CreateFileW synchronize | non alert | non generic read | directory file generic write

File Moved

File Written

Copyright Joe Security LLC 2019 Page 80 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 75 5b 32 30 31 39 2d 30 [2019-08-12 18:17:46.555] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 ZIP: Can't locate [version] 3a 31 37 3a 34 36 2e in zip, error -100... 35 35 35 5d 20 5a 49 50 3a 20 43 61 6e 27 74 20 6c 6f 63 61 74 65 20 5b 76 65 72 73 69 6f 6e 5d 20 69 6e 20 7a 69 70 2c 20 65 72 72 6f 72 20 2d 31 30 30 2e 0d 0a C:\Users\user\AppData\Roaming\Resilio unknown 57 64 31 30 3a 2e 66 69 d10:.fileguard40:86003733 success or wait 1 7FF640FC565F WriteFile Sync\settings.dat.new 6c 65 67 75 61 72 64 C3FE6 34 30 3a 38 36 30 30 BF4A953593A3A8C404F8 33 37 33 33 43 33 46 A1E18DC 45 36 42 46 34 41 39 35 33 35 39 33 41 33 41 38 43 34 30 34 46 38 41 31 45 31 38 44 43 C:\Users\user\AppData\Roaming\Resilio unknown 2826 39 3a 61 75 74 6f 73 9:autostarti1e7:born_oni0e success or wait 1 7FF640FC52EF WriteFile Sync\settings.dat.new 74 61 72 74 69 31 65 14:b 37 3a 62 6f 72 6e 5f orn_on_remotei0e17:check 6f 6e 69 30 65 31 34 _updat 3a 62 6f 72 6e 5f 6f e_betai0e11:computer_id1 6e 5f 72 65 6d 6f 74 6:glBQ 65 69 30 65 31 37 3a 6JQx70NYgrfi28:direct_tor 63 68 65 63 6b 5f 75 rent_ 70 64 61 74 65 5f 62 max_file_sizei10485760e1 65 74 61 69 30 65 31 8:disk 31 3a 63 6f 6d 70 75 io_cache_limiti500e8:exe_ 74 65 72 5f 69 64 31 path5 36 3a 67 6c 42 51 36 2:C:\Users\user\AppData\ 4a 51 78 37 30 4e 59 Roaming\Resilio 67 72 66 69 32 38 3a Sync3:fgti0e16:history_lo 64 69 72 65 63 74 5f 74 6f 72 72 65 6e 74 5f 6d 61 78 5f 66 69 6c 65 5f 73 69 7a 65 69 31 30 34 38 35 37 36 30 65 31 38 3a 64 69 73 6b 69 6f 5f 63 61 63 68 65 5f 6c 69 6d 69 74 69 35 30 30 65 38 3a 65 78 65 5f 70 61 74 68 35 32 3a 43 3a 5c 55 73 65 72 73 5c 53 75 7a 61 6e 6e 65 20 44 61 76 69 65 73 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 52 65 73 69 6c 69 6f 20 53 79 6e 63 33 3a 66 67 74 69 30 65 31 36 3a 68 69 73 74 6f 72 79 5f 6c 6f C:\Users\user\AppData\Roaming\Resilio unknown 57 64 31 30 3a 2e 66 69 d10:.fileguard40:7ECDE89 success or wait 1 7FF640FC565F WriteFile Sync\history.dat.new 6c 65 67 75 61 72 64 CE8A76 34 30 3a 37 45 43 44 BD4E137100AF0103D759 45 38 39 43 45 38 41 591ED80 37 36 42 44 34 45 31 33 37 31 30 30 41 46 30 31 30 33 44 37 35 39 35 39 31 45 44 38 30 C:\Users\user\AppData\Roaming\Resilio unknown 11 36 3a 65 76 65 6e 74 6:eventslee success or wait 1 7FF640FC52EF WriteFile Sync\history.dat.new 73 6c 65 65 C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 51 5b 32 30 31 39 2d 30 [2019-08-12 18:17:46.756] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 saved history: 0 events.. 3a 31 37 3a 34 36 2e 37 35 36 5d 20 73 61 76 65 64 20 68 69 73 74 6f 72 79 3a 20 30 20 65 76 65 6e 74 73 0d 0a

