ID: 314925 Sample Name: WebCompanion.exe Cookbook: default.jbs Time: 05:11:03 Date: 12/11/2020 Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report WebCompanion.exe 4
Overview 4
General Information 4
Detection 4
Signatures 4
Classification 4
Analysis Advice 4
Startup 4
Configuration 4
Yara Overview 4
Sigma Overview 4
Signature Overview 5
Mitre Att&ck Matrix 5
Behavior Graph 5
Screenshots 6
Thumbnails 6
Antivirus, Machine Learning and Genetic Malware Detection 7
Initial Sample 7
Dropped Files 7
Unpacked PE Files 7
Domains 7
URLs 7
Domains and IPs 8
Contacted Domains 8
URLs from Memory and Binaries 8
Contacted IPs 10
Public 11
Private 11
General Information 11
Simulations 12
Behavior and APIs 12
Joe Sandbox View / Context 12
IPs 12
Domains 12
ASN 13
JA3 Fingerprints 13
Dropped Files 13
Created / dropped Files 13
Static File Info 14
General 14
File Icon 14
Static PE Info 14
General 14
Authenticode Signature 15
Entrypoint Preview 15
Data Directories 16
Sections 17
Resources 17
Imports 17
Network Behavior 17
UDP Packets 17
Code Manipulations 18
Statistics 19
Behavior 19

Copyright null 2020 Page 2 of 20

System Behavior 19
Analysis Process: WebCompanion.exe PID: 7132 Parent PID: 5936 19
General 19
File Activities 19
File Created 19
File Read 19
Analysis Process: dw20.exe PID: 4164 Parent PID: 7132 20
General 20
File Activities 20
Registry Activities 20
Disassembly 20
Code Analysis 20

Analysis Report WebCompanion.exe

Overview

General Information

Sample Name: WebCompanion.exe
Analysis ID: 314925
MD5: 3496336940e172…
SHA1: ec254f19067046b…
SHA256: f9e63f937f2636f1…
Most interesting Screenshot: (image)

Detection

malicious / suspicious / clean: clean
Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Checks if the current process is bein…
Creates a process in suspended mo…
One or more processes crash
PE file contains strange resources
Queries disk information (often used…
Sample file is different than original …
Stores large binary data to the regist…
Tries to load missing DLLs

Classification

(classification wheel; labels: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Trojan / Bot, Adware)

Analysis Advice

Sample crashes during execution; try analyzing it on another analysis machine

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Startup

System is w10x64
WebCompanion.exe (PID: 7132 cmdline: 'C:\Users\user\Desktop\WebCompanion.exe' MD5: 3496336940E172B597FA057C258834F1)
    dw20.exe (PID: 4164 cmdline: dw20.exe -x -s 1312 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection


There are no malicious signatures.

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter 2; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection 1 1; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Modify Registry 1; Virtualization/Sandbox Evasion 2; Disable or Modify Tools 1; Process Injection 1 1; DLL Side-Loading 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery 2 1; Virtualization/Sandbox Evasion 2; System Information Discovery 1 2; Remote System Discovery 1; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

(The number after a technique is the count of matched signatures; techniques without a number did not match.)

Behavior Graph

(Rendered behavior graph; recoverable information follows.)

ID: 314925
Sample: WebCompanion.exe
Startdate: 12/11/2020
Architecture: WINDOWS
Score: 3

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Graph nodes: WebCompanion.exe (.Net C# or VB.NET) started dw20.exe; DNS/IP node 192.168.2.1 (unknown, unknown). Node counters shown in the graph: 2 (WebCompanion.exe), 22 and 6 (dw20.exe).

