
ID: 228573
Sample Name: KeePassXC-2.5.4-Win64.msi
Cookbook: default.jbs
Time: 13:23:43
Date: 08/05/2020
Version: 28.0.0 Lapis Lazuli


Copyright Joe Security LLC 2020

Analysis Report KeePassXC-2.5.4-Win64.msi

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 228573
Start date: 08.05.2020
Start time: 13:23:43
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 9s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: KeePassXC-2.5.4-Win64.msi
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winMSI@11/5@0/0
EGA Information: Successful, ratio: 50%
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .msi
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 2 0 - 100 false

Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 2 0 - 5 true

Classification Spiderchart

[Figure: classification spider chart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Rings: malicious, suspicious, clean.]

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Privilege Credential Lateral Command Network Initial Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Effects Replication Windows Winlogon Process Masquerading 1 Credential System Time Replication Data from Data Data Eavesdrop on Through Management Helper DLL Injection 1 2 Dumping Discovery 1 Through Local Compressed Obfuscation Insecure Removable Instrumentation 1 Removable System Network Media 1 Media 1 Communication Replication Command-Line Port Accessibility Disabling Security Network Virtualization/Sandbox Remote Data from Exfiltration Fallback Exploit SS7 to Through Interface 2 Monitors Features Tools 1 Sniffing Evasion 1 Services Removable Over Other Channels Redirect Phone Removable Media Network Calls/SMS Media Medium External Graphical User Accessibility Path Virtualization/Sandbox Input Capture Process Discovery 1 Windows Data from Automated Custom Exploit SS7 to Remote Interface 2 Features Interception Evasion 1 Remote Network Exfiltration Cryptographic Track Device Services Management Shared Protocol Location Drive Drive-by Scheduled Task System DLL Search Process Credentials in Peripheral Device Logon Input Data Multiband SIM Card Compromise Firmware Order Injection 1 2 Files Discovery 1 1 Scripts Capture Encrypted Communication Swap Hijacking Exploit Public- Command-Line Shortcut DLL Side-Loading 1 Account Security Software Shared Data Scheduled Standard Manipulate Facing Interface Modification Permissions Manipulation Discovery 1 1 Webroot Staged Transfer Cryptographic Device Application Weakness Protocol Communication

Spearphishing Graphical User Modify New Service DLL Search Order Brute Force File and Directory Third-party Screen Data Commonly Jamming or Link Interface Existing Hijacking Discovery 1 Software Capture Transfer Used Port Denial of Service Size Limits Service Spearphishing Scripting Path Scheduled Software Packing Two-Factor System Information the Email Exfiltration Uncommonly Rogue Wi-Fi Attachment Interception Task Authentication Discovery 2 6 Hash Collection Over Used Port Access Points Interception Command and Control Channel

Signature Overview

• Spreading
• Networking
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection


Spreading:

Checks for available system drives (often done to infect USB drives)

Networking:

Urls found in memory or binary data

System Summary:

Tries to load missing DLLs

Classification label

Creates files inside the user directory

Creates mutexes

Creates temporary files

Queries process information (via WMI, Win32_Process)

Reads ini files

Reads software policies

Sample is a Windows installer

Sample might require command line arguments

Spawns processes

Uses an in-process (OLE) Automation server

Found GUI installer (many successful clicks)

Found graphical window changes (likely an installer)

PE / OLE file has a valid certificate

Submission file is bigger than most known malware samples

Binary contains paths to debug symbols

Persistence and Installation Behavior:

Drops PE files

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Queries disk information (often used to detect virtual machines)

Checks the free space of harddrives

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Queries a list of all running drivers

Anti Debugging:

Enables debug privileges

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Uses taskkill to terminate processes

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Contains functionality to query local / system time

Queries the cryptographic machine GUID

Malware Configuration

No configs have been found

Behavior Graph

[Figure: behavior graph. ID: 228573, Sample: KeePassXC-2.5.4-Win64.msi, Startdate: 08/05/2020, Architecture: WINDOWS, Score: 2. Process nodes: msiexec.exe (three instances), taskkill.exe (two instances), conhost.exe (two instances), KeePassXC.exe. Dropped files: C:\Users\user\AppData\Local\...\MSI7D16.tmp, PE32 and C:\Users\user\AppData\Local\...\MSI2C17.tmp, PE32. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.]

