ID: 39901
Sample Name: GUf5eGGUpw.000
Cookbook: default.jbs
Time: 00:06:11
Date: 13/12/2017
Version: 20.0.0

Table of Contents

Table of Contents 2
Analysis Report 4
  Overview 4
    General Information 4
    Detection 4
    Confidence 4
    Classification 5
    Analysis Advice 5
  Signature Overview 6
    Key, Mouse, Clipboard, Microphone and Screen Capturing: 6
    Software Vulnerabilities: 6
    Networking: 6
    Boot Survival: 6
    Persistence and Installation Behavior: 6
    Data Obfuscation: 6
    Spreading: 7
    System Summary: 7
    HIPS / PFW / Operating System Protection Evasion: 7
    Anti Debugging: 7
    Malware Analysis System Evasion: 7
    Hooking and other Techniques for Hiding and Protection: 8
    Language, Device and Operating System Detection: 8
  Behavior Graph 8
  Simulations 8
    Behavior and APIs 8
  Antivirus Detection 9
    Initial Sample 9
    Dropped Files 9
    Domains 9
  Yara Overview 9
    Initial Sample 9
    PCAP (Network Traffic) 9
    Dropped Files 9
    Memory Dumps 9
    Unpacked PEs 9
  Joe Sandbox View / Context 9
    IPs 9
    Domains 9
    ASN 10
    Dropped Files 10
  Screenshot 11
  Startup 11
  Created / dropped Files 11
  Contacted Domains/Contacted IPs 14
    Contacted Domains 14
    Contacted IPs 15
  Static File Info 15
    General 15
    File Icon 15
    Static PE Info 16
      General 16
      Entrypoint Preview 16
      Data Directories 17
      Sections 17
      Resources 18
      Imports 18
    Possible Origin 19
  Network Behavior 19
    Network Port Distribution 19
    TCP Packets 19
    UDP Packets 19
    DNS Queries 20
    DNS Answers 20
    HTTP Request Dependency Graph 20
    HTTP Packets 20
  Code Manipulations 20
  Statistics 20
  Behavior 20
    System Behavior 20
      Analysis Process: GUf5eGGUpw.exe PID: 3256 Parent PID: 2972 21
        General 21
        File Activities 21
          File Created 21
          File Deleted 23
          File Written 23
      Analysis Process: DiskGenius.exe PID: 3272 Parent PID: 3256 33
        General 33
        File Activities 33
        Registry Activities 33
  Disassembly 33
    Code Analysis 34

Copyright Joe Security LLC 2017 Page 2 of 34

Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 39901
Start time: 00:06:11
Joe Sandbox Product: CloudBasic
Start date: 13.12.2017
Overall analysis duration: 0h 6m 9s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: GUf5eGGUpw.000 (renamed file extension from 000 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: MAL
Classification: mal60.evad.spyw.winEXE@3/20@1/1
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 2.9% (good quality ratio 2.9%); Quality average: 86.1%; Quality standard deviation: 22.3%
Warnings:
• Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 60 | 0 - 100 | Report FP / FN | MAL

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |

Classification

Classification chart (figure): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; rating scale malicious / suspicious / clean.

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Signature Overview

• Key, Mouse, Clipboard, Microphone and Screen Capturing • Software Vulnerabilities • Networking • Boot Survival • Persistence and Installation Behavior • Data Obfuscation • Spreading • System Summary • HIPS / PFW / Operating System Protection Evasion • Anti Debugging • Malware Analysis System Evasion • Hooking and other Techniques for Hiding and Protection • Language, Device and Operating System Detection


Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Contains functionality to record screenshots

Creates a window with clipboard capturing capabilities

Contains functionality to register a low level keyboard hook

Installs a global keyboard hook

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Networking:

Contains functionality to download additional files from the internet

Downloads files

Downloads files from webservers via HTTP

Performs DNS lookups

Urls found in memory or binary data

Boot Survival:

Contains functionality to infect the boot sector

Persistence and Installation Behavior:

Creates license or readme file

Contains functionality to read ini properties file for application configuration

Drops PE files

May use bcdedit to modify the Windows boot settings

Contains functionality to infect the boot sector

Drops PE files with a suspicious file extension

Data Obfuscation:

Contains functionality to dynamically determine API calls

File is packed with WinRar

Uses code obfuscation techniques (call, push, ret)

Spreading:

Contains functionality to enumerate / list files inside a directory

Contains functionality to get notified if a device is plugged in / out

System Summary:

Executable creates window controls seldom found in malware

Uses Rich Edit Controls

Found graphical window changes (likely an installer)

Submission file is bigger than most known malware samples

PE file contains a debug data directory

Binary contains paths to debug symbols

Classification label

Contains functionality for error logging

Contains functionality to adjust token privileges (e.g. debug / backup)

Contains functionality to instantiate COM classes

Contains functionality to load and extract PE file embedded resources

Creates temporary files

PE file has an executable .text section and no other executable section

Reads ini files

Reads software policies

Sample is known by Antivirus (Virustotal or Metascan)

Spawns processes

Uses an in-process (OLE) Automation server

Contains functionality to communicate with device drivers

Creates driver files

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains strange resources

PE file does not import any functions

Reads the hosts file

Tries to load missing DLLs

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Program exit points

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Tries to detect virtual machines

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Extensive use of GetProcAddress (often used to hide API calls)

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Contains functionality to query windows version

Queries the cryptographic machine GUID

Contains functionality to query locales information (e.g. system language)

Behavior Graph

Behavior Graph (figure; node labels and legend recovered from the rendered graph)

ID: 39901; Sample: GUf5eGGUpw.000; Startdate: 13/12/2017; Architecture: WINDOWS; Score: 60

Process nodes: GUf5eGGUpw.exe (node counter: 32) started DiskGenius.exe (node counter: 11), which is marked "Is malicious" with the signature "Drops PE files with a suspicious file extension".

Dropped files shown: Hdrw.dll (PE32), HdrwImg.dll (PE32), Hdrwnt.dll (PE32); 12 further dropped files have been hidden because the dropped files exceeded the maximum capacity for this level.

Network node: www.diskman.cc, 120.27.53.36 port 80, CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd, China.

Signature nodes: Contains functionality to infect the boot sector; Contains functionality to register a low level keyboard hook; Installs a global keyboard hook.

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious.

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source | Detection | Cloud Link
GUf5eGGUp.exe | 3% | virustotal

Dropped Files

Source | Detection | Cloud Link
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Charset.dll | 0% | virustotal
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\DiskGenius.exe | 0% | virustotal
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Hdrw.dll | 0% | virustotal
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\HdrwImg.dll | 0% | metadefender
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\\CTMOUSE.EXE | 0% | metadefender
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\command.com | 0% | metadefender
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\himem.exe | 0% | metadefender

Domains

Source | Detection | Cloud Link
www.diskman.cc | 0% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd

Associated Sample Name / URL | SHA 256 | Detection | Context
Exp1161.exe | 9afd7f40c2bf760ad81f8363a435f53a7cc4069b18c70504a15f64d9cb914bc6 | malicious | 123.57.138.173
www.777pan.cc/file-111542.html | | malicious | 140.205.61.85
#U673a#U5668#U7761#U7720#U65e0#U6cd5#U5524#U9192#U4fee#U590d#U5de5#U5177V2.33.1346621.exe | 5050cbbf2662d541b5b1d94afd515bfa33087aa64ccce93e43d5b64232bb16c7 | malicious | 123.56.97.10
13Label_000132875.doc.js | b8357e1a710029b49cb412a0a329f6ded1487fb9ef44b8a058ad33cadf08d290 | malicious | 120.26.59.61
43Delivery_Notification_0000173357.doc.js | 9a225d3c5c5628e32709a2971ce7f2856b05a60fe0ab4f9200ee742980e23abb | malicious | 120.26.59.61
bbb.apk | bbbe22024eb1e004f11002d045907eea9b230d62979923a4be5a1908dae5c412 | malicious | 140.205.218.52
https://login.alibaba.com/?spm=a2700.8293689.scGlobalHomeHeader.356.wlqbkw&tracelog=hd_signin | | malicious | 106.11.172.8
19Shipping Detail pdf.exe | f0f8f716b149aaea947ad021a3f7126e5ecd898b6aa2559e383262764fe36bda | malicious | 116.62.232.149
19Scan_012394 inquiry december .pdf.exe | 3254a69a6925a970edce2644e01170270f189e194f0fd11269f8f82396629c7a | malicious | 115.28.113.128
129Proforma Invoice SO-01201800025 TT Slip Pdf.exe | f8a539f6fe9bdffdb9973e72a6ddfe0376e5e752c1afdbadf14ceef05c8d5e2f | malicious | 120.26.41.100
43Delivery_Notification_0000173357.doc.js | 9a225d3c5c5628e32709a2971ce7f2856b05a60fe0ab4f9200ee742980e23abb | malicious | 120.26.59.61
61FedEx_ID_0000199962.doc.wsf | c279559da3fb38a165627720c66789e4f40194b419bdea837b960e0de864c6be | malicious | 120.27.127.184
3Documento n.00732090-239423.pdf.js | ee69ba242b6feeeace8f211e71ffe6f0dda8b977fcc4c41a1dcc635b9bb98df0 | malicious | 118.190.117.88
base.apk | 2f225619be147f7b002bfe7e40bb7f5c81d491247b57274a6880348cd9cebe18 | malicious | 106.11.42.83
s0C79VUdSn.exe | b3f432cd2baa239ede8bf72a0fbe27268d659b31a46fd37cd1191bd9cf850314 | malicious | 106.11.62.101
11SCANDOC007.exe | 77f790b60a76bdc7c7b93fadc861acc396712c3b665cc8c3faf16ec898e14a3b | malicious | 120.55.85.137
13Label_000132875.doc.js | b8357e1a710029b49cb412a0a329f6ded1487fb9ef44b8a058ad33cadf08d290 | malicious | 121.42.105.165
Blood Pressure Nana_v1.0.7_apkpure.com.apk | 486577641ef88699c31902b407d05884c9fabfbe3c6516d88208586da266acc7 | malicious | 140.205.218.52
TaAlarm_com.lynn.oscillation_1.2.170926.apk | b13a415799c5a56e1cf3b6578f2feb574ebdc092cffcb6a79cfed2cc72c929eb | malicious | 140.205.248.8
18doc455567890999987.exe | 5e5821af8f9ea32c1f87219a5b9bfb7c79b5cf9cc4eebe6980fffe0af0dfd943 | malicious | 116.62.232.149

Dropped Files

No context

Screenshot

Startup

System is w7
GUf5eGGUpw.exe (PID: 3256 cmdline: 'C:\Users\user\Desktop\GUf5eGGUpw.exe' MD5: 1E367A08E3111FA78845D2DEC7C120E7)
  DiskGenius.exe (PID: 3272 cmdline: 'C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\DiskGenius.exe' MD5: 7518702B58AB7ED45F4B130C5A2FB567)
cleanup

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Att.dat
  File Type: data
  MD5: B961E373D784CC64464DD9D74CA76CD6
  SHA1: 3EF8CE3DAC46FDF34AB9B98A711F724A37397F3A
  SHA-256: 773C9E993DBC959132CB158CACAE6772E3152FAADA8B13A8BEBAD43C59A668C4
  SHA-512: EC317F7249BBA8A61248E3605B033F5B3ACAA93C781296E2289205C766400704AF98760AF9EE951A785982DEE22F50B508DF40A8C096BABAA9E9499252983D1D
  Malicious: false
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Charset.dll
  File Type: PE32 executable (DLL) (GUI) 80386, for MS Windows
  MD5: 2F328160799529A39306D22C6ADA0D91
  SHA1: 781433CE3807DD1D8A5A9EF94F67A1A88B948444
  SHA-256: 710B51FA973D161479DA62A83EFF7C4C1A528FBAAC7CB621E1E2F001082268CD
  SHA-512: F9CDDBCA8F9358A34356F39A25FAD79A6A009974E9C81A24D37784096B22373539AE03BD35DB04D01C7099F705DE4BA5AD696B244545452E5239CEFE4A18120F
  Malicious: false
  Antivirus: virustotal, Detection: 0%
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\DiskGenius.exe
  File Type: PE32 executable (GUI) Intel 80386, for MS Windows
  MD5: 7518702B58AB7ED45F4B130C5A2FB567
  SHA1: 8F4DCF1CFDBE8E0C78F0451A76B58974E3B49AA5
  SHA-256: 8C1FF539B6FFAB0DD4475142BF91FF20281E1842A41BBB0AB3F87A7DB0B35D4E
  SHA-512: EC10D2AC32A7BFA24C1E333F06864A1136A019F4FAFC92C4821AB8FCA94C8CD6B4E59AD2411AB7BB1D1747F3522D47D944E44DBBE9CEEE928E1AF1246D537D11
  Malicious: true
  Antivirus: virustotal, Detection: 0%
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Hdrw.dll
  File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: 8B19038A882B983B96F2123C4AC95E98
  SHA1: 8447D47C0FE13C289BC35DFBB226D7FE9EAA0A29
  SHA-256: F186FBAADEE92808ECEAB09337861EB960F371397012B7756C52B7DC35148DCE
  SHA-512: DEA0EBDBAEF054ECAA98AE0A35AC36DC6448179A16E460676BB092128961271DC2B55F6E8E5955AB960E25713A4E6798781D400570F8943693C1FCAB510F4432
  Malicious: false
  Antivirus: virustotal, Detection: 0%
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\HdrwImg.dll
  File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: 2B4FB94A692F819CEC9F655D175AC80B
  SHA1: A04F44EF8F1B5839F037C6CF963BDDF871A70FD6
  SHA-256: F60A823E3180BCA97DF428829E3C6794F955F27E53C1BFB40501C49BC326079F
  SHA-512: 5F23523D5358D8EDAAED541721943FF573851A5AA6F02F279208CC5F0C8155EB9F6859EB9FD3790FF872EE539670B2A44F74073C4024BC149658D2C8DDF54213
  Malicious: false
  Antivirus: metadefender, Detection: 0%
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Hdrwnt.dll
  File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: 5FDA1B7EEEA7E28A20E00624B641D0F6
  SHA1: 7B8E91D93B2D201BC0E556E21DCD85FCA39FFBAD
  SHA-256: 55E70D36BE67BDE016CB9ED7DBCD1649E994AB9A4F63D89FE7FF0BFB5B3A5C1A
  SHA-512: F332AE017CBA66FCED0F7D6BED0602D3F5BCA7E0B6018DB18ABF1F2F3E8614421C0FC41674A2525ECED09015FBE714B50F7BAFDAFF40E06BA2CE5CAAF3CACCE8
  Malicious: false
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Hdrwvm.dll
  File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: 10B654E1178D662682FEA35738367EB4
  SHA1: FCC8742AEDCD86C364A15E293149F034D0546086
  SHA-256: 5C60FB3325F50627F7D77465CBC390B408FC480FD88C857F61B29FCBB7DF6622
  SHA-512: 284AF70DCABB206C5426826DBF122090919DD88C338D00D009D4BF01EA023447F85D90AC51C5041ED2AFCDDA6756A34200015724401636E9964E2958DDB8290E
  Malicious: false
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\LangEng.dll
  File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: 00C4501B6FE5133BA8B4062429889749
  SHA1: FCF2ED27134BF89A9B397CC795F0CE49EF8A1205
  SHA-256: 46AEA0187D43F7A7C52CC5C42B63D09D9754396F3E331206D9AFBFDB3E701E0E
  SHA-512: FE6A691E29FF7CDF0BDFD3102A2DE7D9C65E36315952EBEEE071085E2E7C99500E7887225A7ACB37A363B6C162223190E487C17F7B74708C178002B00E2646CA
  Malicious: false
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\CTMOUSE.EXE
  File Type: MS-DOS executable, MZ for MS-DOS
  MD5: B76FE48CCD424461A569B56FE7B1D526
  SHA1: 5FB5A93C8722334A9D1080F3E4176620825F7FA8
  SHA-256: DC815A7AB8307C2D1F2994EBA83AC4E5E0E3BA6D7EA41CC7D0A9C2ED3D3A0197
  SHA-512: 979094E07F3466B95D3958F9223220BE34A56B61E1A5302FF71275E27B0D42A13473F2A06E67E0FE456E9C11F26E9EBAC097CB9F03941875ED401AA9187ED2C6
  Malicious: false
  Antivirus: metadefender, Detection: 0%
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\HELP.HLP
  File Type: ASCII text, with CRLF line terminators
  MD5: 5270427C5955CEACA3A9DBF735441C3A
  SHA1: CEDD3FFFCA7BB163C8CF6F7F145E6F3AFF1ECF28
  SHA-256: 0A5212FF22474F552C0FE16AAD9F87F6BA8A831D0741B122263ECA18662E6E38
  SHA-512: D21DF6E56327088FA9928625B63BB48CC4B4D7672920304DF5470A8A72F876E0C89973B87CA0E01E3AEF2F919F04A23D5BBFD0FE67E39377C18736E5778D2422
  Malicious: false
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\LICENSE.TXT
  File Type: ASCII text, with CRLF line terminators
  MD5: DE3A37002416DA68837472221F6C89DB
  SHA1: 2842646128A244E52CDF7FD2F55309ECF960AACE
  SHA-256: A849A99CE1A95D3C9CF20C0A07AA655E4491DFBDA7136EDF9B1FBE34D414B01E
  SHA-512: 980C98B3A3783B5FE2E408361D27D9F44344E123A7DBD56B50DB66C4E6C3289347AB421775CA8AF5B43B877DCDB0B7FC1632EA57C356257DABEA9769A7C712DA
  Malicious: false
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\command.com
  File Type: MS-DOS executable, MZ for MS-DOS
  MD5: F730339B0A5F461B530D93BD57050DFF
  SHA1: 0733DB7BABADD73A1B98E8983C83B96EACEF4E68
  SHA-256: BB27B9EFBE08B4AD85E6D41663C8C6572ACDD61C45E2731EC5A288EA21B3EF4C
  SHA-512: 98B50B6012EFA66AF89B8ACD5F84C4EB35BBF9DD14815643FD8EE99E92133FF5339C70CA4EA90C4460B7F2A95F0ED95193822A698FECE43DC2D3F8A5EC9A772C
  Malicious: true
  Antivirus: metadefender, Detection: 0%
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\diskgen.exe
  File Type: MS-DOS executable, LE executable for MS-DOS, PMODE/W DOS extender
  MD5: C39334BC825B3F2621B5B37BACF4C6D5
  SHA1: C2A71AFA382E43625362C2D5FB8CB5563CBEE7F3
  SHA-256: 4EE0F802EDA8E72E4889026B7B1733E1D1548C42B3E5EE3BC2BDEF45A32D778B
  SHA-512: 79B75944EE92A7903E7B53CCEDD4838BD854C9A8CD3ECD1925DDE691C30D7C7DE9BFC91BD5F45D7BE94E49EB9092A48BDC1F1F4EB2EE3968224D7C0689B42181
  Malicious: false
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\fdauto.bat
  File Type: DOS batch file, ASCII text, with CRLF line terminators
  MD5: D3B9539C60848F538D58E893867C20BE
  SHA1: 2A85ED28C70157C131169C3253543C14397310D0
  SHA-256: 4A728E49394F7DF2E6F34BCD02F23EB174872780368A2E194049980DD0CC9EA1
  SHA-512: D88C9A4A3DBDEAE71FEE17BC8CDF136F2C5EE917BF35A42B01503240E93D4A4EB185F2DF3AC517DA3FF83DE4F2437C54628977AFE7B55456CEA5D467BD73FFF8
  Malicious: false
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\fdconfig.sys
  File Type: ISO-8859 text, with CRLF line terminators
  MD5: DA9F969D16BDD4B430B0B89DD79AD4BB
  SHA1: D8A6FBB75455ECA010775387DF07683747C021F1
  SHA-256: 2B6CC1ABCDF3555CA761F694DD55294AA5C3665B33ACDA1FA86518F6512FEF6E
  SHA-512: 158578A8DC40642AF82330DF3B32F13E48784159CF1B4C5850FE3507F3604CB2E8E822FD2E64BC3D9FE25343318AF5942EC5D5DF164330FCA99D8A7881420D92
  Malicious: false
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\himem.exe
  File Type: MS-DOS executable, MZ for MS-DOS
  MD5: 738C9970441873717E954BAF4A9A97F9
  SHA1: 1A16E559A85B6409C90239AAB4C4DC9240CA8480
  SHA-256: 7B312EF953F1C6AC3EBF6098D18CB3A26D96E936E5E96A6C30B1837BD431AD6B
  SHA-512: 8729037FDC29392BA26A090C7AE4892965827DA29F68C9BA4B7889CE45F5B630ADA1B54CB8955D3D0F26E542762F2C31C520158D6528184D0176C8AF51644491
  Malicious: false
  Antivirus: metadefender, Detection: 0%
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\kernel.sys
  File Type: DOS executable (COM), UPX compressed
  MD5: 18D296F40F06C8A26EDA606C0031F677
  SHA1: 42568B259AD201BBBC20602AFF4139171FEF0D10
  SHA-256: F0EE1605AAD08DD327502AF98374BC237F4ACEB953F26BA5432ECF4DB34AEEBF
  SHA-512: C00DF3EC0B767A9597F8A64BD287E5602D458DBCD963D69C98AC77EE531956CC3AFE41EF726D901BD2E1A831C1A27B26B26D92F70CE3B7F4C8678442D377F008
  Malicious: false
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\shsucdx.com
  File Type: FREE-DOS executable (COM), UPX compressed
  MD5: 9135B1D3F92243170F243A677340444A
  SHA1: C5A9E50CA098FEE83D3D09F5A716ABF42561219F
  SHA-256: 81872EE962D6143F52F97E32E10366DCD0177856B36CEC978BEB7132BE65D6F8
  SHA-512: 04CA2CAB3945F2092E7EAD7224F4D7348EADB46CDC7581D45E6647FA701D56108562942B3F97F684837EBB1C524BBD5FE6BB067F0C79340DA21EA4C314B0D960
  Malicious: false
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\xcdrom.sys
  File Type: DOS executable (character device driver FDCD0001,close media-,control strings-support)
  MD5: EC7DA94CB533155FC0FFA4E1E595811D
  SHA1: F8E7F70B75CAC50E62FE8071678CEEF245764370
  SHA-256: F6C3F3C048FAF61E37793DDF789765D8CAB315636BE75073DEB047D89E8BEA31
  SHA-512: 685E8231692004DC1C3F877B67B3F5287ECC4EB57B9F4ED5E6543A8F39CED8E854C636149C1741014DAC1EB3E4BADB6619E207DEA2B42BA2CE50D32907FCC7D1
  Malicious: false
  Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\update.dll
  File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: 4FDE321B07029C53C8F023509D1865BC
  SHA1: 042CBF67C9400680ED4C8F8FF132BD3773951689
  SHA-256: 8F04B5FB5F85605AD500AF3B00454B5E6DCB23CF85D5322C70328E598A0059D1
  SHA-512: 349E7B01FBBCB936B18D4044240765CA7147BED1D9DA08BDD3D72C2121C8CF1F5C820FB6DBEBB997F89E461E2A78967C6261616882D7D6B33FA1DF554D76BE11
  Malicious: false
  Reputation: low

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection
www.diskman.cc | 120.27.53.36 | true | false | 0%, virustotal

Contacted IPs


IP | Country | ASN | ASN Name | Malicious
120.27.53.36 | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
TrID:
  Win32 Executable (generic) a (10002005/4) 99.94%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
  Java Script embedded in Visual Basic Script (1500/0) 0.01%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%

File name: GUf5eGGUp.exe
File size: 2125037
MD5: 1e367a08e3111fa78845d2dec7c120e7
SHA1: f96854d1e2267b039d5f1972773f76f49d245830
SHA256: b94521b76628ea2a43379f8d50d6c0e1a9187cf45286d739408da09319d75deb
SHA512: 3aa369e9aee797648f4a8fa8e0f5933295ee83a37ac676f0a488736307cf51cb054bd9a2aabf699330d40d01b4b9eb2c6fd8d992b1901dcedbd2a8d5b31fc8fb
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... }.A.9./.9. /.9./..aB.1./..aT.*./.9...../.'...<./.0...8./.0...../.0...8./.'...8./.0... 8./.Rich9./...... PE..L...p.IJ...

File Icon

Static PE Info

General
Entrypoint: 0x40a7ca
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x4A49AD70 [Tue Jun 30 06:15:12 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 30b144ee15c70ef78b44b4645fd4c35f

Entrypoint Preview

Instruction
call 00007F8210F71B88h
xor eax, eax
push eax
push eax
push eax
push eax
call 00007F8210F747E7h
ret
push esi
push edi
mov edi, dword ptr [esp+0Ch]
mov esi, ecx
mov ecx, edi
mov dword ptr [esi], edi
call 00007F8210F6C487h
mov dword ptr [esi+08h], eax
mov dword ptr [esi+0Ch], edx
mov eax, dword ptr [edi+00000C1Ch]
mov dword ptr [esi+10h], eax
pop edi
mov eax, esi
pop esi
retn 0004h
mov eax, ecx
mov ecx, dword ptr [eax]
mov edx, dword ptr [eax+10h]
cmp edx, dword ptr [ecx+00000C1Ch]
jne 00007F8210F71CAFh
push 00000000h
push dword ptr [eax+0Ch]
push dword ptr [eax+08h]
call 00007F8210F6C966h
ret
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
xor esi, esi
push esi
push esi
push esi
push esi
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00412230h]
test eax, eax
je 00007F8210F71CC3h
push esi
push esi
push esi
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00412234h]
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00412238h]
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00412280h]
pop esi
leave
ret
push ebp
mov ebp, esp
sub esp, 64h
push 00000064h
lea eax, dword ptr [ebp-64h]
push eax
push 0000000Fh
push 00000400h
call dword ptr [004120C8h]
movsx eax, byte ptr [ebp-64h]
leave
ret
push ebp
mov ebp, esp
sub esp, 34h
push ebx
xor ebx, ebx
push esi
push edi

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x13750 | 0x33 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x128dc | 0xc8 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x19c10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x122a0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12000 | 0x2a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1062b | 0x10800 | False | 0.633774266098 | 8086 relocatable (Microsoft) | 6.55628571575 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x12000 | 0x17d5 | 0x1800 | False | 0.483723958333 | data | 5.51221256251 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0xbff4 | 0x200 | False | 0.509765625 | data | 3.54344062801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.CRT | 0x20000 | 0x10 | 0x200 | False | 0.048828125 | dBase IV DBT of \367\025A.DBF, blocks size 4265441, next free block index 4265431 | 0.219439394857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x21000 | 0x1a000 | 0x19e00 | False | 0.502368282005 | data | 7.48622191484 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_BITMAP | 0x2145c | 0x14f30 | data | |
RT_ICON | 0x3638c | 0x368 | GLS_BINARY_LSB_FIRST | Korean | North Korea
RT_ICON | 0x3638c | 0x368 | GLS_BINARY_LSB_FIRST | Korean | South Korea
RT_ICON | 0x366f4 | 0xca8 | data | Korean | North Korea
RT_ICON | 0x366f4 | 0xca8 | data | Korean | South Korea
RT_ICON | 0x3739c | 0x1ca8 | data | Korean | North Korea
RT_ICON | 0x3739c | 0x1ca8 | data | Korean | South Korea
RT_DIALOG | 0x39044 | 0x282 | data | English | United States
RT_DIALOG | 0x392c8 | 0x136 | data | English | United States
RT_DIALOG | 0x39400 | 0xe8 | data | English | United States
RT_DIALOG | 0x394e8 | 0x12a | data | English | United States
RT_DIALOG | 0x39614 | 0x334 | data | English | United States
RT_DIALOG | 0x39948 | 0x21e | data | English | United States
RT_STRING | 0x39b68 | 0x22c | data | English | United States
RT_STRING | 0x39d94 | 0x3b2 | data | English | United States
RT_STRING | 0x3a148 | 0x212 | Hitachi SH big-endian COFF object, not stripped | English | United States
RT_STRING | 0x3a35c | 0x27e | data | English | United States
RT_STRING | 0x3a5dc | 0x4c | data | English | United States
RT_GROUP_ICON | 0x3a628 | 0x30 | MS Windows icon resource - 3 icons, 16x16, 256-colors | Korean | North Korea
RT_GROUP_ICON | 0x3a628 | 0x30 | MS Windows icon resource - 3 icons, 16x16, 256-colors | Korean | South Korea
RT_MANIFEST | 0x3a658 | 0x5b8 | XML document text | English | United States

Imports

DLL | Import
COMCTL32.dll |
KERNEL32.dll | DeleteFileA, DeleteFileW, CreateDirectoryA, CreateDirectoryW, FindClose, FindNextFileA, FindFirstFileA, FindNextFileW, FindFirstFileW, GetTickCount, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GlobalAlloc, lstrlenA, GetModuleFileNameA, FindResourceA, GetModuleHandleA, HeapAlloc, GetProcessHeap, HeapFree, HeapReAlloc, CompareStringA, ExitProcess, GetLocaleInfoA, GetNumberFormatA, GetProcAddress, DosDateTimeToFileTime, GetDateFormatA, GetTimeFormatA, FileTimeToSystemTime, FileTimeToLocalFileTime, ExpandEnvironmentStringsA, WaitForSingleObject, SetCurrentDirectoryA, Sleep, GetTempPathA, MoveFileExA, GetModuleFileNameW, SetEnvironmentVariableA, GetCommandLineA, LocalFileTimeToFileTime, SystemTimeToFileTime, GetSystemTime, IsDBCSLeadByte, GetCPInfo, FreeLibrary, LoadLibraryA, GetCurrentDirectoryA, GetFullPathNameA, SetFileAttributesW, SetFileAttributesA, GetFileAttributesW, GetFileAttributesA, WriteFile, GetStdHandle, SetLastError, ReadFile, CreateFileW, CreateFileA, GetFileType, SetEndOfFile, SetFilePointer, MoveFileA, SetFileTime, GetCurrentProcess, CloseHandle, GetLastError, lstrcmpiA
USER32.dll | ReleaseDC, GetDC, SendMessageA, wsprintfA, SetDlgItemTextA, EndDialog, DestroyIcon, SendDlgItemMessageA, GetDlgItemTextA, DialogBoxParamA, IsWindowVisible, WaitForInputIdle, GetSysColor, PostMessageA, SetMenu, SetFocus, LoadBitmapA, LoadIconA, CharToOemA, OemToCharA, GetWindow, GetClassNameA, GetWindowRect, GetParent, MapWindowPoints, CreateWindowExA, UpdateWindow, SetWindowTextA, LoadCursorA, RegisterClassExA, SetWindowLongA, GetWindowLongA, DefWindowProcA, PeekMessageA, GetMessageA, TranslateMessage, DestroyWindow, GetClientRect, CopyRect, IsWindow, MessageBoxA, ShowWindow, GetDlgItem, EnableWindow, FindWindowExA, wvsprintfA, CharToOemBuffA, LoadStringA, SetWindowPos, GetWindowTextA, CharUpperA, GetSystemMetrics, OemToCharBuffA, DispatchMessageA
GDI32.dll | GetDeviceCaps, GetObjectA, CreateCompatibleBitmap, SelectObject, StretchBlt, CreateCompatibleDC, DeleteObject, DeleteDC
COMDLG32.dll | GetSaveFileNameA, CommDlgExtendedError, GetOpenFileNameA
ADVAPI32.dll | LookupPrivilegeValueA, RegOpenKeyExA, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegCloseKey, SetFileSecurityW, SetFileSecurityA, OpenProcessToken, AdjustTokenPrivileges
SHELL32.dll | ShellExecuteExA, SHFileOperationA, SHGetFileInfoA, SHGetSpecialFolderLocation, SHGetMalloc, SHBrowseForFolderA, SHGetPathFromIDListA, SHChangeNotify
ole32.dll | CreateStreamOnHGlobal, OleInitialize, CoCreateInstance, OleUninitialize, CLSIDFromString
OLEAUT32.dll | VariantInit

Possible Origin

Language of compilation system | Country where language is spoken
Korean | North Korea
Korean | South Korea
English | United States

Network Behavior

Network Port Distribution

Total Packets: 6
- 80 (HTTP)
- 53 (DNS)

TCP Packets

(The two port-53 datagrams that the extracted table also listed here are the DNS exchange shown under UDP Packets below.)

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2017 00:06:56.457693100 CET | 49165 | 80 | 192.168.2.2 | 120.27.53.36
Dec 13, 2017 00:06:56.457715034 CET | 80 | 49165 | 120.27.53.36 | 192.168.2.2
Dec 13, 2017 00:06:56.457798004 CET | 49165 | 80 | 192.168.2.2 | 120.27.53.36
Dec 13, 2017 00:06:56.458472013 CET | 49165 | 80 | 192.168.2.2 | 120.27.53.36
Dec 13, 2017 00:06:56.458484888 CET | 80 | 49165 | 120.27.53.36 | 192.168.2.2
Dec 13, 2017 00:07:26.499046087 CET | 49165 | 80 | 192.168.2.2 | 120.27.53.36

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2017 00:06:56.072033882 CET | 63266 | 53 | 192.168.2.2 | 8.8.8.8
Dec 13, 2017 00:06:56.447366953 CET | 53 | 63266 | 8.8.8.8 | 192.168.2.2

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 13, 2017 00:06:56.072033882 CET | 192.168.2.2 | 8.8.8.8 | 0x16fb | Standard query (0) | www.diskman.cc | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 13, 2017 00:06:56.447366953 CET | 8.8.8.8 | 192.168.2.2 | 0x16fb | No error (0) | www.diskman.cc | (none) | 120.27.53.36 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

www.diskman.cc

HTTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Total Bytes Transferred (KB)
Dec 13, 2017 00:06:56.458472013 CET | 49165 | 80 | 192.168.2.2 | 120.27.53.36 | 0

Header:
GET /en/pro/dgupdate/update.ini HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: www.diskman.cc
Connection: Keep-Alive

The request is a cleartext HTTP fetch of an update descriptor (the dgupdate/update.ini path matches the update.dll dropped below), sent with a non-browser User-Agent; the capture records no response bytes, and the only other packet on the connection is sent by the client 30 seconds later.
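As an added example (this editor's code, not Joe Sandbox's and not part of the DiskGenius package), the function below joins the DNS answer, the TCP flow rows and the raw request header above into a single indicator record and performs the checks an analyst otherwise does by hand: that the destination IP was resolved from the Host name just before the connection, that the URL was fetched in cleartext, whether the User-Agent looks like a browser, and how many packets the conversation carried. The rows are transcribed from the tables above as constructed Python literals; the browser-UA regex is this editor's heuristic, not something the report defines.

```python
import re

# Rows transcribed from the report's network tables (constructed literals, all same day).
# TCP packets: (timestamp, src_ip, src_port, dst_ip, dst_port)
TCP_ROWS = [
    ("00:06:56.457693100", "192.168.2.2", 49165, "120.27.53.36", 80),
    ("00:06:56.457715034", "120.27.53.36", 80, "192.168.2.2", 49165),
    ("00:06:56.457798004", "192.168.2.2", 49165, "120.27.53.36", 80),
    ("00:06:56.458472013", "192.168.2.2", 49165, "120.27.53.36", 80),
    ("00:06:56.458484888", "120.27.53.36", 80, "192.168.2.2", 49165),
    ("00:07:26.499046087", "192.168.2.2", 49165, "120.27.53.36", 80),
]
# DNS answers: (timestamp, name, address)
DNS_ROWS = [("00:06:56.447366953", "www.diskman.cc", "120.27.53.36")]
# The flow the HTTP Packets table attributes the request to, and the raw header it shows
HTTP_FLOW = ("00:06:56.458472013", "192.168.2.2", 49165, "120.27.53.36", 80)
HTTP_REQUEST = (
    "GET /en/pro/dgupdate/update.ini HTTP/1.1\r\n"
    "User-Agent: MERONG(0.9/;p)\r\n"
    "Accept: */*\r\n"
    "Host: www.diskman.cc\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Heuristic (this editor's): mainstream browsers start their UA with Mozilla/ or Opera/
BROWSER_UA = re.compile(r"^(Mozilla|Opera)/")


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request header into request line and a lower-cased header map."""
    lines = raw.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def build_indicator(dns_rows, tcp_rows, flow, raw_request) -> dict:
    """Join DNS answer + TCP flow + HTTP request into one checkable IOC record."""
    ts, src, sport, dst, dport = flow
    resolved = {addr: (name, t) for t, name, addr in dns_rows}
    req = parse_http_request(raw_request)
    host = req["headers"].get("host", "")
    ua = req["headers"].get("user-agent", "")
    name, dns_ts = resolved.get(dst, (None, None))
    # Every packet of this conversation, in either direction
    flow_pkts = [r for r in tcp_rows
                 if {r[1], r[3]} == {src, dst} and {r[2], r[4]} == {sport, dport}]
    scheme = "https" if dport == 443 else "http"
    return {
        "url": f"{scheme}://{host}{req['target']}",
        "method": req["method"],
        "dst_ip": dst,
        "dst_port": dport,
        "dns_name": name,
        # The Host header should name what DNS resolved to dst; a mismatch means a
        # direct-IP connection or a Host value chosen independently of the lookup
        "host_matches_dns": name is not None and name.lower() == host.lower(),
        # Timestamps share one format (HH:MM:SS.nnnnnnnnn, same day), so string order is time order
        "dns_preceded_connect": dns_ts is not None and dns_ts < ts,
        "cleartext": scheme == "http",
        "user_agent": ua,
        "browser_like_ua": bool(BROWSER_UA.match(ua)),
        "packets_in_flow": len(flow_pkts),
    }


if __name__ == "__main__":
    for key, value in build_indicator(DNS_ROWS, TCP_ROWS, HTTP_FLOW, HTTP_REQUEST).items():
        print(f"{key:22} {value}")
```

The record is what goes into a watchlist: the URL and the User-Agent string are the durable indicators, while the IP is only as stable as the DNS answer that produced it, which is why the record keeps the name-to-address pairing rather than the address alone.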

Code Manipulations

Statistics

Behavior

• GUf5eGGUpw.exe • DiskGenius.exe


System Behavior

Analysis Process: GUf5eGGUpw.exe PID: 3256 Parent PID: 2972

General

Start time: 00:06:20
Start date: 13/12/2017
Path: C:\Users\user\Desktop\GUf5eGGUpw.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\GUf5eGGUpw.exe'
Imagebase: 0x71c30000
File size: 2125037 bytes
MD5 hash: 1E367A08E3111FA78845D2DEC7C120E7
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Every row has Count 1. The column values repeated on every row are:
- Directory rows (CreateDirectoryA at 4058BA, CreateDirectoryW at 4058AD): Access "read data or list directory and synchronize", Attributes "normal", Options "directory file and synchronous io non alert and open for backup ident and open reparse point".
- File rows (CreateFileW at 405211; the access-check file via CreateFileA at 405229): Access "read attributes and synchronize and generic read and generic write", Attributes "none", Options "synchronous io non alert and non directory file", Completion "success or wait".

The "object name collision" results on the parent directories are expected: the stub calls CreateDirectory on every component of the target path, and only RarSFX0 (and later dos) did not already exist.

Source File Path | Completion | Address | Symbol
C:\Users\user\Desktop | object name collision | 4058BA | CreateDirectoryA
C:\Users | object name collision | 4058BA | CreateDirectoryA
C:\Users\HERBBL~1 | object name collision | 4058BA | CreateDirectoryA
C:\Users\HERBBL~1\AppData | object name collision | 4058BA | CreateDirectoryA
C:\Users\HERBBL~1\AppData\Local | object name collision | 4058BA | CreateDirectoryA
C:\Users\HERBBL~1\AppData\Local\Temp | object name collision | 4058BA | CreateDirectoryA
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0 | success or wait | 4058BA | CreateDirectoryA
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_405312 | success or wait | 405229 | CreateFileA
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Hdrw.dll | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\HdrwImg.dll | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Hdrwnt.dll | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Hdrwvm.dll | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\LangEng.dll | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\update.dll | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Att.dat | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos | success or wait | 4058AD | CreateDirectoryW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\command.com | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\CTMOUSE.EXE | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\fdauto.bat | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\fdconfig.sys | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\himem.exe | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\kernel.sys | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\shsucdx.com | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\xcdrom.sys | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\HELP.HLP | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\LICENSE.TXT | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\diskgen.exe | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\DiskGenius.exe | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Charset.dll | success or wait | 405211 | CreateFileW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos | object name collision | 4058AD | CreateDirectoryW
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos | object name collision | 4058AD | CreateDirectoryW

File Deleted

Source File Path | Completion | Count | Address | Symbol
C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_405312 | success or wait | 1 | 405882 | DeleteFileA

This is the WinRAR SFX stub's write-access probe: it creates a throwaway file in the extraction directory (the numeric suffix is most likely taken from GetTickCount, which the stub imports) and deletes it again before unpacking. It is a useful filesystem signature for SFX archives in general, not an indicator of malicious intent by itself.

File Written

On every row Offset is "unknown", Completion is "success or wait", Address is 405603 and Symbol is WriteFile; Length and Count are given as the report records them. The Value column was a hex dump of the leading bytes interleaved with its ASCII rendering; below, each entry gives the decoded meaning of that prefix and, for binaries, the contiguous part of the dump from the DOS stub (or, for DOS-era files, from the start) onward, as the report shows it.

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Hdrw.dll
Length 32768, Count 31
Win32 PE image: MZ header (4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ...), e_lfanew 0x108, DOS stub, Rich header; the PE header lies past the dumped prefix.
Dump: cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cb 26 4c 84 8f 47 22 d7 8f 47 22 d7 8f 47 22 d7 f4 5b 2e d7 89 47 22 d7 0c 5b 2c d7 86 47 22 d7 e0 58 28 d7 8b 47 22 d7 e0 58 26 d7 8d 47 22 d7 e0 58 29 d7 8d 47 22 d7 b9 61 28 d7 85 47 22 d7 8f 47 23 d7 f6 47 22 d7 75 64 3b d7 8a 47 22 d7 b9 61 29 d7 a9 47 22 d7 48 41 24 d7 8e 47 22 d7 70 67 26 d7 8c 47 22 d7 52 69 63 68 8f 47 22 d7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\HdrwImg.dll
Length 28672, Count 1
Win32 PE image: MZ header, e_lfanew 0xf0, DOS stub, Rich header; PE header at 0xf0: Machine 0x14c (i386), 5 sections, TimeDateStamp 0x492fb283.
Dump: cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 37 58 e0 de 73 39 8e 8d 73 39 8e 8d 73 39 8e 8d f0 25 80 8d 77 39 8e 8d 1c 26 84 8d 77 39 8e 8d 1c 26 8a 8d 71 39 8e 8d 73 39 8f 8d 6a 39 8e 8d 89 1a 97 8d 76 39 8e 8d 45 1f 85 8d 70 39 8e 8d b4 3f 88 8d 72 39 8e 8d 8c 19 8a 8d 70 39 8e 8d 52 69 63 68 73 39 8e 8d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 b2 2f 49 00 00 00

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Hdrwnt.dll
Length 40960, Count 1
Win32 PE image: MZ header, e_lfanew 0xe0, DOS stub, Rich header; PE header at 0xe0: Machine 0x14c, 5 sections, TimeDateStamp 0x492fb272, SizeOfOptionalHeader 0xe0, Characteristics 0x210e (DLL), optional header magic 0x10b (PE32), linker version 6.0.
Dump: cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 76 50 80 dc 32 31 ee 8f 32 31 ee 8f 32 31 ee 8f b1 2d e0 8f 34 31 ee 8f 5d 2e e4 8f 36 31 ee 8f 5d 2e ea 8f 30 31 ee 8f 32 31 ef 8f 02 31 ee 8f c8 12 f7 8f 37 31 ee 8f 04 17 e5 8f 30 31 ee 8f f5 37 e8 8f 33 31 ee 8f cd 11 ea 8f 33 31 ee 8f 52 69 63 68 32 31 ee 8f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 72 b2 2f 49 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 50 00

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Hdrwvm.dll
Length 45056, Count 1
Win32 PE image: MZ header, e_lfanew 0xe8, DOS stub, Rich header; PE header at 0xe8: Machine 0x14c, 5 sections, TimeDateStamp 0x492fb25d.
Dump: cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 03 f4 91 c5 47 95 ff 96 47 95 ff 96 47 95 ff 96 c4 89 f1 96 42 95 ff 96 28 8a f5 96 43 95 ff 96 28 8a fb 96 45 95 ff 96 28 8a f4 96 45 95 ff 96 47 95 fe 96 6c 95 ff 96 bd b6 e6 96 42 95 ff 96 71 b3 f4 96 44 95 ff 96 80 93 f9 96 46 95 ff 96 b8 b5 fb 96 42 95 ff 96 52 69 63 68 47 95 ff 96 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5d b2 2f 49 00 00 00 00 00 00 00 00 e0 00 0e

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\LangEng.dll
Length 6144, Count 105
Win32 PE image: MZ header, e_lfanew 0xb0, DOS stub, short Rich header; PE header at 0xb0: Machine 0x14c, 2 sections, TimeDateStamp 0x493b59ff, Characteristics 0x210e (DLL), PE32, linker 6.0 (a resource-only language DLL).
Dump: cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 eb 20 35 db af 41 5b 88 af 41 5b 88 af 41 5b 88 68 47 5d 88 ae 41 5b 88 52 69 63 68 af 41 5b 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 02 00 ff 59 3b 49 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 00 00 00 00 50 18 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\update.dll
Length 28672, Count 1
Win32 PE image: MZ header, e_lfanew 0xf0, DOS stub, Rich header; PE header at 0xf0: Machine 0x14c, 4 sections, TimeDateStamp 0x492fa62b.
Dump: cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0c 96 f1 fd 48 f7 9f ae 48 f7 9f ae 48 f7 9f ae 33 eb 93 ae 49 f7 9f ae cb eb 91 ae 4b f7 9f ae 27 e8 95 ae 4c f7 9f ae 27 e8 9b ae 4a f7 9f ae 27 e8 94 ae 4a f7 9f ae 48 f7 9e ae 0b f7 9f ae b2 d4 86 ae 45 f7 9f ae 7e d1 94 ae 4b f7 9f ae b7 d7 9b ae 49 f7 9f ae 52 69 63 68 48 f7 9f ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 2b a6 2f 49 00 00 00

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Att.dat
Length 356101, Count 1
Data file with a "NAIF" magic (not a known public format); after a header and a run of zero bytes the dump contains 78 da, a valid zlib stream header (deflate, maximum compression), so the bulk of the file is most likely zlib-compressed content.
Dump: 4e 41 49 46 00 00 00 00 00 20 00 00 d6 08 00 00 d6 08 00 00 00 00 02 00 76 cd 01 00 4c d6 01 00 4c 10 00 00 de 02 00 00 2a d9 01 00 b0 02 04 00 7e 94 03 00 a8 6d 05 00 20 01 00 00 76 00 00 00 1e 6e 05 00 f8 00 00 00 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 da ed 57 7d 6c 53 d7 15 3f 7e cf 79 b6 f3 e1 e7 2d 2c a4 94 19 af 65 fe a3 5e 3b 4a 58 36 92 29 84 80 28 30 c4 12 07 f2 29 85 a6 c0 31 74 74 50 27 48 d5 36 a9 09 b6 99 c8 83 e0 aa 7f ec cf 25 cd aa 56 6c 93 26 15 41 f8 50 67 c7 55 f8 c8 22 01 93 50 e8 26 35 84 69 ba d9 d3 36 68 ba 38 1f c4 de 39 d7 49 9a 80 26 4d fb 63 7f f9 44 79 ef de 7b ce 3d e7 dc 73 7e e7 bc 6b d3 1f dd

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\command.com
Length 42240, Count 3
DOS MZ executable packed with UPX (the "UPX!" marker 55 50 58 21 is in the prefix); this is the FreeDOS command interpreter shipped with the DOS boot environment below.
Dump: 4d 5a c8 00 50 00 01 00 02 00 7f 09 7f 09 4a 10 00 02 00 00 00 00 00 00 1c 00 00 00 0d 00 e9 09 b9 28 4f be 4e 9e 89 f7 1e a9 b5 80 8c c8 05 05 00 8e d8 05 6d 06 8e c0 fd f3 a5 fc 2e 80 6c 12 10 73 e7 92 af ad 0e 0e 0e 06 1f 07 16 bd 01 00 bb 0f 80 55 cb 55 50 58 21 0d 03 03 0a 34 0e 9b a3 45 37 48 07 7e 02 01 80 9d 00 73 6a 01 00 f8 ff ba 23 0f 2e 89 16 35 02 ff b4 30 cd 21 8b 2e 02 00 ff 8b 1e 2c 00 8e da a3 90 ff 00 8c 06 8e 00 89 1e 8a 6f 03 2e a6 00 fd e8 3d 01 c4 3e 88 bf 1b c7 8b d8 b9 ff ff 7f fc f2 ae e3 61 43 26 ff 38 05 75 f6 80 cd 80 f7 ed d9 89 0e 1a ff b9 01 00 d3 e3 83 c3 08 ed 83 e3 f8 34 b7 8c 3c da 2b ff ea 8b 3e b4 0e 81 ff 00 f6 02 73 07 bf 04 df 89 0c c7 ff d8 10 72 28 03 3e ac 0e ff 72 22 b1 04 d3 ef 47 3b f7 ef 72 19 83 18 76 00 74

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\CTMOUSE.EXE
Length 5012, Count 1
DOS MZ executable packed with UPX (CuteMouse driver for the DOS environment).
Dump: 4d 5a 94 01 0a 00 01 00 02 00 c1 01 c1 01 65 01 2e 19 00 00 00 00 00 00 1c 00 00 00 0b 00 36 01 b9 8f 09 be 1c 13 89 f7 1e a9 b5 80 8c c8 05 05 00 8e d8 05 36 00 8e c0 fd f3 a5 fc 2e 80 6c 12 10 73 e7 92 af ad 0e 0e 06 1f 07 16 bd 04 00 bb 3f 80 55 cb 00 55 50 58 21 0b 03 03 09 85 71 37 91 b6 bd 63 5a 2e 16 00 a3 12 00 4e 16 00 00 7e f2 e9 e9 0b 00 41 5f 08 00 10 fb 00 ff 77 00 77 0b ff ff 3f ff 1f ff 0f ff ff 07 ff 03 ff 01 ff 00 fd 7f 00 3f 00 1f 00 fe 09 ff 30 7f f8 dd 01 ff fc df 22 40 00 60 00 70 fd 00 78 00 7c 00 7e bb 20 80 7f 07 bf 6c 00 46 00 06 00 bb 03 01 00 01 6b 29 00 9e 49 fd 05 01 01 b3 5d 06 5d 01 03 03 34 04 d3 05 5d 08 01 02 63 09 01 61 15 cd 01 ff 37 0f d4 03 ff ec 00 2c 01 19 00 c4 03 f6 e6 00 26 01 23 ff ce 03 1a 01 5a 01 09 e5 00 c0

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\fdauto.bat
Length 372, Count 1
Plain-text DOS batch file (autoexec for the FreeDOS boot environment). Decoded prefix:
@echo off
SET DEBUG=N
set dircmd=/P /OGN /4
set lang=EN

if !%config%==!1 goto safemode
if !%config%==!2 goto livecd
if !%config%==!3 goto dgen

goto safemode

:livecd
SHSUCDX.COM /QQ /R /D:FDCD0000
rem /L:X
if not exist FDCD0000 goto nocd

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\fdconfig.sys
Length 1014, Count 1
Plain-text FreeDOS configuration file. Decoded prefix (the e-mail address is shown as the report renders it):
; FreeDOS 1.0 Final distro  by Blair Campbell [[email protected]],
; last update 2005-08-02 by Blair Campbell [[email protected]]
; config.sys loads system drivers. Please edit to suit your needs.
;!SWITCHES=/E
!SWITCHES=/N
menucolor=7,0
MENU

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\himem.exe
Length 8058, Count 1
DOS MZ executable packed with UPX (XMS memory driver; the "XMSX" string is visible in the prefix).
Dump: 4d 5a 7a 01 10 00 01 00 02 00 f2 01 ff ff a8 03 00 04 00 00 2e 00 00 00 1c 00 00 00 05 00 f5 01 ff ff ff ff 00 80 0c 00 5e 00 53 00 0e 2e ff 36 0a 00 50 53 51 52 8c c8 05 a8 03 bb 00 04 8c d1 89 e2 8e d0 89 dc 51 52 56 57 55 1e 06 72 f9 9c b9 6c 0f be d6 1e 89 f7 1e a9 b5 80 8c c8 05 08 00 8e d8 05 c0 01 8e c0 fd f3 a5 fc 2e 80 6c 42 10 73 e7 92 af ad 0e 0e 0e 06 1f 07 16 bd 0c 00 bb bf 80 55 cb 55 50 58 21 0d 03 03 08 f0 3d 2b 23 01 9a 98 eb 13 31 00 0b 1e 00 e1 32 00 00 4d 9b ff 00 80 ff 53 00 5e 00 58 4d 53 58 36 30 00 41 f2 18 00 20 00 5b 25 9b 07 9a 20 f6 92 cf 00 00 13 ac fd 07 48 00 fd 0a 48 9f 0c 01 2e 8c ff 06 14 00 2e 89 1e 12 00 ff cb e8 e0 0f cb 50 b4 02 da eb 03 04 dd 5f c3 00 95 00 4f 50 52 1e ff 06 9c fa 33 c0 8e d8 48 ff 8e c0 26 a1 10 00

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\kernel.sys
Length 45341, Count 1
FreeDOS kernel image: a short jump followed by the "CONFIG" settings block, then a UPX-packed body ("UPX!" in the prefix).
Dump: eb 1b 43 4f 4e 46 49 47 13 00 00 01 02 00 01 00 6e 75 73 65 64 08 07 06 05 04 03 02 01 e9 d8 b0 b9 43 58 be 84 b0 89 f7 1e a9 b5 80 8c c8 05 05 00 8e d8 05 6c 06 8e c0 fd f3 a5 fc 2e 80 6c 12 10 73 e7 92 af ad 0e 0e 0e 06 1f 07 16 bd 10 00 bb ff 80 55 cb 55 50 58 21 0b 03 03 0a f4 d0 96 0e d4 c1 01 92 6c 05 01 bf af 00 7e 05 01 00 32 ff eb 0e 43 4f 4e 46 49 47 fb 06 00 00 01 02 02 7f 00 50 53 9c b8 31 ff 0e bb f0 00 cd 10 9d 5b fb 58 ea b0 a0 da 13 59 00 41 5d 71 df 12 31 c0 8e d8 a0 ff 96 04 24 10 2e a2 11 00 ff e9 7f 02 e3 06 e8 18 00 ff aa e2 fa e9 74 02 2e 8a 97 26 cd 16 fd 3c e0 75 06 08 e4 bd 0e b0 00 c3 bf 2c 2e 86 06 10 00 ff 08 c0 75 17 e8 e0 ff 09 fe c0 74 ee 3d 00 72 75 db 19 10 11 bd 05 2e 88 26 bd 1a c3 2e a0 8f 1f 1e b4 01 d8 2e 02 3e fb 74

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\shsucdx.com
Length 5612, Count 1
DOS .com program, UPX-packed; the readable strings in the prefix include "SHCDX33A", "6-Dec-2005", "Based on V3.03" and "State University" (the SHSUCDX CD-ROM redirector that fdauto.bat loads).
Dump: 81 fc c2 1c 77 02 cd 20 b9 ec 15 be ec 16 bf 62 1c bb 00 80 fd f3 a4 fc 87 f7 83 ee c6 19 ed 57 57 e9 e1 1a 55 50 58 21 0d 01 04 0a b5 f0 68 52 45 87 14 b4 f4 1a 54 15 06 a5 ff ff e9 13 ad 0d 0d 53 48 43 44 58 33 33 41 2c 20 32 f2 ff 36 2d 44 65 63 2d 32 30 30 35 2e 20 ff ff 42 61 73 65 64 20 6f 6e 20 56 33 2e 30 33 20 ef 6e 27 53 55 29 20 62 79 20 dd b5 4a 19 16 48 6f 6f e6 be 1e 61 6e 64 0d 2b 23 09 f9 31 2e 34 62 df dc 6f 68 22 47 4d 63 43 6f bb b7 79 5b 53 61 6d 30 75 73 ff bb 74 38 53 74 61 74 65 20 55 6e 69 76 ff ff 65 72 73 69 74 79 2e 01 1a 94 18 3f 9e 18 43 ed 7d fb 18 44 4b 18 45 02 4b a7 19 4c cb bf 08 4d a3 18 51 c6 18 52 53 ff ed 99 18 55 05 56 b4 18 7e 4c 18 ff 00 03 64 00 31 ff ff c0 59 8b 3e 6f 0e 29 f9 f3 aa b8 53 74 b9 b3 00 c8 ff bf 90

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\xcdrom.sys
Length 3745, Count 1
DOS character-device driver: the header starts with the ff ff ff ff next-driver link and carries the device name "FDCD0001" (fdauto.bat refers to the device as FDCD0000).
Dump: ff ff ff ff 00 c8 18 01 e0 05 46 44 43 44 30 30 30 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 14 03 00 00 b0 07 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 b0 07 70 00 ff ff 00 00 f1 ff 00 00 00 ff 06 0d ff ff ff ff ff ff 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 ff ff ff ff ff ff ff ff ff ff ff ff ff 0f 00 9d 01 15 02 15 02 15 02 a4 01 15 02 15 02 15 02 15 02 15 02 15 02 15 02 15 02 a9 01 24 02 24 02 09 00 15 02 41 02 15 02 f2 05 f2 05 27 06 60 06 15 02 15 02 67 06 10 00 15 02 25 2a 6f 36 15 02 15 02 15 02 15 02 3e 2b 2d 22 8c 2e 6b 13 a4 3e b9

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\HELP.HLP
Length 18352, Count 1
Plain-text help file for the DOS version of the tool. Decoded prefix: a box of asterisks framing the title "I. Introduction", followed by:
   Disk Genius is a powerful tool which not only allows you to
manage your har

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\LICENSE.TXT
Length 2791, Count 1
Plain-text licence. Decoded prefix:
Disk Genius V2.0
Copyright (c) 1999-2002 Dahai Lee. All rights reserved.
Email: lidah@heinfo.net

       END-USER LICENSE AGREEMENT FOR THIS SOFTWARE

   The  software  is   protected   by   copyright   laws   and
international   copyright   treat

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\dos\diskgen.exe
Length 146728, Count 1
DOS MZ executable built with the PMODE/W DOS extender (banner "PMODE/W v1.33 DOS extender - Copyright 1994-1997, Daredevil and Tran." in the prefix); the DOS build of DiskGenius that the licence above describes.
Dump: 4d 5a fc 00 17 00 00 00 04 00 b4 06 ff ff d7 03 00 01 00 00 5e 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2d 00 00 04 00 01 40 00 80 00 08 08 20 01 01 00 00 00 ff ff ff 7f 00 00 50 4d 4f 44 45 2f 57 20 76 31 2e 33 33 20 44 4f 53 20 65 78 74 65 6e 64 65 72 20 2d 20 43 6f 70 79 72 69 67 68 74 20 31 39 39 34 2d 31 39 39 37 2c 20 44 61 72 65 64 65 76 69 6c 20 61 6e 64 20 54 72 61 6e 2e 7d 04 1c 02 fc 16 07 bf 00 01 8b f7 57 b9 5e 16 f3 a5 06 1e 07 1f 5f be 22 02 06 0e a4 ad 8b e8 b2 10 1e b8 d9 01 50 cb d1 ed fe ca 75 05 ad 8b e8 b2 10 c3 e8 f1 ff 73 0f e8 ec ff 80 d1 01 d0 e1 e8 e4 ff d0 d7 e2 f9 b6 02 b1 04 fe c6 e8 d7 ff 72 1d e2 f7 e8 d0 ff 73 08 ac 8a c8 83 c1 0f eb 14 32 f6 b1

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\DiskGenius.exe
Length 32768, Count 29
Win32 PE image: MZ header, e_lfanew 0xe8, DOS stub, Rich header; PE header at 0xe8: Machine 0x14c, 4 sections, TimeDateStamp 0x493b5ba4. This is the child process analysed below.
Dump: cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 70 fc 67 48 34 9d 09 1b 34 9d 09 1b 34 9d 09 1b ce be 10 1b 24 9d 09 1b b7 81 07 1b 32 9d 09 1b 5b 82 03 1b 3f 9d 09 1b 5b 82 0d 1b 36 9d 09 1b 02 bb 0d 1b 36 9d 09 1b 34 9d 08 1b 5a 9e 09 1b cb bd 0d 1b 33 9d 09 1b 02 bb 02 1b 0e 9d 09 1b f3 9b 0f 1b 35 9d 09 1b 52 69 63 68 34 9d 09 1b 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 a4 5b 3b 49 00 00 00 00 00 00 00 00 e0 00 0f

C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\Charset.dll
Length 20480, Count 1
Win32 PE image: MZ header, e_lfanew 0xe0, DOS stub, Rich header; PE header at 0xe0: Machine 0x14c, 4 sections, TimeDateStamp 0x492fb2d5, Characteristics 0x210e (DLL), PE32, linker 6.0.
Dump: cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 37 c2 91 ca 73 a3 ff 99 73 a3 ff 99 73 a3 ff 99 1c bc f5 99 77 a3 ff 99 1c bc fb 99 71 a3 ff 99 73 a3 fe 99 7f a3 ff 99 89 80 e6 99 70 a3 ff 99 45 85 f4 99 71 a3 ff 99 8c 83 fb 99 72 a3 ff 99 52 69 63 68 73 a3 ff 99 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d5 b2 2f 49 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 10 00

Decoding the PE TimeDateStamp values visible in the dumps (all images are i386, all carry a Rich header, i.e. were linked with Microsoft tooling) gives one tight build window: HdrwImg.dll, Hdrwnt.dll, Hdrwvm.dll, Charset.dll and update.dll on 2008-11-28 UTC, LangEng.dll and DiskGenius.exe on 2008-12-07 UTC. That is the profile of a packaged commercial release rather than of a freshly assembled dropper, and it agrees with the DiskGenius strings, licence and update URL elsewhere in this report. Link timestamps are trivially forged, so treat this as corroboration of the attribution, not as proof, and note that the sandbox nonetheless scored the sample as malicious on behaviour (self-extraction to %TEMP%, child process, update beacon), not on identity.
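As an added example (this editor's code, not Joe Sandbox's and not part of DiskGenius), the routine below does the classification that the entries above were annotated with by hand: given the leading bytes of a file the sandbox saw being written, it tells a Win32 PE image (and reads Machine, section count, TimeDateStamp and whether a Rich header is present) from a DOS-era MZ file (where e_lfanew is meaningless and the UPX marker is the useful signal), the "NAIF" container, plain text and other binary data. The PE sample input is constructed to mirror the HdrwImg.dll prefix shown in the dump (MZ header with e_lfanew 0xf0, standard DOS stub, Rich marker with key 73 39 8e 8d, COFF header 4c 01 05 00 83 b2 2f 49); the Rich header body is omitted and the other sample inputs are placeholders, not bytes from the page.

```python
import struct
from datetime import datetime, timezone


def looks_like_zlib_header(pair: bytes) -> bool:
    """RFC 1950 check: CM must be 8 (deflate) and CMF*256+FLG must be a multiple of 31."""
    return len(pair) == 2 and (pair[0] & 0x0F) == 8 and ((pair[0] << 8) | pair[1]) % 31 == 0


def first_zlib_offset(data: bytes) -> int:
    """Offset of the first byte pair that passes the zlib header check, or -1 (heuristic)."""
    for i in range(len(data) - 1):
        if looks_like_zlib_header(data[i:i + 2]):
            return i
    return -1


def triage_written_prefix(data: bytes) -> dict:
    """Classify the leading bytes of a file recorded in a sandbox 'File Written' table.

    'kind' is one of: 'pe' (Win32 image with COFF header fields), 'mz-dos' (MZ file
    without a PE header, e.g. the UPX-packed FreeDOS tools), 'naif' (the Att.dat
    container), 'text' (printable ASCII) or 'binary'.
    """
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine, nsect, ts = struct.unpack_from("<HHI", data, e_lfanew + 4)
            return {
                "kind": "pe",
                "machine": machine,          # 0x14C = i386
                "sections": nsect,
                "timestamp": ts,             # link time, trivially forgeable
                "compiled_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
                "rich_header": b"Rich" in data[:e_lfanew],
            }
        # DOS-era MZ file: e_lfanew is not meaningful, so look for the packer tag instead
        return {"kind": "mz-dos", "upx": b"UPX!" in data}
    if data[:4] == b"NAIF":
        return {"kind": "naif", "zlib_stream_at": first_zlib_offset(data)}
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return {"kind": "binary"}
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return {"kind": "text", "first_line": text.splitlines()[0] if text else ""}
    return {"kind": "binary"}


def sample_hdrwimg_prefix() -> bytes:
    """Constructed stand-in for the first 0x108 bytes of HdrwImg.dll as dumped above."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0xF0)          # e_lfanew -> COFF header at 0xF0
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$\x00\x00\x00")
    rich_tail = b"Rich" + bytes.fromhex("73398e8d")          # "Rich" marker + XOR key from the dump
    body = (bytes(dos_header) + stub + rich_tail).ljust(0xF0, b"\x00")
    # Signature, Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 5, 0x492FB283, 0, 0, 0xE0, 0x210E)
    return body + coff


if __name__ == "__main__":
    for label, blob in [
        ("HdrwImg.dll", sample_hdrwimg_prefix()),
        ("command.com", b"MZ" + bytes(62) + b"UPX!"),                   # placeholder, not page bytes
        ("fdauto.bat", b"@echo off\r\nSET DEBUG=N\r\n"),
        ("Att.dat", b"NAIF" + bytes(60) + bytes.fromhex("78daed57")),    # placeholder layout
    ]:
        print(f"{label:14} {triage_written_prefix(blob)}")
```

Running it on the real dumps is a matter of feeding the hex runs through bytes.fromhex; the point of the timestamp field is the cross-check used above (a coherent set of link times across the dropped DLLs), and the zlib check is the cheap way to decide whether a blob such as Att.dat is worth inflating before anything else.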

Analysis Process: DiskGenius.exe PID: 3272 Parent PID: 3256

General

Start time: 00:06:20
Start date: 13/12/2017
Path: C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\DiskGenius.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\HERBBL~1\AppData\Local\Temp\RarSFX0\DiskGenius.exe'
Imagebase: 0x755c0000
File size: 450560 bytes
MD5 hash: 7518702B58AB7ED45F4B130C5A2FB567
Programmed in: C, C++ or other language
Antivirus matches: Detection: 0% (virustotal)
Reputation: low

File Activities

(no file activity rows are recorded for this process)

Registry Activities

(no registry activity rows are recorded for this process)

Disassembly

Code Analysis