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
WebCompanion.exe | 3% | Metadefender | | Browse
WebCompanion.exe | 4% | ReversingLabs | ByteCode-MSIL.PUA.WebCompanion |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
tempuri.org/TrackDataT | 0% | Avira URL Cloud | safe
tempuri.org/GetComponentsVersionInfoT | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/CreatUninstallInfoT | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/RunProcessT | 0% | Avira URL Cloud | safe
www.smartassembly.com/webservices/Reporting/UploadReport2 | 0% | Avira URL Cloud | safe
tempuri.org/ | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/ProcessRemoteFeatureT | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/SilentUninstallT | 0% | Avira URL Cloud | safe
tempuri.org/SendWCFeedbackT | 0% | Avira URL Cloud | safe
tempuri.org/FirstRunT | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/RunasAdminResponse | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/SetHomePageIEResponse | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/GetCurrentHomePageIEResponse | 0% | Avira URL Cloud | safe
www.lavasoftsupport.com/index.php?/forum/191-web-companion/ | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/UpdateUninstallInfoResponse | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/GetCurrentSearchIEResponse | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/GetCurrentHomePageIET | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/SetHomePageIET | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/UpdateUninstallInfoT | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/SetNewTabIET | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/GetCurrentSearchIET | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/SetAutoRestoreSessionIET | 0% | Avira URL Cloud | safe
tempuri.org/WcSendAutoResponseEmailT | 0% | Avira URL Cloud | safe
www.smartassembly.com/webservices/UploadReportLogin/ | 0% | Avira URL Cloud | safe
tempuri.org/SignZipInstallerT | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/CopyFilesResponse | 0% | Avira URL Cloud | safe
tempuri.org/GetComponentsInfoT | 0% | Avira URL Cloud | safe
tempuri.org/A | 0% | Avira URL Cloud | safe
tempuri.org/; | 0% | Avira URL Cloud | safe
tempuri.org/AddT | 0% | Avira URL Cloud | safe
10.45.0.17:8341/api/v1/activeFeatures/filter/partnerId/ | 0% | Avira URL Cloud | safe
www.smartassembly.com/webservices/Reporting/ | 0% | Avira URL Cloud | safe
www.smartassembly.com/webservices/UploadReportLogin/GetServerURL | 0% | Avira URL Cloud | safe
tempuri.org/SendEmailT | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/SetNewTabIEResponse | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/CopyFilesT | 0% | Avira URL Cloud | safe
tempuri.org/IWCAssistantService/SetSearchEngineIET | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
lavasoft.com/GetCountryISO2ByNameT | WebCompanion.exe | false | | high
tempuri.org/TrackDataT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
webcompanion.com/installed.php?extinstall=1 | WebCompanion.exe | false | | high
tempuri.org/GetComponentsVersionInfoT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
tempuri.org/IWCAssistantService/CreatUninstallInfoT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
securedsearch.lavasoft.com | WebCompanion.exe | false | | high
webcompanion.com/ | WebCompanion.exe | false | | high
sawebservice.red-gate.com/ | WebCompanion.exe | false | | high
tempuri.org/IWCAssistantService/RunProcessT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
www.smartassembly.com/webservices/Reporting/UploadReport2 | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
www.codeproject.com/Articles/28093/Using-RoutedCommands-with-a-ViewModel-in-WPF | WebCompanion.exe | false | | high
webcompanion.com/feedback?utm_source=wc&utm_medium=wc&utm_campaign=wc | WebCompanion.exe | false | | high
www.lavasoft.com/terms_of_use/ | WebCompanion.exe | false | | high
tempuri.org/ | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
tempuri.org/IWCAssistantService/ProcessRemoteFeatureT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
adaware.com/browser/ff/index.phpAPrivacy | WebCompanion.exe | false | | high
tempuri.org/IWCAssistantService/SilentUninstallT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
upclick.com/GetGeoInfoByHeadersT | WebCompanion.exe | false | | high
www.apache.org/licenses/LICENSE-2.0Copyright | WebCompanion.exe | false | | high
tempuri.org/SendWCFeedbackT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
twitter.com/intent/tweet?text= | WebCompanion.exe | false | | high
webcompanion.com/ff_extension/ffLanguages.json | WebCompanion.exe | false | | high
in.adaware.com/wc/extension_install.php?exiturl=aHR0cDovL3dlYmNvbXBhbmlvbi5jb20vaW5zdGFsbC5wa | WebCompanion.exe | false | | high
webcompanion.com/1http://www.lavasoft.com/Ghttp://webcompanion.com/unsafe?url=Qhttps://appdow | WebCompanion.exe | false | | high
extservice.adaware.com/extensionAShow | WebCompanion.exe | false | | high
https://twitter.com/lavasoft | WebCompanion.exe | false | | high
lavasoft.com/GetLocationT | WebCompanion.exe | false | | high
upclick.com/GetCountryNameByISO2T | WebCompanion.exe | false | | high
www.lavasoft.com/terms_of_use/Ohttp://www.lavasoft.com/privacy_policy/ | WebCompanion.exe | false | | high
www.lavasoft.com/mylavasoft/contact | WebCompanion.exe | false | | high
tempuri.org/FirstRunT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
tempuri.org/IWCAssistantService/RunasAdminResponse | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
lavasoft.com/GetIpLocation_2_0T | WebCompanion.exe | false | | high