Simulations

Behavior and APIs

Time: 13:25:39
Type: API Interceptor
Description: 7x Sleep call for process: KeePassXC.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source Detection Scanner Label Link
KeePassXC-2.5.4-Win64.msi 0% Virustotal Browse
KeePassXC-2.5.4-Win64.msi 0% Metadefender Browse

Dropped Files

Source Detection Scanner Label Link
C:\Users\user\AppData\Local\Temp\MSI2C17.tmp 0% Virustotal Browse
C:\Users\user\AppData\Local\Temp\MSI2C17.tmp 0% Metadefender Browse
C:\Users\user\AppData\Local\Temp\MSI7D16.tmp 0% Virustotal Browse
C:\Users\user\AppData\Local\Temp\MSI7D16.tmp 0% Metadefender Browse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source Detection Scanner Label Link
ocsp.sectigo.com0 0% URL Reputation safe
https://...)) 0% Avira URL Cloud safe
purl.o 0% Avira URL Cloud safe
crl.sectigo.com/SectigoRSATimeStampingCA.crl0t 0% Virustotal Browse
crl.sectigo.com/SectigoRSATimeStampingCA.crl0t 0% URL Reputation safe
fontfabrik.com 0% Virustotal Browse
fontfabrik.com 0% URL Reputation safe
crt.sectigo.com/SectigoRSATimeStampingCA.crt0# 0% Virustotal Browse
crt.sectigo.com/SectigoRSATimeStampingCA.crt0# 0% URL Reputation safe
https://sectigo.com/CPS0D 0% Virustotal Browse
https://sectigo.com/CPS0D 0% URL Reputation safe
https://...)Only 0% Avira URL Cloud safe
https://%1security/IconDownloadFallbackhttps://icons.duckduckgo.com/ip3/.ico:///favicon.ico 0% Avira URL Cloud safe
https://...) 0% Avira URL Cloud safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
msiexec.exe (PID: 5148 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\KeePassXC-2.5.4-Win64.msi' MD5: 4767B71A318E201188A0D0A420C8B608)
msiexec.exe (PID: 5648 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DD284C049303FD5DD13157E426F8E503 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  KeePassXC.exe (PID: 3976 cmdline: 'C:\Program Files\KeePassXC\KeePassXC.exe' MD5: 7C1F760E9656B24F1C0783437AD43F28)
msiexec.exe (PID: 5908 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F6D9D2409E57572A5FF470B9E2327465 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  taskkill.exe (PID: 5952 cmdline: 'Taskkill' /IM KeePassXC.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
    conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  taskkill.exe (PID: 5324 cmdline: 'Taskkill' /IM -proxy.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
    conhost.exe (PID: 5172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\KeePassXC\keepassxc.ini.lock

Process: C:\Program Files\KeePassXC\KeePassXC.exe
File Type: ASCII text
Size (bytes): 53
Entropy (8bit): 4.223229776037643
Encrypted: false
MD5: 37240598438BB26ADEDB80F692976717
SHA1: BFA3EE0F336195ECDC8135A15C30C3982B338A97
SHA-256: 70C1DA2E8ED623BB734E35B0D64DACA644DBB0995BA53F907017948FB99D0D1C
SHA-512: DDCB0ACA58060C9EBAD5A5FDACCF7266B7DFE0961DB7D99572A0746017B412FEF12FAF12049CF8E386F8F0FDDDC519AB9B182E69C89C86F74C82A5F2E2135E22
Malicious: false
Reputation: low
Preview: 3976..user-PC.59407d34-c8c5-44df-a766-ba8a11cb1cb0..

