ID: 206746 Sample Name: osquery- 4.1.2.msi Cookbook: default.jbs Time: 14:35:27 Date: 07/02/2020 Version: 28.0.0 Lapis Lazuli Table of Contents

Table of Contents 2 Analysis Report osquery-4.1.2.msi 5 Overview 5 General Information 5 Detection 5 Confidence 6 Classification 6 Analysis Advice 6 Mitre Att&ck Matrix 7 Signature Overview 7 Spreading: 7 Networking: 7 System Summary: 7 Hooking and other Techniques for Hiding and Protection: 8 Analysis System Evasion: 8 Language, Device and Operating System Detection: 8 Malware Configuration 8 Behavior Graph 8 Simulations 8 Behavior and APIs 9 Antivirus, Machine Learning and Genetic Malware Detection 9 Initial Sample 9 Dropped Files 9 Unpacked PE Files 9 Domains 9 URLs 9 Yara Overview 9 Initial Sample 9 PCAP (Network Traffic) 9 Dropped Files 10 Memory Dumps 10 Unpacked PEs 10 Sigma Overview 10 Joe Sandbox View / Context 10 IPs 10 Domains 10 ASN 10 JA3 Fingerprints 10 Dropped Files 10 Screenshots 10 Thumbnails 10 Startup 11 Created / dropped Files 11 Domains and IPs 11 Contacted Domains 11 URLs from Memory and Binaries 11 Contacted IPs 14 Static File Info 14 General 14 File Icon 14 Static OLE Info 14 General 14 Authenticode Signature 14 OLE File "osquery-4.1.2.msi" 15 Indicators 15 Summary 15 Streams 15 Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 7178 15 General 15 Copyright Joe Security LLC 2020 Page 2 of 27 Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 32 15 General 15 Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 520 15 General 16 Stream Path: \x16786\x17522\x15998\x17589\x17959\x17894\x16786\x17522\x17214\x17574, File Type: MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel, Stream Size: 1150 16 General 16 Stream Path: \x16944\x17191\x14436\x16830\x16740, File Type: Microsoft Cabinet archive data, 4595297 bytes, 18 files, Stream Size: 4595297 16 General 16 Stream Path: \x17163\x16689\x18229\x16446\x18156\x14988, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 207360 16 General 16 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15103\x17508\x16945\x18485, File Type: PC bitmap, Windows 3.x format, 493 x 58 x 8, Stream Size: 2746 16 General 17 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15231\x16684\x17583\x18474, File Type: PC bitmap, Windows 3.x format, 493 x 312 x 8, Stream Size: 68468 17 General 17 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15871\x18088, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318 General 1717 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x16319\x18483, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318 General 1717 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15295\x16827\x16687\x18480, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766 18 General 18 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15551\x17009\x18482, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors, Stream Size: 1078 18 General 18 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x17184\x16827\x18468, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 107008 General 1818 Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 1472 18 General 18 Stream Path: \x18496\x15518\x16925\x17915, File Type: data, Stream Size: 204 19 General 19 Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with CRLF, LF line terminators, Stream Size: 30123 19 General 19 Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 3464 19 General 19 Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 72 19 General 19 Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 4464 20 General 20 Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481, File Type: data, Stream Size: 4 20 General 20 Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481, File Type: data, Stream Size: 36 20 General 20 Stream Path: \x18496\x16786\x17522, File Type: data, Stream Size: 4 20 General 20 Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 48 20 General 20 Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42 20 General 21 Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42 21 General 21 Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 76 21 General 21 Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 16 21 General 21 Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14 21 General 21 Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778, File Type: iAPX 286 executable small model (COFF), Stream Size: 10 21 General 21 Stream Path: \x18496\x16924\x18037\x16812\x15144\x17522\x17783\x17394, File Type: data, Stream Size: 12 22 General 22 Stream Path: \x18496\x16924\x18037\x16812\x15528\x17841\x16695\x17391, File Type: data, Stream Size: 32 22 General 22 Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472, File Type: data, Stream Size: 36 22 General 22 Stream Path: \x18496\x17100\x16808\x15086\x18162, File Type: data, Stream Size: 8 22 General 22 Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 32 22 General 22 Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: x86 executable (TV) not stripped, Stream Size: 42 22 General 22 Stream Path: \x18496\x17165\x17380\x17074, File Type: basic-16 executable (TV) not stripped, Stream Size: 484 23 General 23 Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 360 23 General 23 Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 168 23 General 23 Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 114 23 General 23 Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 228 24 General 24 Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522, File Type: data, Stream Size: 504 24 General 24 Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905, File Type: basic-16 executable (TV) not stripped, Stream Size: 1536 24 General 24 Stream Path: \x18496\x17548\x17905\x17589\x18479, File Type: basic-16 executable (TV) not stripped, Stream Size: 5590 24 General 24 Stream Path: \x18496\x17557\x17318\x16921\x17461\x17836\x17206\x17522\x18486, File Type: data, Stream Size: 36 25 General 25 Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475, File Type: x86 executable (TV), Stream Size: 4 25 General 25 Copyright Joe Security LLC 2020 Page 3 of 27 Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: data, Stream Size: 32 25 General 25 Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 8 25 General 25 Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 60 25 General 25 Stream Path: \x18496\x17814\x15340\x17388\x15464\x17828\x18475, File Type: data, Stream Size: 360 25 General 25 Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 48 26 General 26 Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073, File Type: data, Stream Size: 40 26 General 26 Network Behavior 26 Code Manipulations 26 Statistics 26 System Behavior 26 Analysis Process: msiexec.exe PID: 5952 Parent PID: 4388 26 General 26 File Activities 27 Disassembly 27 Code Analysis 27

Copyright Joe Security LLC 2020 Page 4 of 27 Analysis Report osquery-4.1.2.msi

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli Analysis ID: 206746 Start date: 07.02.2020 Start time: 14:35:27 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 2m 58s Hypervisor based Inspection enabled: false Report type: light Sample file name: osquery-4.1.2.msi Cookbook file name: default.jbs Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, 63, Java 8.171, Flash 30.0.0.113 Number of analysed new started processes analysed: 2 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis stop reason: Timeout Detection: CLEAN Classification: clean1.winMSI@1/0@0/0 EGA Information: Failed HDC Information: Failed HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 Cookbook Comments: Adjust boot time Enable AMSI Found application associated with file extension: .msi Stop behavior analysis, all processes terminated

Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 1 0 - 100 false

Copyright Joe Security LLC 2020 Page 5 of 27 Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 2 0 - 5 true

Classification

Ransomware

Miner Spreading

mmaallliiiccciiioouusss

malicious

Evader Phishing

sssuusssppiiiccciiioouusss

suspicious

cccllleeaann

clean

Exploiter Banker

Spyware Trojan / Bot

Adware

Analysis Advice

Copyright Joe Security LLC 2020 Page 6 of 27 Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Command Remote Initial Privilege Defense Credential Lateral and Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Effects Effects Impact Replication Command- Winlogon Port DLL Side- Credential Peripheral Replication Data from Data Data Eavesdrop on Remotely Modify Through Line Helper DLL Monitors Loading 1 Dumping Device Through Local Compressed Obfuscation Insecure Track Device System Removable Interface 2 Discovery 1 1 Removable System Network Without Partition Media 1 Media 1 Communication Authorization Replication Graphical Port Accessibility Binary Network System Remote Data from Exfiltration Fallback Exploit SS7 to Remotely Device Through User Monitors Features Padding Sniffing Information Services Removable Over Other Channels Redirect Phone Wipe Data Lockout Removable Interface 1 Discovery 1 3 Media Network Calls/SMS Without Media Medium Authorization

Signature Overview

• Spreading • Networking • System Summary • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Language, Device and Operating System Detection