Copyright Joe Security LLC 2019 Page 81 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 66 5b 32 30 31 39 2d 30 [2019-08-12 18:17:46.756] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Torrent session shutdown: 3a 31 37 3a 34 36 2e done waiting.. 37 35 36 5d 20 54 6f 72 72 65 6e 74 20 73 65 73 73 69 6f 6e 20 73 68 75 74 64 6f 77 6e 3a 20 64 6f 6e 65 20 77 61 69 74 69 6e 67 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 52 5b 32 30 31 39 2d 30 [2019-08-12 18:17:46.756] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Stopping network threads.. 3a 31 37 3a 34 36 2e 37 35 36 5d 20 53 74 6f 70 70 69 6e 67 20 6e 65 74 77 6f 72 6b 20 74 68 72 65 61 64 73 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 60 5b 32 30 31 39 2d 30 [2019-08-12 18:17:46.756] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Shutdown. Saving config 3a 31 37 3a 34 36 2e sync.dat.. 37 35 36 5d 20 53 68 75 74 64 6f 77 6e 2e 20 53 61 76 69 6e 67 20 63 6f 6e 66 69 67 20 73 79 6e 63 2e 64 61 74 0d 0a

File Read

Analysis Process: Resilio Sync.exe PID: 2448 Parent PID: 2956

General

Start time: 18:17:48 Start date: 12/08/2019 Path: C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe Wow64 process (32bit): false Commandline: 'C:\Users\user\AppData\Roaming\Resilio Sync\Resilio Sync.exe' /MINIMIZED Imagebase: 0x7ff640cc0000 File size: 23588360 bytes MD5 hash: 97E86D489C0D6D6185C890257CF87BE7 Has administrator privileges: false Programmed in: C, C++ or other language Reputation: low

File Activities

File Created

Copyright Joe Security LLC 2019 Page 82 of 85 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync read data or list normal directory file | object name collision 1 7FF6412B211C CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync read data or list normal directory file | object name collision 1 7FF640E7093F CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat.new read attributes | normal synchronous io success or wait 1 7FF640FC55DA CreateFileW synchronize | non alert | non generic read | directory file generic write C:\Users\user\AppData\Roaming\Resilio Sync\history.dat.new read attributes | normal synchronous io success or wait 1 7FF640FC55DA CreateFileW synchronize | non alert | non generic read | directory file generic write

File Moved

Source Old File Path New File Path Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\settings.dat C:\Users\user\AppData\Roaming\Resilio success or wait 1 7FF640FC5BC4 MoveFileExW Sync\settings.dat.oldu' C:\Users\user\AppData\Roaming\Resilio C:\Users\user\AppData\Roaming\Resilio Sync\settings.dattx success or wait 1 7FF640FC5BE4 MoveFileExW Sync\settings.dat.new C:\Users\user\AppData\Roaming\Resilio Sync\history.dat C:\Users\user\AppData\Roaming\Resilio Sync\history.dat.old success or wait 1 7FF640FC5BC4 MoveFileExW C:\Users\user\AppData\Roaming\Resilio Sync\history.dat.new C:\Users\user\AppData\Roaming\Resilio Sync\history.dat.o success or wait 1 7FF640FC5BE4 MoveFileExW