tempuri.org/IWCAssistantService/SetHomePageIEResponse | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
webcompanion.com | WebCompanion.exe | false | | high
tempuri.org/IWCAssistantService/GetCurrentHomePageIEResponse | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
lavasoft.com/T | WebCompanion.exe | false | | high
webcompanion.com/wc_onboarding_software_noab?lang= | WebCompanion.exe | false | | high
www.lavasoftsupport.com/index.php?/forum/191-web-companion/ | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
tempuri.org/IWCAssistantService/UpdateUninstallInfoResponse | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
webcompanion.com/help#119Help | WebCompanion.exe | false | | high
https://notiftrigger.adaware.com/notification-trigger-service/api/v1?partner= | WebCompanion.exe | false | | high
upclick.com/GetCountryISO2T | WebCompanion.exe | false | | high
www.symauth.com/cps0( | WebCompanion.exe | false | | high
tempuri.org/IWCAssistantService/GetCurrentSearchIEResponse | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
tempuri.org/IWCAssistantService/GetCurrentHomePageIET | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
https://www.adaware.com/sites/default/files/installers/H2OAutoUpdate/WCU006_s.exe | WebCompanion.exe | false | | high
tempuri.org/IWCAssistantService/SetHomePageIET | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
webcompanion.com/feedback?utm_source=wc&utm_medium=wc&utm_campaign=wcg/WebCompanion;component | WebCompanion.exe | false | | high
webcompanion.com/privacy | WebCompanion.exe | false | | high
tempuri.org/IWCAssistantService/UpdateUninstallInfoT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
www.lavasoft.com | WebCompanion.exe | false | | high
lavasoft.com/ | WebCompanion.exe | false | | high
webcompanion.com/version_logs | WebCompanion.exe | false | | high
https://twitter.com/officialadaware | WebCompanion.exe | false | | high
www.symauth.com/rpa00 | WebCompanion.exe | false | | high
tempuri.org/IWCAssistantService/SetNewTabIET | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
www.lavasoft.com/privacy_policy/ | WebCompanion.exe | false | | high
tempuri.org/IWCAssistantService/GetCurrentSearchIET | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
tempuri.org/IWCAssistantService/SetAutoRestoreSessionIET | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
webcompanion.com/terms | WebCompanion.exe | false | | high
in.adaware.com/wc/extension_install.php?exiturl=aHR0cDovL3d3dy53ZWJjb21wYW5pb24uY29t&utm_camp | WebCompanion.exe | false | | high
lavasoft.com?utm_source=wc&utm_medium=wc&utm_campaign=wc | WebCompanion.exe | false | | high
tempuri.org/WcSendAutoResponseEmailT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
webcompanion.com/faq | WebCompanion.exe | false | | high
webcompanion.com/gw/gateway.php?pid= | WebCompanion.exe | false | | high
www.smartassembly.com/webservices/UploadReportLogin/ | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
tempuri.org/SignZipInstallerT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
tempuri.org/IWCAssistantService/CopyFilesResponse | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
adaware.com/browser/ff/index.php | WebCompanion.exe | false | | high
tempuri.org/GetComponentsInfoT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
tempuri.org/A | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
upclick.com/GetGeoInfoByIpAddressesT | WebCompanion.exe | false | | high
tempuri.org/; | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
tempuri.org/AddT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
lavasoft.com/GetIpLocationT | WebCompanion.exe | false | | high
webcompanion.com/help#11 | WebCompanion.exe | false | | high
10.45.0.17:8341/api/v1/activeFeatures/filter/partnerId/ | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
lavasoft.com/GetCountryNameByISO2T | WebCompanion.exe | false | | high
https://www.adaware.com/privacy-policy | WebCompanion.exe | false | | high
www.red-gate.com/products/dotnet-development/smartassembly/?utm_source=smartassemblyui&utm_me | WebCompanion.exe | false | | high
webcompanion.com/images/email/wc-title-header.png | WebCompanion.exe | false | | high
www.smartassembly.com/webservices/Reporting/ | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
https://sdl.adaware.com/?bundleid=WCU001&savename=WCUpdater.exe | WebCompanion.exe | false | | high
www.smartassembly.com/webservices/UploadReportLogin/GetServerURL | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
tempuri.org/SendEmailT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
webcompanion.com/notification?timestamp= | WebCompanion.exe | false | | high
tempuri.org/IWCAssistantService/SetNewTabIEResponse | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
tempuri.org/IWCAssistantService/CopyFilesT | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
crl.thawte.com/ThawteTimestampingCA.crl0 | WebCompanion.exe | false | | high
webcompanion.com/mail-report-reply | WebCompanion.exe | false | | high
upclick.com/GetCountryISO2ByNameT | WebCompanion.exe | false | | high
tempuri.org/IWCAssistantService/SetSearchEngineIET | WebCompanion.exe | false | Avira URL Cloud: safe | unknown
webcompanion.com/mz/browser_download.php?partner= | WebCompanion.exe | false | | high
webcompanion.com/help | WebCompanion.exe | false | | high
webcompanion.com/images/email/tw-icon.png | WebCompanion.exe | false | | high
webcompanion.com/unsafe?url= | WebCompanion.exe | false | | high
https://adaware.com/ext/inline.php?pid= | WebCompanion.exe | false | | high
https://ext.adaware.com/ | WebCompanion.exe | false | | high
https://appdownload.lavasoft.com/malsync | WebCompanion.exe | false | | high