Click to jump to signature section

Spreading:

Checks for available system drives (often done to infect USB drives)

Networking:

Urls found in memory or binary data

System Summary:

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Classification label

Reads software policies

Sample is a Windows installer

Sample might require command line arguments

Uses an in-process (OLE) Automation server

Found graphical window changes (likely an installer)

PE / OLE file has a valid certificate

Copyright Joe Security LLC 2020 Page 7 of 27 Submission file is bigger than most known malware samples

Binary contains paths to debug symbols

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Malware Analysis System Evasion:

Checks the free space of harddrives

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Queries the cryptographic machine GUID

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend Legend: Process Signature Created File DNS/IP Info Is Dropped

Is Windows Process

Behavior Graph Number of created Registry Values Number of created Files ID: 206746 Visual Basic Sample: osquery-4.1.2.msi Startdate: 07/02/2020 Delphi Architecture: WINDOWS Java Score: 1 .Net C# or VB.NET

C, C++ or other language

started Is malicious

Internet msiexec.exe

2

Simulations

Copyright Joe Security LLC 2020 Page 8 of 27 Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source Detection Scanner Label Link osquery-4.1.2.msi 0% Virustotal Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source Detection Scanner Label Link https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/) 0% Virustotal Browse https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/) 0% Avira URL Cloud safe www.jonathanmedd.net/2014/01/testing-for-admin-privileges-in-powershell.html 0% Avira URL Cloud safe aobo.cc/aobo-mac-os-x-keylogger.html) 3% Virustotal Browse aobo.cc/aobo-mac-os-x-keylogger.html) 0% Avira URL Cloud safe https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/) 0% Virustotal Browse https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/) 0% Avira URL Cloud safe https://osquery.io 0% Virustotal Browse https://osquery.io 0% Avira URL Cloud safe www.blazingtools.com/mac_keylogger.html) 2% Virustotal Browse www.blazingtools.com/mac_keylogger.html) 0% Avira URL Cloud safe https://www.elitekeyloggers.com/elite-keylogger-mac) 0% Virustotal Browse https://www.elitekeyloggers.com/elite-keylogger-mac) 0% Avira URL Cloud safe https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm) 0% Virustotal Browse https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm) 0% Avira URL Cloud safe 169.254.169.254/latest/ 0% Virustotal Browse 169.254.169.254/latest/ 0% Avira URL Cloud safe https://clo.ng/blog/osquery_reverse_shell/) 0% Avira URL Cloud safe adios-hola.org) 0% Avira URL Cloud safe 169.254.169.254/latest//sys/hypervisor/uuid 0% Avira URL Cloud safe https://osquery.io/schema/# 0% Virustotal Browse https://osquery.io/schema/# 0% Avira URL Cloud safe https://vulnsec.com/2016/osx-apps-vulnerabilities/) 0% Virustotal Browse https://vulnsec.com/2016/osx-apps-vulnerabilities/) 0% Avira URL Cloud safe https://osquery.io/schema/#osquery 0% Virustotal Browse https://osquery.io/schema/#osquery 0% Avira URL Cloud safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

Copyright Joe Security LLC 2020 Page 9 of 27 No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Copyright Joe Security LLC 2020 Page 10 of 27 Startup

System is w10x64 msiexec.exe (PID: 5952 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\osquery-4.1.2.msi' MD5: 4767B71A318E201188A0D0A420C8B608) cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation www.thesafemac.com/arg-spigot/) CM_FP_packs.osx_attacks.conf false high

Copyright Joe Security LLC 2020 Page 11 of 27 Name Source Malicious Antivirus Detection Reputation https://blog.fox-it.com/2017/05/03/snake-coming-soon- CM_FP_packs.osx_attacks.conf false 0%, Virustotal, Browse low in-mac-os-x-flavour/) Avira URL Cloud: safe https://github.com/PaloAltoNetworks- CM_FP_packs.osx_attacks.conf false high BD/WireLurkerDetector) https://threatpost.com/mac-adware-osx-pirrit-unleashes- CM_FP_packs.osx_attacks.conf false high ad-overload-for-now/117273/) https://www.f-secure.com/v-descs/inqtana_a.shtml) CM_FP_packs.osx_attacks.conf false high www.thesafemac.com/arg-downlite/) CM_FP_packs.osx_attacks.conf false high www.thesafemac.com/arg-buca-apps/) CM_FP_packs.osx_attacks.conf false high https://sensorstechforum.com/untabs-browser- CM_FP_packs.windows_attacks.conf false high extension-virus-remove-completely/) www.jonathanmedd.net/2014/01/testing-for-admin- CM_FP_manage_osqueryd.ps1 false Avira URL Cloud: safe low privileges-in-powershell.html https://blog.malwarebytes.com/threat- CM_FP_packs.osx_attacks.conf false high analysis/2017/01/new-mac-backdoor-using-antiquated-code/) https://blog.malwarebytes.com/threat- CM_FP_packs.osx_attacks.conf false high analysis/2018/10/mac-malware-intercepts-encrypted-web- traffic-f www..com/mac-security-blog/new-mac-trojan- CM_FP_packs.osx_attacks.conf false high discovered-related-to-syria/) https://objective-see.com/blog/blog_0x20.html) CM_FP_packs.osx_attacks.conf false high aobo.cc/aobo-mac-os-x-keylogger.html) CM_FP_packs.osx_attacks.conf false 3%, Virustotal, Browse low Avira URL Cloud: safe researchcenter.paloaltonetworks.com/2016/03/new-os- CM_FP_packs.osx_attacks.conf false high x-ransomware-keranger-infected-transmissio www.openssl.org/support/faq.html CM_FP_osqueryd.osqueryd.exe false high https://objective-see.com/blog/blog_0x1D.html CM_FP_packs.osx_attacks.conf false high https://www.alienvault.com/blogs/labs- CM_FP_packs.osx_attacks.conf false high research/oceanlotus-for-os-x-an-application-bundle- pretending- www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html) CM_FP_packs.vuln_management.conf false high https://isc.sans.edu/diary/23816) CM_FP_packs.osx_attacks.conf false high https://www.f-secure.com/v- CM_FP_packs.osx_attacks.conf false high descs/backdoor_osx_mackontrol_a.shtml) https://www.volexity.com/blog/2017/07/24/real-news- CM_FP_packs.osx_attacks.conf false 0%, Virustotal, Browse unknown fake-flash-mac-os-x-users-targeted/) Avira URL Cloud: safe https://objective-see.com/blog/blog_0x26.html) CM_FP_packs.osx_attacks.conf false high CM_FP_osquery.conf false high https://gist.github.com/cobbr/acbe5cc7a186726d4e309070187 beee6 https://www.f- CM_FP_packs.osx_attacks.conf false high secure.com/weblog/archives/00002546.html) https://sensorstechforum.com/ccleaner-trojan-floxif- CM_FP_packs.windows_attacks.conf false high malware-how-to-remove/) blog.kaspersky.com/the-mask-unveiling-the-worlds- CM_FP_packs.osx_attacks.conf false high most-sophisticated-apt-campaign/) https://www.f-secure.com/v- CM_FP_packs.osx_attacks.conf false high descs/backdoor_osx_sabpab_a.shtml) https://osquery.io CM_FP_osqueryd.osqueryd.exe false 0%, Virustotal, Browse low Avira URL Cloud: safe www.intego.com/mac-security-blog/os-x-malware-tibet- CM_FP_packs.osx_attacks.conf false high variant-found/) www.blazingtools.com/mac_keylogger.html) CM_FP_packs.osx_attacks.conf false 2%, Virustotal, Browse low Avira URL Cloud: safe https://www.virustotal.com/latest- CM_FP_packs.osx_attacks.conf false high scan/15966224C4E25C9787A4A8C984A863E9) www.thesafemac.com/osxfkcodec-a-in-action/ CM_FP_packs.osx_attacks.conf false high https://www.f-secure.com/v- CM_FP_packs.osx_attacks.conf false high descs/backdoor_osx_olyx_c.shtml) https://www.elitekeyloggers.com/elite-keylogger-mac) CM_FP_packs.osx_attacks.conf false 0%, Virustotal, Browse unknown Avira URL Cloud: safe https://blog.malwarebytes.com/threat- CM_FP_packs.osx_attacks.conf false high analysis/2016/07/cross-platform-malware-adwind-infects-mac/) CM_FP_packs.osx_attacks.conf false high https://www.virustotal.com/en/file/f261815905e77eebdb5c4ec 06a7acdda7b68644b1f5155049f133be866d8b179/ https://github.com/TrullJ/sticky-keys- CM_FP_packs.windows_attacks.conf false high scanner/blob/master/TestFor-StickyKey.ps1) www.thesafemac.com/arg-premier-opinion/) CM_FP_packs.osx_attacks.conf false high https://www.welivesecurity.com/2017/10/20/osx-proton- CM_FP_packs.osx_attacks.conf false high supply-chain-attack-elmedia/) researchcenter.paloaltonetworks.com/2015/09/novel- CM_FP_packs.osx_attacks.conf false high malware-xcodeghost-modifies-xcode-infects-a