File Written

Copyright Joe Security LLC 2019 Page 83 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 75 5b 32 30 31 39 2d 30 [2019-08-12 18:17:54.724] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 ZIP: Can't locate [version] 3a 31 37 3a 35 34 2e in zip, error -100... 37 32 34 5d 20 5a 49 50 3a 20 43 61 6e 27 74 20 6c 6f 63 61 74 65 20 5b 76 65 72 73 69 6f 6e 5d 20 69 6e 20 7a 69 70 2c 20 65 72 72 6f 72 20 2d 31 30 30 2e 0d 0a C:\Users\user\AppData\Roaming\Resilio unknown 57 64 31 30 3a 2e 66 69 d10:.fileguard40:86003733 success or wait 1 7FF640FC565F WriteFile Sync\settings.dat.new 6c 65 67 75 61 72 64 C3FE6 34 30 3a 38 36 30 30 BF4A953593A3A8C404F8 33 37 33 33 43 33 46 A1E18DC 45 36 42 46 34 41 39 35 33 35 39 33 41 33 41 38 43 34 30 34 46 38 41 31 45 31 38 44 43 C:\Users\user\AppData\Roaming\Resilio unknown 2826 39 3a 61 75 74 6f 73 9:autostarti1e7:born_oni0e success or wait 1 7FF640FC52EF WriteFile Sync\settings.dat.new 74 61 72 74 69 31 65 14:b 37 3a 62 6f 72 6e 5f orn_on_remotei0e17:check 6f 6e 69 30 65 31 34 _updat 3a 62 6f 72 6e 5f 6f e_betai0e11:computer_id1 6e 5f 72 65 6d 6f 74 6:glBQ 65 69 30 65 31 37 3a 6JQx70NYgrfi28:direct_tor 63 68 65 63 6b 5f 75 rent_ 70 64 61 74 65 5f 62 max_file_sizei10485760e1 65 74 61 69 30 65 31 8:disk 31 3a 63 6f 6d 70 75 io_cache_limiti500e8:exe_ 74 65 72 5f 69 64 31 path5 36 3a 67 6c 42 51 36 2:C:\Users\user\AppData\ 4a 51 78 37 30 4e 59 Roaming\Resilio 67 72 66 69 32 38 3a Sync3:fgti0e16:history_lo 64 69 72 65 63 74 5f 74 6f 72 72 65 6e 74 5f 6d 61 78 5f 66 69 6c 65 5f 73 69 7a 65 69 31 30 34 38 35 37 36 30 65 31 38 3a 64 69 73 6b 69 6f 5f 63 61 63 68 65 5f 6c 69 6d 69 74 69 35 30 30 65 38 3a 65 78 65 5f 70 61 74 68 35 32 3a 43 3a 5c 55 73 65 72 73 5c 53 75 7a 61 6e 6e 65 20 44 61 76 69 65 73 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 52 65 73 69 6c 69 6f 20 53 79 6e 63 33 3a 66 67 74 69 30 65 31 36 3a 68 69 73 74 6f 72 79 5f 6c 6f C:\Users\user\AppData\Roaming\Resilio unknown 57 64 31 30 3a 2e 66 69 d10:.fileguard40:7ECDE89 success or wait 1 7FF640FC565F WriteFile Sync\history.dat.new 6c 65 67 75 61 72 64 CE8A76 34 30 3a 37 45 43 44 BD4E137100AF0103D759 45 38 39 43 45 38 41 591ED80 37 36 42 44 34 45 31 33 37 31 30 30 41 46 30 31 30 33 44 37 35 39 35 39 31 45 44 38 30 C:\Users\user\AppData\Roaming\Resilio unknown 11 36 3a 65 76 65 6e 74 6:eventslee success or wait 1 7FF640FC52EF WriteFile Sync\history.dat.new 73 6c 65 65 C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 51 5b 32 30 31 39 2d 30 [2019-08-12 18:17:55.064] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 saved history: 0 events.. 3a 31 37 3a 35 35 2e 30 36 34 5d 20 73 61 76 65 64 20 68 69 73 74 6f 72 79 3a 20 30 20 65 76 65 6e 74 73 0d 0a

Copyright Joe Security LLC 2019 Page 84 of 85 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 66 5b 32 30 31 39 2d 30 [2019-08-12 18:17:55.064] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Torrent session shutdown: 3a 31 37 3a 35 35 2e done waiting.. 30 36 34 5d 20 54 6f 72 72 65 6e 74 20 73 65 73 73 69 6f 6e 20 73 68 75 74 64 6f 77 6e 3a 20 64 6f 6e 65 20 77 61 69 74 69 6e 67 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 52 5b 32 30 31 39 2d 30 [2019-08-12 18:17:55.064] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Stopping network threads.. 3a 31 37 3a 35 35 2e 30 36 34 5d 20 53 74 6f 70 70 69 6e 67 20 6e 65 74 77 6f 72 6b 20 74 68 72 65 61 64 73 0d 0a C:\Users\user\AppData\Roaming\Resilio Sync\sync.log unknown 60 5b 32 30 31 39 2d 30 [2019-08-12 18:17:55.064] success or wait 1 7FF6414AC69E WriteFile 38 2d 31 32 20 31 38 Shutdown. Saving config 3a 31 37 3a 35 35 2e sync.dat.. 30 36 34 5d 20 53 68 75 74 64 6f 77 6e 2e 20 53 61 76 69 6e 67 20 63 6f 6e 66 69 67 20 73 79 6e 63 2e 64 61 74 0d 0a

File Read

Disassembly

Code Analysis