Contacted IPs

(World map of contacted IPs; legend: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs)

Public

IP Domain Country Flag ASN ASN Name Malicious

Private

IP 192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 314925
Start date: 12.11.2020
Start time: 05:11:03
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 40s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: WebCompanion.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean3.winEXE@3/3@0/1
EGA Information: Successful, ratio: 100%
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
  Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
  Excluded IPs from analysis (whitelisted): 104.42.151.234, 40.88.32.150, 51.104.139.180, 52.155.217.156, 20.54.26.129, 67.27.157.254, 67.27.159.126, 67.27.158.254, 8.253.204.120, 8.248.115.254, 92.122.213.194, 92.122.213.247, 40.90.23.206, 40.90.137.120, 40.90.137.124, 40.90.23.208, 40.90.23.247, 40.90.137.126, 40.90.137.125, 40.90.23.153, 51.11.168.232, 51.104.144.132
  Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, www.tm.lg.prod.aadmsa.akadns.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, umwatsonrouting.trafficmanager.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net
  Report size getting too big, too many NtOpenKeyEx calls found.
  VT rate limit hit for: /opt/package/joesandbox/database/analysis/314925/sample/WebCompanion.exe

Simulations

Behavior and APIs

Time | Type | Description
05:12:01 | API Interceptor | 1x Sleep call for process: dw20.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_WebCompanion.exe_4ab25dc569c18c2d98012e117ff459ff1d3b277_00000000_1018ad86\Report.wer
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 13034
Entropy (8bit): 3.7662687854904013
Encrypted: false
SSDEEP: 192:HAL2q2Y+sVmcd/eDH/qwaPLk9MJzPOuTuBqWUlZ9/u7smS274ItFw:HACtqd2zafC6j/u7smX4ItG
MD5: 64DF5189FAB0C15587585969C044F39B
SHA1: A33749E40AF3076CD5FBDE66B2B04D53F2A2A85C
SHA-256: AA9F29828974598BAAD293CB030B295F4DA0207F4B43A3452CBE7CC0BCABC255
SHA-512: 879368FD4903B6EDD990CDEF77221F919C7C8EF4F0F75355F7C40002ED1F4BD66EF80BE96F160749CEACE51050732E43A9BB166C531925248E64BB730EAA4F7C
Malicious: false
Reputation: low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.4.9.6.2.7.9.1.7.7.5.7.5.4.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i. m.e.=.1.3.2.4.9.6.2.7.9.1.9.3.9.8.1.7.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.a.a.f.1.e.2.-.e.6.4.3.-.4.a.6.8.-.8.e.b.c.-.6.c.f.9.5.6.0. 5.5.3.5.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.e.b.C.o.m.p.a.n.i.o.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=. 0.0.0.0.1.b.d.c.-.0.0.0.1.-.0.0.1.b.-.f.8.a.7.-.6.e.f.4.a.9.b.8.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.4.a.1.2.3.e.a.d.e.5.c.0.9.7.1.a.8.2.3.2.3.1.c.2.d.3.8.5.e.8.d.0.0. 0.0.0.0.0.0.!.0.0.0.0.e.c.2.5.4.f.1.9.0.6.7.0.4.6.b.6.5.d.c.1.2.a.9.9.c.9.1.8.4.0.2.4.5.8.5.2.c.0.8.c.!.W.e.b.C.o.m.p.a.n.i.o.n...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.8././.0. 5././.1.0.:.1.1.:.5.7.:.1.1.!.7.6.1.6.2.c.!.W.e.b.C.o.m.p.a.n.i.o.n...e.x.e.....