Copyright Joe Security LLC 2020 Page 12 of 27 Name Source Malicious Antivirus Detection Reputation CM_FP_packs.unwanted_chrome_ex false high https://www.bleepingcomputer.com/news/security/chrome- tensions.conf extension-with-over-one-million-users-hijacked https://blog.malwarebytes.com/threat-analysis/mac- CM_FP_packs.osx_attacks.conf false high threat-analysis/2017/11/osx-proton-spreading-throu https://www.bleepingcomputer.com/news/security/eight- CM_FP_packs.unwanted_chrome_ex false high chrome-extensions-hijacked-to-deliver-malicious tensions.conf CM_FP_packs.osx_attacks.conf false 0%, Virustotal, Browse low https://www.virusbtn.com/virusbulletin/archive/2014/10/vb2014 Avira URL Cloud: safe 10-iWorm) https://blog.malwarebytes.com/cybercrime/2016/07/new- CM_FP_packs.osx_attacks.conf false high mac-backdoor-malware-eleanor/) 169.254.169.254/latest/ CM_FP_osqueryd.osqueryd.exe false 0%, Virustotal, Browse unknown Avira URL Cloud: safe CM_FP_packs.osx_attacks.conf false high https://www.virustotal.com/en/file/9530d481f7bb07aac98a463 57bfcff96e2936a90571b4629ae865a2ce63e5c8e/ https://sensorstechforum.com/windows-infected-2- CM_FP_packs.windows_attacks.conf false high viruses-scam-remove/) https://www.f-secure.com/v- CM_FP_packs.osx_attacks.conf false high descs/backdoor_osx_imuler_a.shtml) securelist.com/blog/research/57331/the-icefog-apt-a- CM_FP_packs.osx_attacks.conf false high tale-of-cloak-and-three-daggers/) www.trendmicro.com/vinfo/us/threat- CM_FP_packs.osx_attacks.conf false high encyclopedia/malware/osx_morcut.a) CM_FP_packs.unwanted_chrome_ex false high https://www.reddit.com/r/chrome/comments/6htzan/psawarnin tensions.conf g_giphy_extension_6172017_is_now_malware/) www.thesafemac.com/arg-conduit/) CM_FP_packs.osx_attacks.conf false high https://hg.mozilla.org/releases/mozilla-release/raw- CM_FP_certs.certs.pem false high file/default/security/nss/lib/ckfw/builtins/cert https://www.fireeye.com/blog/threat- CM_FP_packs.osx_attacks.conf false high research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on- os-x.htm https://clo.ng/blog/osquery_reverse_shell/) CM_FP_packs.osx_attacks.conf false Avira URL Cloud: safe unknown https://malwarefixes.com/remove-pronto-video- CM_FP_packs.osx_attacks.conf false high converter/) CM_FP_packs.unwanted_chrome_ex false high https://www.virustotal.com/#/file/5cab0821f597100dc1170bfef tensions.conf 704d8cebaf67743e9d509e83b0b208eb630d992/d CM_FP_packs.osx_attacks.conf false high https://github.com/EmpireProject/EmPyre/blob/master/lib/mod ules/persistence/osx/launchdaemonexecutab adios-hola.org) CM_FP_packs.unwanted_chrome_ex false Avira URL Cloud: safe low tensions.conf www.symantec.com/security_response/writeup.jsp? CM_FP_packs.osx_attacks.conf false high docid=2010-081606-4034-99&tabid=2) https://objective-see.com/blog/blog_0x32.html CM_FP_packs.osx_attacks.conf false high https://www.f-secure.com/v- CM_FP_packs.osx_attacks.conf false high descs/backdoor_osx_devilrobber_a.shtml) 169.254.169.254/latest//sys/hypervisor/uuid CM_FP_osqueryd.osqueryd.exe false Avira URL Cloud: safe unknown https://www.f-secure.com/v- CM_FP_packs.osx_attacks.conf false high descs/backdoor_osx_iworkserv_a.shtml) blog.checkpoint.com/2017/04/27/osx-malware-catching- CM_FP_packs.osx_attacks.conf false high wants-read-https-traffic/) www.trendmicro.com/vinfo/us/threat- CM_FP_packs.osx_attacks.conf false high encyclopedia/malware/osx_dockster.a) researchcenter.paloaltonetworks.com/2016/09/unit42- CM_FP_packs.osx_attacks.conf false high sofacys-komplex-os-x-trojan/) www.thesafemac.com/arg-bundlore/) CM_FP_packs.osx_attacks.conf false high https://osquery.io/schema/# CM_FP_osqueryd.osqueryd.exe false 0%, Virustotal, Browse low Avira URL Cloud: safe www.thesafemac.com/arg-genieo/) CM_FP_packs.osx_attacks.conf false high https://securelist.com/blog/research/75990/the-missing- CM_FP_packs.osx_attacks.conf false high piece-sophisticated-os-x-backdoor-discovered/ https://vulnsec.com/2016/osx-apps-vulnerabilities/) CM_FP_packs.vuln_management.conf false 0%, Virustotal, Browse unknown Avira URL Cloud: safe https://osquery.io/schema/#osquery CM_FP_osqueryd.osqueryd.exe false 0%, Virustotal, Browse low Avira URL Cloud: safe www.welivesecurity.com/2016/07/06/new-osxkeydnap- CM_FP_packs.osx_attacks.conf false high malware-hungry-credentials) https://objective-see.com/blog/blog_0x2A.html) CM_FP_packs.osx_attacks.conf false high www.thesafemac.com/osxfkcodec-a-in-action/) CM_FP_packs.osx_attacks.conf false high

Copyright Joe Security LLC 2020 Page 13 of 27 Name Source Malicious Antivirus Detection Reputation CM_FP_packs.unwanted_chrome_ex false high https://www.bleepingcomputer.com/news/security/copyfish- tensions.conf chrome-extension-hijacked-to-show-adware/)