C:\Users\user\AppData\Local\KeePassXC\keepassxc.ini.xCshPN

Process: C:\Program Files\KeePassXC\KeePassXC.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 56
Entropy (8bit): 4.539609949563124
Encrypted: false
MD5: 5D0715A99928902E1541C351E2917CDA
SHA1: ED91ABDD38868A82E7EEBB847B79D6C26848A94B
SHA-256: 312953EE287471CFE79F16546378ED21DCE4309EB7978EF6B7A0499262DBFB40
SHA-512: 5FC91506D7E4497756948A7419D0CBF1E1F929F9B7D92CA619CD00A26B98998A4FDBF113FEA0383410FF4B32651D6A48D9DD9823F58503565CCD9E290A0CB389
Malicious: false
Reputation: low
Preview: [General]..HideWindowOnCopy=false..MinimizeOnCopy=true..

C:\Users\user\AppData\Local\Temp\MSI2C17.tmp

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 116144
Entropy (8bit): 6.633672738599962
Encrypted: false
MD5: 4FDD16752561CF585FED1506914D73E0
SHA1: F00023B9AE3C8CE5B7BB92F25011EAEBE6F9D424
SHA-256: AECD2D2FE766F6D439ACC2BBF1346930ECC535012CF5AD7B3273D2875237B7E7
SHA-512: 3695E7EB1E35EC959243A91AB5B4454EB59AEEF0F2699AA5DE8E03DE8FBB89F756A89130526DA5C08815408CB700284A17936522AD2CAD594C3E6E9D18A3F600
Malicious: false
Antivirus: Virustotal, Detection: 0%, Browse
Antivirus: Metadefender, Detection: 0%, Browse
Reputation: low

C:\Users\user\AppData\Local\Temp\MSI7D16.tmp

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 216496
Entropy (8bit): 6.646208142644182
Encrypted: false
MD5: A3AE5D86ECF38DB9427359EA37A5F646
SHA1: EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
SHA-256: C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
SHA-512: 96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
Malicious: false
Antivirus: Virustotal, Detection: 0%, Browse
Antivirus: Metadefender, Detection: 0%, Browse
Reputation: low

C:\Users\user\AppData\Local\Temp\keepassxc-user.lock

Process: C:\Program Files\KeePassXC\KeePassXC.exe
File Type: ASCII text
Size (bytes): 62
Entropy (8bit): 4.466473230426756
Encrypted: false
MD5: 224AE010DD8EA9ECBD37F89399795C91
SHA1: 790CF1EE6D0E0773131720C2DB646F4D62951280
SHA-256: 33A9D78828E294FC9D1B7D2B8E6CE8F73E41714025EC41189A4AC4AFA4B0B2FE
SHA-512: 2DD9A64598FD5C8B4C1E80C7D18C515881E4C59F67152134E662EB7897650959390D98A00E5143BD12910B8FD080581D99ADCEB045E5967FF137E51D1F695C22
Malicious: false
Reputation: low
Preview: 3976.KeePassXC.user-PC.59407d34-c8c5-44df-a766-ba8a11cb1cb0..