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F7C.tmp.WERInternalMetadata.xml
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 7624
Entropy (8bit): 3.7051640035898243
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiOhH6K6YruSUIsQugmf6ST8ST+p1H+7/1fyqXNm:RrlsNio6K6YiSUIshgmfpYSWH+7tfyv
MD5: 72362553A22700D787E3E377B769A646
SHA1: 6E103DC4656E79AA82FE999A203CA22EDC6BB9E2
SHA-256: C07BBAD1E70A59F9B9A37A0169C8D6CF3A114613F1533E8E01C62FF2325D89B4
SHA-512: B5EB335404C3C5C99A99D4BE63DA012D87E27AAE53C0DEA3DB9B8EBDBC8949A3501CB41AD246DAA42A151207838A22061CD93B18D2C165C4F8C2013A441D61EB
Malicious: false
Reputation: low
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>...... <.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>...... <.W.i.n.d. o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>...... <.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>...... <.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o. <./.P.r.o.d.u.c.t.>...... <.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>...... <.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4. <./.B.u.i.l.d.S.t.r.i.n.g.>...... <.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>...... <.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>...... <.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./. A.r.c.h.i.t.e.c.t.u.r.e.>...... <.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>...... <./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>...... <.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>...... <.P.i.d.>.7.1.3.2.<./.P.i. d.>......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA019.tmp.xml
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4615
Entropy (8bit): 4.493615141399591
Encrypted: false
SSDEEP: 48:cvIwSD8zs5JgtWI9dksWSC8BG8fm8M4JFKfHwJoF91+q8bXsny+p85fUfd:uITfL4kFSNlJFKomgGy+p85fUfd
MD5: 4368629672A88409927AC75B9BD236D0
SHA1: 264EC391BAF8DBC20B780A7FD460DBBC034C30F2
SHA-256: 269F39B4BB7778F5DF667A563E0C42F122F6C392C859B4B804C0146CA3775FF8
SHA-512: C7AAB543B349F765A41AA268FE284FB5D9A85383B566CF80E1859945B52D6C2C36C60E12C67E615D231FA652E8CDE5D99DD24176A561812CFFE1031DA6DE34D0
Malicious: false
Reputation: low
Preview: .... .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 3.510829496406176
TrID:
  Win32 Executable (generic) Net Framework (10011505/4) 49.87%
  Win32 Executable (generic) a (10002005/4) 49.83%
  InstallShield setup (43055/19) 0.21%
  Windows Screen Saver (13104/52) 0.07%
  Generic Win/DOS Executable (2004/3) 0.01%
File name: WebCompanion.exe
File size: 7717480
MD5: 3496336940e172b597fa057c258834f1
SHA1: ec254f19067046b65dc12a99c91840245852c08c
SHA256: f9e63f937f2636f109339127751be4a8a88b3b0efbfdf536f6340271f689e1ce
SHA512: fddc19b42a4e1b92c81dd1156f2f396d8eb0586efc46458384d907cea20c7fb8708e49eb64478508124ddeb2375a552631b02247e1874273afab803b6838da12
SSDEEP: 24576:FmjoIwqRrTRXMWE3BLJb7a7pr2foDWRFwGc9SYic4JRFxSREK1H8YBrQbhlM7fzz:FmD8N3Vw7J23RFa6KFPBrQ/mr
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L.... 3.Z...... u..t...... n>u.. ...@u...@...... u. ....,.v...@......