Contacted IPs

No contacted IP infos

Static File Info

General File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: osquery, Au thor: osquery, Keywords: Installer, Comments: This installer database contains the logic and data required to install osquery., Template: x64;1033, Revision Num ber: {923DE643-686A-460A-A350-64EF3FAA756F}, Create Time/Date: Wed Dec 18 06:50:52 2019, Last Saved Time/Date: Wed Dec 18 06:50:52 2019, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.231 8), Security: 2 Entropy (8bit): 7.936678090722484 TrID: Microsoft Windows Installer (638509/1) 93.55% ClickyMouse macro set (36024/1) 5.28% Generic OLE2 / Multistream Compound File (8008/1) 1.17% File name: osquery-4.1.2.msi File size: 5087232 MD5: 3c9527b1721318d469596f6c19986785 SHA1: c425880b2007052280a491ff71a6b5ca78505a22 SHA256: 376398b110dad560167b0915598a50551b902ad46bb420 bad297faa6d56659ee SHA512: 51393d10a79d2e8ed2e4f39fb170a25ffdbf272c355c0919 dfb53f135378e5f204991f22d56a76687c3c4a98a83fe189 ce23202143bbb7ad37ca091e782c4b64 SSDEEP: 98304:vlR5gKZ1ssnMT1CmPcR25UPn50J5qDigkg83+ scWsIcaAEKn03uGux3EWOlSnaKG:vlR59PshCoc7iBg 7I+sRrRZQePlSa File Content Preview: ...... >......

File Icon

Icon Hash: a2a0b496b2caca72

Static OLE Info

General Document Type: OLE Number of OLE Files: 1

Authenticode Signature

Signature Valid: true Signature Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US Signature Validation Error: The operation completed successfully Error Number: 0 Not Before, Not After 1/27/2019 4:00:00 PM 2/19/2020 4:00:00 AM Subject Chain CN=Nick Anderson, O=Nick Anderson, L=Sunnyvale, S=California, C=US Version: 3 Thumbprint MD5: DF17F6CC6852F1D9CEDF7D79E35EA3D1

Copyright Joe Security LLC 2020 Page 14 of 27 Thumbprint SHA-1: 8D666B9192EF9E3929289C12316478D51F25DB27 Thumbprint SHA-256: 9C23D72F34904131ADDA3151E42EC4DE293B646962D7879A63F5C0616252ED3C Serial: 069BE7BDD9AA1C4CEA4437E73DB4CEF6

OLE File "osquery-4.1.2.msi"

Indicators Has Summary Info: True Application Name: Windows Installer XML Toolset (3.11.1.2318) Encrypted Document: False Contains Word Document Stream: False Contains Workbook/Book Stream: False Contains PowerPoint Document Stream: False Contains Visio Document Stream: False Contains ObjectPool Stream: Flash Objects Count: Contains VBA Macros: False

Summary Code Page: 1252 Title: Installation Database Subject: osquery Author: osquery Keywords: Installer Comments: This installer database contains the logic and data required to install osquery. Template: x64;1033 Revion Number: {923DE643-686A-460A-A350-64EF3FAA756F} Create Time: 2019-12-18 06:50:52 Last Saved Time: 2019-12-18 06:50:52 Number of Pages: 301 Number of Words: 2 Creating Application: Windows Installer XML Toolset (3.11.1.2318) Security: 2

Streams

Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 7178

General Stream Path: \x5DigitalSignature File Type: data Stream Size: 7178 Entropy: 7.25203818536 Base64 Encoded: True Data ASCII: 0 . . . . . * . H ...... 0 ...... 1 . 0 . . . ` . H . e ...... 0 w . . + . . . . . 7 . . . . i 0 g 0 2 . . + . . . . . 7 . . . 0 $ ...... F ...... 0 1 0 . . . ` . H . e ...... G h . ) ...... x . . y S i ...... a 0 . . ) 0 ...... L . D 7 . = . . . 0 . . . * . H ...... 0 r 1 . 0 . . . U . . . . U S 1 . 0 . . . U . . . . D i g i C e r t I n c 1 . 0 . Data Raw: 30 82 1c 06 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 1b f7 30 82 1b f3 02 01 01 31 0f 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 30 77 06 0a 2b 06 01 04 01 82 37 02 01 04 a0 69 30 67 30 32 06 0a 2b 06 01 04 01 82 37 02 01 1e 30 24 02 01 02 04 10 f1 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 01 00 02 01 00 02 01 00 02 01 00 02 01 00 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01

Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 32

General Stream Path: \x5MsiDigitalSignatureEx File Type: data Stream Size: 32 Entropy: 4.875 Base64 Encoded: False Data ASCII: . . . a . . 9 . . a s h - . y ...... Data Raw: 89 b0 d9 61 a8 c6 39 92 9a 61 73 68 2d a8 79 ca 00 1c d1 16 fc 9e 11 1f 1d 9f 15 80 cf 02 ce b2

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 520

Copyright Joe Security LLC 2020 Page 15 of 27 General Stream Path: \x5SummaryInformation File Type: data Stream Size: 520 Entropy: 4.55820424223 Base64 Encoded: True Data ASCII: ...... O h . . . . . + ' . . 0 ...... x ...... 0 ...... D ...... t ...... I n s t a l l a t i o n D a t a b a s e ...... o s q u e r y ...... o s q u e r y ...... I n s t a l l e Data Raw: fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d8 01 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 80 00 00 00 03 00 00 00 a0 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 d4 00 00 00 07 00 00 00 30 01 00 00 09 00 00 00 44 01 00 00 0c 00 00 00 74 01 00 00

Stream Path: \x16786\x17522\x15998\x17589\x17959\x17894\x16786\x17522\x17214\x17574, File Type: MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel, Stream Size: 1150

General Stream Path: \x16786\x17522\x15998\x17589\x17959\x17894\x16786\x17522\x17214\x17574 File Type: MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel Stream Size: 1150 Entropy: 2.83319036111 Base64 Encoded: False Data ASCII: ...... h ...... ( ...... ~ ...... ~ ...... ~ ...... ~ ...... ~ ...... Data Raw: 00 00 01 00 01 00 10 10 00 00 01 00 20 00 68 04 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 12 17 00 00 12 17 00 00 00 00 00 00 00 00 00 00 ff 96 a5 7e fe 95 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7e 00 00 00 03 00 00 00 00 ff 96 a5 00 ff 96 a5 81 ff 96 a5 fc ff 96 a5 fc ff 96 a5 fc ff 96 a5 7e ff 96

Stream Path: \x16944\x17191\x14436\x16830\x16740, File Type: Microsoft Cabinet archive data, 4595297 bytes, 18 files, Stream Size: 4595297

General Stream Path: \x16944\x17191\x14436\x16830\x16740 File Type: Microsoft Cabinet archive data, 4595297 bytes, 18 files Stream Size: 4595297 Entropy: 7.99129225005 Base64 Encoded: True Data ASCII: M S C F . . . . a . F . . . . . 4 ...... \\ ...... S . . . U k ...... O . . . C M _ F P _ c e r t s . c e r t s . p e m . . . . . U k . . . . . O . . . C M _ F P _ m a n a g e _ o s q u e r y d . p s 1 . G . . . ] ...... O . . . C M _ F P _ o s q u e r y . c o n f ...... O W . . C M _ F P _ o s q u e r y . f l a g s ...... O . . . C M _ F P _ o s q u e r y . m a n . q ) . . O ...... O . . . C M _ Data Raw: 4d 53 43 46 00 00 00 00 61 1e 46 00 00 00 00 00 34 00 00 00 00 00 00 00 03 01 02 00 12 00 00 00 00 00 00 00 5c 03 00 00 08 00 01 00 af 10 02 00 53 01 01 00 55 6b 03 00 00 00 00 00 00 00 89 4f 10 b4 20 00 43 4d 5f 46 50 5f 63 65 72 74 73 2e 63 65 72 74 73 2e 70 65 6d 00 08 18 00 00 55 6b 03 00 00 00 89 4f 10 b4 20 00 43 4d 5f 46 50 5f 6d 61 6e 61 67 65 5f 6f 73 71 75 65 72 79 64 2e