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries


Contacted IPs

No contacted IP infos

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: KeePassXC, Author: KeePassXC Team, Keywords: Installer, Comments: This installer database contains the logic and data required to install KeePassXC., Template: x64;1033, Revision Number: {08A3E5D7-8EFC-4962-88F7-443F53682E54}, Create Time/Date: Thu Apr 9 19:35:38 2020, Last Saved Time/Date: Thu Apr 9 19:35:38 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Entropy (8bit): 7.984497938195521
TrID:
• Installer (77509/1) 63.77%
• ClickyMouse macro set (36024/1) 29.64%
• Generic OLE2 / Multistream Compound File (8008/1) 6.59%
File name: KeePassXC-2.5.4-Win64.msi
File size: 44453888
MD5: 5f02ca3fda3ad9828973bfc5d51dcd97
SHA1: 11ffdac69ed9e7316221c3dce0dc08361cdead45
SHA256: 01bf1b593efc4a9b92e0ca7148414f6d4f0e63521aefa64d1f8caa0327d35e91
SHA512: 43f77ffbc4e229af5849784633ff93e4859fddffdcbdf2bdcb377ae507b0073159eff9788ea8a892556f403952e6f0ebc8ce0a7a63a0b404af89b5aff90d3ef9
SSDEEP: 786432:HNVFLiy/upcNnb7RGNv7ekVJNemaevTRVBliQWfvEyVpWT9A:/WpcNXuI/6VBERvEyVpW
File Content Preview: ...... >...... $...(......

File Icon

Icon Hash: a2a0b496b2caca72

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 4/4/2017 5:00:00 PM
Not After: 4/5/2021 4:59:59 PM
Subject Chain: CN="DroidMonkey Apps, LLC", O="DroidMonkey Apps, LLC", STREET=3474 Raintree Circle, L=Suffolk, S=VA, PostalCode=23435, C=US
Version: 3
Thumbprint MD5: ED1A33F5134338C65AF8E28A8AA68C32
Thumbprint SHA-1: A30384736E7741F4257E33F5F41946AE77B7DDE7
Thumbprint SHA-256: D2A7305390DFE2398AAF608CB2CAFC240962443E9E55AD0DEF6429F75CCF9AA1
Serial: 5C75272D789D794EBD7C244552AE9D07

OLE File "KeePassXC-2.5.4-Win64.msi"

Indicators

Has Summary Info: True
Application Name: Windows Installer XML Toolset (3.11.2.4516)
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: False

Summary
Code Page: 1252
Title: Installation Database
Subject: KeePassXC
Author: KeePassXC Team
Keywords: Installer
Comments: This installer database contains the logic and data required to install KeePassXC.
Template: x64;1033
Revision Number: {08A3E5D7-8EFC-4962-88F7-443F53682E54}
Create Time: 2020-04-09 18:35:38
Last Saved Time: 2020-04-09 18:35:38
Number of Pages: 301
Number of Words: 2
Creating Application: Windows Installer XML Toolset (3.11.2.4516)
Security: 2

Streams

Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 8615

General Stream Path: \x5DigitalSignature File Type: data Stream Size: 8615 Entropy: 7.5038494213 Base64 Encoded: True

Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 32

General Stream Path: \x5MsiDigitalSignatureEx File Type: data Stream Size: 32 Entropy: 4.875 Base64 Encoded: False

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 532

General Stream Path: \x5SummaryInformation File Type: data Stream Size: 532 Entropy: 4.62527004079 Base64 Encoded: True

Stream Path: \x16786\x17522\x15998\x17589\x17959\x17894\x16786\x17522\x17214\x17574, File Type: MS Windows icon resource - 7 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel, Stream Size: 125408

General Stream Path: \x16786\x17522\x15998\x17589\x17959\x17894\x16786\x17522\x17214\x17574 File Type: MS Windows icon resource - 7 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel Stream Size: 125408 Entropy: 5.56019541347 Base64 Encoded: True

Stream Path: \x16944\x17191\x14436\x16830\x16740, File Type: Microsoft Cabinet archive data, 43194054 bytes, 363 files, Stream Size: 43194054

General Stream Path: \x16944\x17191\x14436\x16830\x16740 File Type: Microsoft Cabinet archive data, 43194054 bytes, 363 files Stream Size: 43194054 Entropy: 7.99678442529 Base64 Encoded: True

Stream Path: \x17163\x16689\x18229\x16446\x18156\x14988, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 216496