File Icon

Icon Hash: 04818acce469a840

Static PE Info

General

Entrypoint: 0xb53e6e
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5AF43397 [Thu May 10 11:57:11 2018 UTC]
TLS Callbacks:
CLR (.Net) Version: v2.0.50727
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=GlobalSign CodeSigning CA - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 7/20/2016 4:12:37 PM
Not After: 7/21/2018 4:12:37 PM
Subject Chain: [email protected], CN=Lavasoft Software Canada, O=Lavasoft Software Canada, L=Saint-Laurent, S=Quebec, C=CA
Version: 3
Thumbprint MD5: 32B8E4DB7B8A577939FBEC139F68AB7F
Thumbprint SHA-1: 14A654624B209331FEE3123B654BF5887F02B6F2
Thumbprint SHA-256: 1784B436622EE5C5030D1722847EDF72FB2E9125364893361DA4A1198A16C92F
Serial: 6DE41F889CF84643F324B3D5

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the add byte ptr [eax], al instruction repeats for the rest of the preview: after the single jmp through the IAT entry at 0x402000, the remaining bytes of the .NET entry stub are 00 00, which disassemble to this instruction)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x753e24 | 0x4a | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x754000 | 0x70b2 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x759600 | 0x2c68 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x75c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x751e74 | 0x752000 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x754000 | 0x70b2 | 0x7200 | False | 0.388637609649 | data | 4.77227942457 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x75c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x75408c | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x754518 | 0x988 | data | |
RT_ICON | 0x754ec4 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x755f90 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x75855c | 0x1a7b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0x75a013 | 0x4c | data | |
RT_VERSION | 0x75a09b | 0x36c | data | |
RT_MANIFEST | 0x75a443 | 0xc6f | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Network Behavior

UDP Packets


Code Manipulations

Statistics

Behavior

• WebCompanion.exe
• dw20.exe


System Behavior

Analysis Process: WebCompanion.exe PID: 7132 Parent PID: 5936

General

Start time: 05:11:55
Start date: 12/11/2020
Path: C:\Users\user\Desktop\WebCompanion.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\WebCompanion.exe'
Imagebase: 0xc10000
File size: 7717480 bytes
MD5 hash: 3496336940E172B597FA057C258834F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

File Activities

File Created

Source  File Path                      Access                                     Attributes  Options                                                                                 Completion             Count  Address   Symbol
        C:\Users\user                  read data or list directory | synchronize  device      directory file | synchronous io non alert | open for backup ident | open reparse point  object name collision  1      722760AC  unknown
        C:\Users\user\AppData\Roaming  read data or list directory | synchronize  device      directory file | synchronous io non alert | open for backup ident | open reparse point  object name collision  1      722760AC  unknown

File Read

Source  File Path                                                                                Offset   Length  Completion       Count  Address   Symbol
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config                       unknown  4095    success or wait  1      722A5544  unknown
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config                       unknown  6304    success or wait  3      722A5544  unknown
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config                       unknown  4095    success or wait  1      722A8738  ReadFile
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll                unknown  4096    success or wait  1      7234BF06  unknown
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll                unknown  512     success or wait  1      7234BF06  unknown
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll  unknown  4096    success or wait  1      7234BF06  unknown
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll  unknown  512     success or wait  1      7234BF06  unknown

Analysis Process: dw20.exe PID: 4164 Parent PID: 7132

General

Start time: 05:11:57
Start date: 12/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit): true
Commandline: dw20.exe -x -s 1312
Imagebase: 0x10000000
File size: 33936 bytes
MD5 hash: 8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities


Registry Activities


Disassembly

Code Analysis