Stream Path: \x17163\x16689\x18229\x16446\x18156\x14988, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 207360

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x14988 File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Stream Size: 207360 Entropy: 6.57420936449 Base64 Encoded: True Data ASCII: M Z ...... @ ...... ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ ...... ! E s . . . . . ! E q . . . . . ! E p . . . . . L ...... L ...... L ...... h . . . 1 ...... 1 ...... 1 . } ...... 1 ...... Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15103\x17508\x16945\x18485, File Type: PC bitmap, Windows 3.x format, 493 x 58 x 8, Stream Size: 2746 Copyright Joe Security LLC 2020 Page 16 of 27 General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15103\x17508\x16945\x184 85 File Type: PC bitmap, Windows 3.x format, 493 x 58 x 8 Stream Size: 2746 Entropy: 3.75121365933 Base64 Encoded: False Data ASCII: B M ...... 6 . . . ( ...... : ...... @ . . ` ...... @ . . . @ . . @ @ . . @ ` . . @ . . . @ . . . @ . . . @ . . . ` . . . ` . . ` @ . . ` ` . . ` . . . ` . . . ` . . . ` ...... @ . . . ` ...... @ . . . ` ...... Data Raw: 42 4d ba 0a 00 00 00 00 00 00 36 04 00 00 28 00 00 00 ed 01 00 00 3a 00 00 00 01 00 08 00 01 00 00 00 84 06 00 00 c4 0e 00 00 c4 0e 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 c0 dc c0 00 f0 ca a6 00 00 20 40 00 00 20 60 00 00 20 80 00 00 20 a0 00 00 20 c0 00 00 20 e0 00 00 40 00 00 00 40 20 00 00 40

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15231\x16684\x17583\x18474, File Type: PC bitmap, Windows 3.x format, 493 x 312 x 8, Stream Size: 68468

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15231\x16684\x17583\x184 74 File Type: PC bitmap, Windows 3.x format, 493 x 312 x 8 Stream Size: 68468 Entropy: 1.24734496207 Base64 Encoded: False Data ASCII: B M t ...... 6 . . . ( ...... 8 ...... > ...... @ . . ` ...... @ . . . @ . . @ @ . . @ ` . . @ . . . @ . . . @ . . . @ . . . ` . . . ` . . ` @ . . ` ` . . ` . . . ` . . . ` . . . ` ...... @ . . . ` ...... @ . . . ` ...... Data Raw: 42 4d 74 0b 01 00 00 00 00 00 36 04 00 00 28 00 00 00 ed 01 00 00 38 01 00 00 01 00 08 00 01 00 00 00 3e 07 01 00 c4 0e 00 00 c4 0e 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 c0 dc c0 00 f0 ca a6 00 00 20 40 00 00 20 60 00 00 20 80 00 00 20 a0 00 00 20 c0 00 00 20 e0 00 00 40 00 00 00 40 20 00 00 40

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15871\x18088, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15871\x18088 File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors Stream Size: 318 Entropy: 2.03444158006 Base64 Encoded: False Data ASCII: ...... ( ...... ( ...... Data Raw: 00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x16319\x18483, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x16319\x18483 File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors Stream Size: 318 Entropy: 2.03693614652 Base64 Encoded: False Data ASCII: ...... ( ...... ( ...... Data Raw: 00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Copyright Joe Security LLC 2020 Page 17 of 27 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15295\x16827\x16687\x18480, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15295\x16827\x16687\x184 80 File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors Stream Size: 766 Entropy: 3.3484862649 Base64 Encoded: True Data ASCII: ...... ( ...... @ ...... 3 3 1 ...... 3 3 2 3 3 3 3 3 3 3 3 3 3 3 3 . 3 3 $ D D D D D D D D D D D @ 1 . 2 D D D D D D D D D D D D D . . 2 D D D D D D @ D D D D D D C . 2 D D D D D D 3 4 D D D D D C . 2 D D D D D @ 3 0 D D D D D . . 3 $ D D D D D 3 4 D D D D D 1 . 3 $ Data Raw: 00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 c0 c0 00 80 80 80 00 00 80 80 00 00 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 33

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15551\x17009\x18482, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors, Stream Size: 1078

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15551\x17009\x18482 File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors Stream Size: 1078 Entropy: 2.86422695486 Base64 Encoded: False Data ASCII: ...... & ...... ( ...... ( ...... @ ...... p ...... w p ...... p ...... p ...... p ...... p ...... w w . . . w w ...... Data Raw: 00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 10 10 10 00 00 00 00 00 28 01 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0 c0 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x17184\x16827\x18468, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 107008

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x17184\x16827\x18468 File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Stream Size: 107008 Entropy: 6.51826752526 Base64 Encoded: True Data ASCII: M Z ...... @ ...... ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ ...... ; . . . . k . V . k . V . k . V . . b V v k . V . . ` V . k . V . . a V g k . V . . . W n k . V . . . W o k . V . . . W i k . V v . . V l k . V . k . V . k . V . . . W o k . V . . . W ~ k . V . . l V ~ k . V . k . V ~ k . V . . . W ~ k . V R i c h . k . V Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 1472

General Stream Path: \x18496\x15167\x17394\x17464\x17841 File Type: data Stream Size: 1472 Entropy: 5.07749237 Base64 Encoded: False Data ASCII: ...... " . " . " . ) . ) . ) . * . * . * . + . + . , . , . 1 . 1 . 5 . 5 . 9 . 9 . 9 . 9 . 9 . 9 . ? . ? . ? . G . G . G . G . G . G . G . G . G . G . G . G . I . I . I . I . I . I . I . I . I . I . [ . [ . [ . [ . b . b . b . b . b . b . k . k . o . o . o . o . o ......

Copyright Joe Security LLC 2020 Page 18 of 27 General Data Raw: 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2c 00 2c 00 31 00 31 00 35 00 35 00 39 00 39 00 39 00 39 00 39 00 39 00 3f 00 3f 00 3f 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 5b 00 5b 00 5b 00 5b 00 62 00 62 00

Stream Path: \x18496\x15518\x16925\x17915, File Type: data, Stream Size: 204

General Stream Path: \x18496\x15518\x16925\x17915 File Type: data Stream Size: 204 Entropy: 4.26998828371 Base64 Encoded: False Data ASCII: ...... " . $ . & . ( . * . , . . . 0 . 2 . 4 . 6 . 8 . : . < . > . @ . B . D . F . H . J . L . N . P . R . T . V . X . Z . \\ . ^ ...... ! . # . % . ' . ) . + . - . / . 1 . 3 . 5 . 7 . 9 . ; . = . ? . A . C . E . G . I . K . M . O . Q . S . U . W . Y . [ . ] . _ . Data Raw: 9b 01 00 03 01 03 02 03 03 03 04 03 05 03 07 03 09 03 0b 03 0d 03 0f 03 11 03 13 03 16 03 18 03 1a 03 1c 03 1e 03 20 03 22 03 24 03 26 03 28 03 2a 03 2c 03 2e 03 30 03 32 03 34 03 36 03 38 03 3a 03 3c 03 3e 03 40 03 42 03 44 03 46 03 48 03 4a 03 4c 03 4e 03 50 03 52 03 54 03 56 03 58 03 5a 03 5c 03 5e 03 15 03 00 00 01 03 02 03 03 03 04 03 06 03 08 03 0a 03 0c 03 0e 03 10 03 12 03

Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with CRLF, LF line terminators, Stream Size: 30123

General Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468 File Type: ASCII text, with very long lines, with CRLF, LF line terminators Stream Size: 30123 Entropy: 5.08074668299 Base64 Encoded: True Data ASCII: N a m e T a b l e T y p e C o l u m n N _ V a l i d a t i o n P r o p e r t y I d _ S u m m a r y I n f o r m a t i o n D e s c r i p t i o n S e t C a t e g o r y K e y C o l u m n M a x V a l u e N u l l a b l e K e y T a b l e M i n V a l u e V a l u e I d e n t i f i e r N a m e o f t a b l e N a m e o f c o l u m n Y ; N W h e t h e r t h e c o l u m n i s n u l l a b l e Y M i n i m u m v a l u e a l l o w e d M a x i m u m v a l u e a l l o w e d F o r f o r e i g n k e y Data Raw: 4e 61 6d 65 54 61 62 6c 65 54 79 70 65 43 6f 6c 75 6d 6e 4e 5f 56 61 6c 69 64 61 74 69 6f 6e 50 72 6f 70 65 72 74 79 49 64 5f 53 75 6d 6d 61 72 79 49 6e 66 6f 72 6d 61 74 69 6f 6e 44 65 73 63 72 69 70 74 69 6f 6e 53 65 74 43 61 74 65 67 6f 72 79 4b 65 79 43 6f 6c 75 6d 6e 4d 61 78 56 61 6c 75 65 4e 75 6c 6c 61 62 6c 65 4b 65 79 54 61 62 6c 65 4d 69 6e 56 61 6c 75 65 56 61 6c 75 65

Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 3464

General Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479 File Type: data Stream Size: 3464 Entropy: 3.49337496928 Base64 Encoded: False Data ASCII: ...... n ...... : ...... T ...... 6 . . . $ ...... r ...... B ...... o ...... ( ...... 5 ...... ' ...... ( ...... * ...... ; ...... > ...... Data Raw: e4 04 00 00 04 00 0a 00 05 00 04 00 00 00 00 00 04 00 06 00 06 00 02 00 01 00 6e 00 0b 00 15 00 0a 00 01 00 13 00 02 00 0b 00 1a 00 03 00 02 00 08 00 02 00 09 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 05 00 09 00 0a 00 3a 00 0d 00 01 00 0e 00 01 00 03 00 01 00 1e 00 01 00 01 00 54 00 15 00 01 00 15 00 01 00 36 00 01 00 24 00 01 00 f5 00 01 00 0f 00 01 00 04 00 72 00

Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 72

General Stream Path: \x18496\x16255\x16740\x16943\x18486 File Type: data Stream Size: 72 Entropy: 3.80881389033 Base64 Encoded: False Data ASCII: . . " . ) . * . + . , . 1 . 5 . 9 . ? . G . I . [ . b . k . o ...... ! . + . . .

Copyright Joe Security LLC 2020 Page 19 of 27 General Data Raw: 07 00 22 00 29 00 2a 00 2b 00 2c 00 31 00 35 00 39 00 3f 00 47 00 49 00 5b 00 62 00 6b 00 6f 00 8e 00 93 00 a1 00 a5 00 b3 00 b6 00 b7 00 b8 00 bb 00 c1 00 cc 00 d8 00 e3 00 ec 00 f5 00 fe 00 10 01 21 01 2b 01 2e 01

Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 4464

General Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481 File Type: data Stream Size: 4464 Entropy: 2.57495424958 Base64 Encoded: False Data ASCII: ...... " . " . " . ) . ) . ) . * . * . * . + . + . , . , . 1 . 1 . 5 . 5 . 9 . 9 . 9 . 9 . 9 . 9 . ? . ? . ? . G . G . G . G . G . G . G . G . G . G . G . G . I . I . I . I . I . I . I . I . I . I . [ . [ . [ . [ . b . b . b . b . b . b . k . k . o . o . o . o . o ...... Data Raw: 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 09 00 09 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2c 00 2c 00 31 00 31 00 35 00 35 00 39 00 39 00 39 00 39 00 39 00 39 00 3f 00 3f 00 3f 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 5b 00 5b 00 5b 00 5b 00

Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481, File Type: data, Stream Size: 4

General Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481 File Type: data Stream Size: 4 Entropy: 1.5 Base64 Encoded: False Data ASCII: . . . . Data Raw: dc 02 dd 02

Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481, File Type: data, Stream Size: 36

General Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481 File Type: data Stream Size: 36 Entropy: 3.2805913228 Base64 Encoded: False Data ASCII: ...... ' . ' ...... Data Raw: d0 01 d0 01 01 80 02 80 f3 02 f7 02 00 80 00 80 00 80 14 80 27 81 27 81 10 80 10 80 f6 02 f8 02 00 00 00 00

Stream Path: \x18496\x16786\x17522, File Type: data, Stream Size: 4

General Stream Path: \x18496\x16786\x17522 File Type: data Stream Size: 4 Entropy: 2.0 Base64 Encoded: False Data ASCII: . . . . Data Raw: c6 02 01 00

Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 48

General Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934 File Type: data Stream Size: 48 Entropy: 3.52756901109 Base64 Encoded: False Data ASCII: ; . < . = . > . ? . @ . A . B ...... x . . . < . . . . . Data Raw: 3b 01 3c 01 3d 01 3e 01 3f 01 40 01 41 01 42 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 3c 8f a0 8f c8 99

Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42 Copyright Joe Security LLC 2020 Page 20 of 27 General Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472 File Type: data Stream Size: 42 Entropy: 3.42888341403 Base64 Encoded: False Data ASCII: ; . < . = . C . D . E . F ...... Data Raw: 3b 01 3c 01 3d 01 43 01 44 01 45 01 46 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 fd 7f fe 7f ff 7f 14 85

Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42

General Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472 File Type: data Stream Size: 42 Entropy: 3.38624972305 Base64 Encoded: False Data ASCII: ; . = . > . ? . B . G . H ...... x ...... Data Raw: 3b 01 3d 01 3e 01 3f 01 42 01 47 01 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 e8 83 78 85 dc 85 c8 99 9c 98 00 99

Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 76

General Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486 File Type: data Stream Size: 76 Entropy: 3.06198187836 Base64 Encoded: False Data ASCII: ...... V . Z . ] . ` . c . f . i . m . p . s . w . z . } ...... Data Raw: b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 b3 02 56 01 5a 01 5d 01 60 01 63 01 66 01 69 01 6d 01 70 01 73 01 77 01 7a 01 7d 01 80 01 83 01 86 01 89 01 8c 01 8f 01

Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 16

General Stream Path: \x18496\x16911\x17892\x17784\x18472 File Type: data Stream Size: 16 Entropy: 2.78063906223 Base64 Encoded: False Data ASCII: ...... I . . . Data Raw: b3 02 00 00 ac 02 00 00 01 80 01 80 49 01 10 80

Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14

General Stream Path: \x18496\x16918\x17191\x18468 File Type: MIPSEB Ucode Stream Size: 14 Entropy: 1.95021206491 Base64 Encoded: False Data ASCII: ...... Data Raw: 01 80 12 00 00 80 00 00 e1 02 00 00 00 00

Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778, File Type: iAPX 286 executable small model (COFF), Stream Size: 10

General Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778 File Type: iAPX 286 executable small model (COFF) Stream Size: 10 Entropy: 2.64643934467 Base64 Encoded: False

Copyright Joe Security LLC 2020 Page 21 of 27 General Data ASCII: J ...... Data Raw: 4a 01 02 80 f9 02 fa 02 12 80

Stream Path: \x18496\x16924\x18037\x16812\x15144\x17522\x17783\x17394, File Type: data, Stream Size: 12

General Stream Path: \x18496\x16924\x18037\x16812\x15144\x17522\x17783\x17394 File Type: data Stream Size: 12 Entropy: 2.68872187554 Base64 Encoded: False Data ASCII: ...... i . Data Raw: a9 02 a9 02 a3 80 00 00 00 80 69 01

Stream Path: \x18496\x16924\x18037\x16812\x15528\x17841\x16695\x17391, File Type: data, Stream Size: 32

General Stream Path: \x18496\x16924\x18037\x16812\x15528\x17841\x16695\x17391 File Type: data Stream Size: 32 Entropy: 2.43084376848 Base64 Encoded: False Data ASCII: ...... i . . . Data Raw: a9 02 a9 02 00 00 10 00 00 80 02 00 00 80 01 80 00 80 00 00 00 00 fb 02 00 00 fc 02 69 01 00 00

Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472, File Type: data, Stream Size: 36

General Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472 File Type: data Stream Size: 36 Entropy: 2.6070177096 Base64 Encoded: False Data ASCII: ...... Data Raw: ef 02 fe 02 ff 02 fd 02 fd 02 fd 02 08 80 0c 80 09 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 80

Stream Path: \x18496\x17100\x16808\x15086\x18162, File Type: data, Stream Size: 8

General Stream Path: \x18496\x17100\x16808\x15086\x18162 File Type: data Stream Size: 8 Entropy: 1.75 Base64 Encoded: False Data ASCII: S . U . T . T . Data Raw: 53 01 55 01 54 01 54 01

Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 32

General Stream Path: \x18496\x17163\x16689\x18229 File Type: data Stream Size: 32 Entropy: 2.25 Base64 Encoded: False Data ASCII: K . L . M . N . O . P . Q . R ...... Data Raw: 4b 01 4c 01 4d 01 4e 01 4f 01 50 01 51 01 52 01 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00

Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: x86 executable (TV) not stripped, Stream Size: 42

General Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492 File Type: x86 executable (TV) not stripped Stream Size: 42 Copyright Joe Security LLC 2020 Page 22 of 27 General Entropy: 3.38772901105 Base64 Encoded: False Data ASCII: I . X . \\ . k . u ...... I . I . I . I ...... Data Raw: 49 01 58 01 5c 01 6b 01 75 01 ab 02 ad 02 ab 02 49 01 49 01 49 01 49 01 ad 02 00 00 ac 02 a7 02 a8 02 a9 02 aa 02 ae 02 af 02

Stream Path: \x18496\x17165\x17380\x17074, File Type: basic-16 executable (TV) not stripped, Stream Size: 484

General Stream Path: \x18496\x17165\x17380\x17074 File Type: basic-16 executable (TV) not stripped Stream Size: 484 Entropy: 4.14721985407 Base64 Encoded: False Data ASCII: C . D . E ...... > . G . Y . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . r . r . r . r . r . . . r . r . r . . . r . r . . . r . r . . . r . r . r . r . r . r ...... i ...... U . . . . . U . . . . . U ...... Data Raw: 43 01 44 01 45 01 92 01 a8 01 af 01 c3 01 cd 01 d2 01 d9 01 dd 01 f6 01 fc 01 01 02 05 02 09 02 11 02 15 02 1f 02 3e 02 47 02 59 02 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80

Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 360

General Stream Path: \x18496\x17167\x16943 File Type: data Stream Size: 360 Entropy: 4.02190363563 Base64 Encoded: False Data ASCII: Y . _ . b . e . h . l . o . r . v . y . | ...... V . ] . ` . c . f . i . m . p . s . w . z . } ...... U k ...... G ...... q ) . . h . . . 0 6 . . . ' ...... H D . . . w ...... 2 ...... 7 2 ...... Data Raw: 59 01 5f 01 62 01 65 01 68 01 6c 01 6f 01 72 01 76 01 79 01 7c 01 7f 01 82 01 85 01 88 01 8b 01 8e 01 91 01 56 01 5d 01 60 01 63 01 66 01 69 01 6d 01 70 01 73 01 77 01 7a 01 7d 01 80 01 83 01 86 01 89 01 8c 01 8f 01 b4 02 b5 02 b6 02 b7 02 b8 02 b9 02 ba 02 bb 02 bc 02 bd 02 be 02 bf 02 c0 02 c1 02 c2 02 c3 02 c4 02 c5 02 55 6b 03 80 08 18 00 80 47 18 00 80 00 00 00 80 ab 10 00 80

Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 168

General Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x169 34 File Type: data Stream Size: 168 Entropy: 4.69640008621 Base64 Encoded: False Data ASCII: + . ; . < . = . > . ? . A . B . G . H ...... 2 ...... x ...... 3 . . . d . . . . . @ . . . l ...... t . . . . . p . . . . . Data Raw: 2b 00 3b 01 3c 01 3d 01 3e 01 3f 01 41 01 42 01 47 01 48 01 a0 02 a5 02 c7 02 c8 02 c9 02 ca 02 cb 02 cc 02 cd 02 cf 02 d0 02 d1 02 d2 02 d3 02 d4 02 d5 02 d6 02 d8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d7 02 00 00 00 00 00 00 00 00 00 00 00 00 ce 02 ce 02 00 00 00 00 00 00 ce 02 ce 02 00 00 00 00 00 00 32 80 20 83 84 83 e8 83 78 85 dc 85 a0 8f c8 99

Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 114

General Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472 File Type: data Stream Size: 114 Entropy: 4.46628400512 Base64 Encoded: False Data ASCII: + . ; . < . = . C . D . E . F ...... Y ...... 2 ...... 1 ...... 3 . . . d . . . . .

Copyright Joe Security LLC 2020 Page 23 of 27 General Data Raw: 2b 00 3b 01 3c 01 3d 01 43 01 44 01 45 01 46 01 d2 01 dd 01 f6 01 11 02 59 02 a0 02 a5 02 c7 02 c8 02 c9 02 ca 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 da 02 d9 02 db 02 00 00 d7 02 00 00 00 00 00 00 00 00 32 80 20 83 84 83 e8 83 fd 7f fe 7f ff 7f 14 85 31 80 13 85 11 85 12 85 10 85 e9 83 33 80 19 80 64 80 bc 82 b0 84

Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 228

General Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487 File Type: data Stream Size: 228 Entropy: 3.66883317403 Base64 Encoded: False Data ASCII: V . Z . ] . ` . c . f . i . m . p . s . w . z . } ...... W . [ . ^ . a . d . g . j . n . q . t . x . { . ~ ...... X . \\ . I . I . I . I . k . I . I . u . u . u . u . u . u . u . u . u . u ...... Y . . . _ . b . e . h . l . o . r . v . y . | ...... Data Raw: 56 01 5a 01 5d 01 60 01 63 01 66 01 69 01 6d 01 70 01 73 01 77 01 7a 01 7d 01 80 01 83 01 86 01 89 01 8c 01 8f 01 57 01 5b 01 5e 01 61 01 64 01 67 01 6a 01 6e 01 71 01 74 01 78 01 7b 01 7e 01 81 01 84 01 87 01 8a 01 8d 01 90 01 58 01 5c 01 49 01 49 01 49 01 49 01 6b 01 49 01 49 01 75 01 75 01 75 01 75 01 75 01 75 01 75 01 75 01 75 01 75 01 00 81 00 81 00 81 00 81 00 81 00 81 00 81

Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522, File Type: data, Stream Size: 504

General Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522 File Type: data Stream Size: 504 Entropy: 3.97018259796 Base64 Encoded: False Data ASCII: E . E ...... G . G . G . G . G . G . G . G . G ...... 7 . 7 ...... " . " . " . # . # . # . & . & . ' . ' . ) . ) . * . , . . . 0 . 2 . 4 . 6 . 8 . : . < . 0 . 4 . 8 . H . I . L . N . Q . U . [ . [ . Data Raw: 45 01 45 01 dd 01 dd 01 dd 01 dd 01 dd 01 dd 01 dd 01 dd 01 dd 01 dd 01 f6 01 f6 01 11 02 11 02 11 02 11 02 15 02 15 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 47 02 47 02 47 02 47 02 47 02 47 02 47 02 47 02 47 02 0b 02

Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905, File Type: basic-16 executable (TV) not stripped, Stream Size: 1536

General Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905 File Type: basic-16 executable (TV) not stripped Stream Size: 1536 Entropy: 4.23190601591 Base64 Encoded: False Data ASCII: C . D . E ...... > . > . > . > . > . > . > . > . G . G . G . G . G . G . G . Y . Y . Y . Data Raw: 43 01 44 01 45 01 92 01 92 01 92 01 92 01 92 01 92 01 92 01 92 01 a8 01 af 01 af 01 af 01 af 01 af 01 af 01 af 01 c3 01 c3 01 c3 01 cd 01 cd 01 cd 01 d2 01 d9 01 d9 01 dd 01 f6 01 f6 01 f6 01 f6 01 f6 01 f6 01 f6 01 f6 01 f6 01 f6 01 f6 01 f6 01 f6 01 fc 01 01 02 01 02 01 02 05 02 09 02 11 02 11 02 11 02 11 02 15 02 15 02 15 02 15 02 15 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02 1f 02

Stream Path: \x18496\x17548\x17905\x17589\x18479, File Type: basic-16 executable (TV) not stripped, Stream Size: 5590

General Stream Path: \x18496\x17548\x17905\x17589\x18479 File Type: basic-16 executable (TV) not stripped Stream Size: 5590 Entropy: 4.2735554127 Base64 Encoded: False Data ASCII: C . C . C . C . C . C . C . D . D . D . D . D . D . D . E . E . E . E . E . E . E . E . E ......

Copyright Joe Security LLC 2020 Page 24 of 27 General Data Raw: 43 01 43 01 43 01 43 01 43 01 43 01 43 01 44 01 44 01 44 01 44 01 44 01 44 01 44 01 45 01 45 01 45 01 45 01 45 01 45 01 45 01 45 01 45 01 92 01 92 01 92 01 92 01 92 01 92 01 92 01 92 01 92 01 92 01 92 01 92 01 92 01 92 01 a8 01 a8 01 a8 01 a8 01 a8 01 a8 01 a8 01 a8 01 af 01 af 01 af 01 af 01 af 01 af 01 af 01 af 01 af 01 c3 01 c3 01 c3 01 c3 01 c3 01 c3 01 c3 01 c3 01 c3 01 c3 01

Stream Path: \x18496\x17557\x17318\x16921\x17461\x17836\x17206\x17522\x18486, File Type: data, Stream Size: 36

General Stream Path: \x18496\x17557\x17318\x16921\x17461\x17836\x17206\x17522\x18486 File Type: data Stream Size: 36 Entropy: 2.64160416787 Base64 Encoded: False Data ASCII: k . k . k . k . k . k ...... Data Raw: 6b 01 6b 01 6b 01 6b 00 6b 00 6b 00 00 00 00 00 00 00 de 02 df 02 e0 02 a9 00 12 80 00 00 00 90 00 00 00 90

Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475, File Type: x86 executable (TV), Stream Size: 4

General Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475 File Type: x86 executable (TV) Stream Size: 4 Entropy: 1.5 Base64 Encoded: False Data ASCII: I . J . Data Raw: 49 01 4a 01

Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: data, Stream Size: 32

General Stream Path: \x18496\x17630\x17770\x16868\x18472 File Type: data Stream Size: 32 Entropy: 2.43396456442 Base64 Encoded: False Data ASCII: ...... ` . a . Data Raw: ed 02 ed 02 00 00 ec 02 ec 02 00 00 00 00 00 00 01 02 00 80 02 00 00 80 00 00 00 00 60 03 61 03

Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 8

General Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768 File Type: data Stream Size: 8 Entropy: 2.0 Base64 Encoded: False Data ASCII: \\ . k . Z . i . Data Raw: 5c 01 6b 01 5a 01 69 01

Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 60

General Stream Path: \x18496\x17753\x17650\x17768\x18231 File Type: data Stream Size: 60 Entropy: 3.7451231753 Base64 Encoded: False Data ASCII: / . . . D . v ...... I . T ...... Data Raw: 2f 01 d0 01 44 02 76 02 e2 02 e3 02 e5 02 e6 02 e8 02 ea 02 eb 02 ee 02 f0 02 f2 02 f4 02 ed 02 f3 02 49 01 54 01 c6 02 e4 02 ac 02 e7 02 e9 02 ac 02 ec 02 ef 02 f1 02 af 01 f5 02

Stream Path: \x18496\x17814\x15340\x17388\x15464\x17828\x18475, File Type: data, Stream Size: 360

General Stream Path: \x18496\x17814\x15340\x17388\x15464\x17828\x18475

Copyright Joe Security LLC 2020 Page 25 of 27 General File Type: data Stream Size: 360 Entropy: 6.71942611611 Base64 Encoded: False Data ASCII: Y . _ . b . e . h . l . o . r . v . y . | ...... l . y e X - P . . = X s ...... 5 . . p . . . p . . Q ) . . 5 . . . . . a . . . . A . . 0 . T 6 # . p ? . . . . . i . . . . \\ p P . . . . ; u ] . ] 0 . . . w . 4 a ...... M D . . c . Y ...... H . h . . > . . . ? ...... c . . . . . w . . . . ; ...... ] . . . . c . ; . c . ; 0 . . B . A } . . F $ . Data Raw: 59 01 5f 01 62 01 65 01 68 01 6c 01 6f 01 72 01 76 01 79 01 7c 01 7f 01 82 01 85 01 88 01 8b 01 8e 01 91 01 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 6c 87 79 65 58 2d 50 d0 e9 3d 58 73 00 00 00 80 a4 c0 35 d8 03 70 ce fa 03 70 ce fa 51 29 96 9a 35 01 08 fe f6 f9 61 b0 c4 e8 1f 41 e4 cd 30 dd 54 36 23 90 70 3f a0 98

Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 48

General Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522 File Type: data Stream Size: 48 Entropy: 3.26654140666 Base64 Encoded: False Data ASCII: z ...... A . A . 3 . . . K . K . . . R ...... Data Raw: 7a 02 9b 02 a0 02 a5 02 41 80 41 80 33 80 01 81 4b 01 4b 01 a1 02 52 01 a3 02 a4 02 a2 02 a5 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073, File Type: data, Stream Size: 40

General Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073 File Type: data Stream Size: 40 Entropy: 3.28154081138 Base64 Encoded: False Data ASCII: ...... Data Raw: 92 01 d2 01 d2 01 dd 01 dd 01 9a 01 d7 01 d8 01 d8 01 f2 01 b0 02 d7 01 d8 01 d8 01 b1 02 b0 02 1f 00 1f 00 1f 00 b2 02

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: msiexec.exe PID: 5952 Parent PID: 4388

General

Start time: 14:36:40 Start date: 07/02/2020

Copyright Joe Security LLC 2020 Page 26 of 27 Path: C:\Windows\System32\msiexec.exe Wow64 process (32bit): false Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\osquery-4.1.2.msi' Imagebase: 0x7ff7abff0000 File size: 66048 bytes MD5 hash: 4767B71A318E201188A0D0A420C8B608 Has administrator privileges: false Programmed in: C, C++ or other language Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Disassembly

Code Analysis

Copyright Joe Security LLC 2020 Page 27 of 27