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x14988 File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Stream Size: 216496 Entropy: 6.64620814264 Base64 Encoded: True

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15103\x17508\x16945\x18485, File Type: PC bitmap, Windows 3.x format, 493 x 58 x 24, Stream Size: 85894

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15103\x17508\x16945\x18485 File Type: PC bitmap, Windows 3.x format, 493 x 58 x 24 Stream Size: 85894 Entropy: 0.685790981423 Base64 Encoded: False

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15231\x16684\x17583\x18474, File Type: PC bitmap, Windows 3.x format, 493 x 312 x 24, Stream Size: 461814

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15231\x16684\x17583\x18474 File Type: PC bitmap, Windows 3.x format, 493 x 312 x 24 Stream Size: 461814 Entropy: 2.8259775816 Base64 Encoded: True

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15871\x18088, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15871\x18088 File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors Stream Size: 318 Entropy: 2.03444158006 Base64 Encoded: False

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x16319\x18483, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x16319\x18483 File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors Stream Size: 318 Entropy: 2.03693614652 Base64 Encoded: False

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15295\x16827\x16687\x18480, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15295\x16827\x16687\x18480 File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors Stream Size: 766 Entropy: 3.3484862649 Base64 Encoded: True

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15551\x17009\x18482, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors, Stream Size: 1078

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15551\x17009\x18482 File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors Stream Size: 1078 Entropy: 2.86422695486 Base64 Encoded: False

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x17184\x16827\x18468, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 116144

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x17184\x16827\x18468 File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Stream Size: 116144 Entropy: 6.6336727386 Base64 Encoded: True

Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 1496

General Stream Path: \x18496\x15167\x17394\x17464\x17841 File Type: data Stream Size: 1496 Entropy: 5.08201055496 Base64 Encoded: False

Stream Path: \x18496\x15518\x16925\x17915, File Type: data, Stream Size: 204

General Stream Path: \x18496\x15518\x16925\x17915 File Type: data Stream Size: 204 Entropy: 4.72777941621 Base64 Encoded: False

Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with CRLF, LF line terminators, Stream Size: 106181

General Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468 File Type: ASCII text, with very long lines, with CRLF, LF line terminators Stream Size: 106181 Entropy: 5.42977905333 Base64 Encoded: True

Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 9488

General Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479 File Type: data Stream Size: 9488 Entropy: 3.3543109635 Base64 Encoded: False

Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 72

General Stream Path: \x18496\x16255\x16740\x16943\x18486 File Type: data Stream Size: 72 Entropy: 3.80881389033 Base64 Encoded: False

Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 4536

General Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481 File Type: data Stream Size: 4536 Entropy: 2.580401595 Base64 Encoded: False

Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481, File Type: ISO-8859 text, with no line terminators, with overstriking, Stream Size: 4

General Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481 File Type: ISO-8859 text, with no line terminators, with overstriking Stream Size: 4 Entropy: 1.5 Base64 Encoded: False

Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481, File Type: VAX-order 68k Blit mpx/mux executable, Stream Size: 36

General Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481 File Type: VAX-order 68k Blit mpx/mux executable Stream Size: 36 Entropy: 3.38085911376 Base64 Encoded: False

Stream Path: \x18496\x16786\x17522, File Type: Applesoft BASIC program data, first line number 1, Stream Size: 4

General Stream Path: \x18496\x16786\x17522 File Type: Applesoft BASIC program data, first line number 1 Stream Size: 4 Entropy: 2.0 Base64 Encoded: False

Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 48

General Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934 File Type: data Stream Size: 48 Entropy: 3.56923567776 Base64 Encoded: False

Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42

General Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472 File Type: data Stream Size: 42 Entropy: 3.42888341403 Base64 Encoded: False

Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 48

General Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472 File Type: data Stream Size: 48 Entropy: 3.51231941111 Base64 Encoded: False

Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 1460

General Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486 File Type: data Stream Size: 1460 Entropy: 4.42643052746 Base64 Encoded: False

Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 16

General Stream Path: \x18496\x16911\x17892\x17784\x18472 File Type: data Stream Size: 16 Entropy: 2.78063906223 Base64 Encoded: False

Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14

General Stream Path: \x18496\x16918\x17191\x18468 File Type: MIPSEB Ucode Stream Size: 14 Entropy: 2.11796317531 Base64 Encoded: False

Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778, File Type: data, Stream Size: 10

General Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778 File Type: data Stream Size: 10 Entropy: 2.92192809489 Base64 Encoded: False

Stream Path: \x18496\x16923\x17194\x17910\x18229, File Type: 370 sysV executable, Stream Size: 84

General Stream Path: \x18496\x16923\x17194\x17910\x18229 File Type: 370 sysV executable Stream Size: 84 Entropy: 3.65662599323 Base64 Encoded: False

Stream Path: \x18496\x16923\x17584\x16953\x17167\x16943, File Type: data, Stream Size: 10

General Stream Path: \x18496\x16923\x17584\x16953\x17167\x16943 File Type: data Stream Size: 10 Entropy: 2.44643934467 Base64 Encoded: False

Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472, File Type: data, Stream Size: 36

General Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472 File Type: data Stream Size: 36 Entropy: 2.49197022487 Base64 Encoded: False

Stream Path: \x18496\x17100\x16808\x15086\x18162, File Type: data, Stream Size: 8

General Stream Path: \x18496\x17100\x16808\x15086\x18162 File Type: data Stream Size: 8 Entropy: 1.75 Base64 Encoded: False

Stream Path: \x18496\x17116\x17778\x16823\x17912, File Type: data, Stream Size: 32

General Stream Path: \x18496\x17116\x17778\x16823\x17912 File Type: data Stream Size: 32 Entropy: 2.00161447181 Base64 Encoded: False

Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 32

General Stream Path: \x18496\x17163\x16689\x18229 File Type: data Stream Size: 32 Entropy: 2.25 Base64 Encoded: False

Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 312

General Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492 File Type: data Stream Size: 312 Entropy: 4.81812767405 Base64 Encoded: False

Stream Path: \x18496\x17165\x17380\x17074, File Type: data, Stream Size: 484

General Stream Path: \x18496\x17165\x17380\x17074 File Type: data Stream Size: 484 Entropy: 4.10796690389 Base64 Encoded: False

Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 7260

General Stream Path: \x18496\x17167\x16943 File Type: data Stream Size: 7260 Entropy: 4.83095998544 Base64 Encoded: False

Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 186

General Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934 File Type: data Stream Size: 186 Entropy: 4.63476550924 Base64 Encoded: False

Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 108

General Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472 File Type: data Stream Size: 108 Entropy: 4.50713419187 Base64 Encoded: False

Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: 370 XA sysV pure executable not stripped, Stream Size: 4380

General Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487 File Type: 370 XA sysV pure executable not stripped Stream Size: 4380 Entropy: 5.07214734716 Base64 Encoded: False

Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522, File Type: x86 executable not stripped, Stream Size: 504

General Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522 File Type: x86 executable not stripped Stream Size: 504 Entropy: 3.71422271192 Base64 Encoded: False

Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905, File Type: data, Stream Size: 1548

General Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905 File Type: data Stream Size: 1548 Entropy: 4.338767829 Base64 Encoded: False

Stream Path: \x18496\x17548\x17905\x17589\x18479, File Type: data, Stream Size: 5590

General Stream Path: \x18496\x17548\x17905\x17589\x18479 File Type: data Stream Size: 5590 Entropy: 4.35004028318 Base64 Encoded: False

Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475, File Type: data, Stream Size: 4

General Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475 File Type: data Stream Size: 4 Entropy: 1.5 Base64 Encoded: False Data ASCII: M . N . Data Raw: 4d 01 4e 01

Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: data, Stream Size: 32

General Stream Path: \x18496\x17630\x17770\x16868\x18472 File Type: data Stream Size: 32 Entropy: 2.60614503331 Base64 Encoded: False Data ASCII: ...... B . C . Data Raw: bb 08 bb 08 00 00 ba 08 ba 08 00 00 00 00 00 00 01 02 00 80 02 00 00 80 00 00 00 00 42 09 43 09

Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 4

General Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768 File Type: data Stream Size: 4 Entropy: 1.5 Base64 Encoded: False Data ASCII: . . . . Data Raw: 0d 02 0b 02

Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 84

General Stream Path: \x18496\x17753\x17650\x17768\x18231 File Type: data Stream Size: 84 Entropy: 4.30555765117 Base64 Encoded: False Data ASCII: 2 . W . . . u ...... X . . . M . X . X ...... Data Raw: 32 01 57 01 01 06 75 06 92 06 a7 06 a8 08 a9 08 ab 08 ad 08 af 08 b1 08 b3 08 b5 08 b7 08 b8 08 b9 08 bc 08 be 08 c0 08 c2 08 bb 08 58 01 c1 08 4d 01 58 01 58 01 91 08 aa 08 ac 08 ae 08 b0 08 b2 08 b4 08 b6 08 1f 07 1c 07 ba 08 bd 08 bf 08 e0 05 c3 08

Stream Path: \x18496\x17814\x15340\x17388\x15464\x17828\x18475, File Type: data, Stream Size: 6660

General Stream Path: \x18496\x17814\x15340\x17388\x15464\x17828\x18475 File Type: data Stream Size: 6660 Entropy: 7.6379317377 Base64 Encoded: True

Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 96

General Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522 File Type: data Stream Size: 96 Entropy: 3.34948037801 Base64 Encoded: False Data ASCII: ...... A . A . 3 . A . A . A . A . V . O . O . . . V . V . V . V ...... Data Raw: ab 06 ad 06 ce 06 d3 06 d7 06 d9 06 da 06 dc 06 01 80 41 80 41 80 33 80 41 80 41 80 41 80 41 80 56 01 4f 01 4f 01 d4 06 56 01 56 01 56 01 56 01 d6 06 dd 06 de 06 d5 06 d8 06 d8 06 db 06 db 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073, File Type: data, Stream Size: 40

General Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073 File Type: data Stream Size: 40 Entropy: 3.48284002465 Base64 Encoded: False Data ASCII: ...... # ...... Data Raw: c3 05 03 06 03 06 0e 06 0e 06 cb 05 08 06 09 06 09 06 23 06 18 07 08 06 09 06 09 06 19 07 18 07 1f 00 1f 00 1f 00 1a 07

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• msiexec.exe
• msiexec.exe
• msiexec.exe
• taskkill.exe
• conhost.exe
• taskkill.exe
• conhost.exe
• KeePassXC.exe


System Behavior

Analysis Process: msiexec.exe PID: 5148 Parent PID: 5500

General

Start time: 13:25:00
Start date: 08/05/2020
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\KeePassXC-2.5.4-Win64.msi'
Imagebase: 0x7ff6577f0000
File size: 66048 bytes
MD5 hash: 4767B71A318E201188A0D0A420C8B608
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities


Registry Activities


Analysis Process: msiexec.exe PID: 5648 Parent PID: 1108

General

Start time: 13:25:16
Start date: 08/05/2020
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding DD284C049303FD5DD13157E426F8E503 C
Imagebase: 0xfe0000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities


Analysis Process: msiexec.exe PID: 5908 Parent PID: 1108

General

Start time: 13:25:24
Start date: 08/05/2020
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding F6D9D2409E57572A5FF470B9E2327465
Imagebase: 0xfe0000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities


Analysis Process: taskkill.exe PID: 5952 Parent PID: 5908

General

Start time: 13:25:25
Start date: 08/05/2020
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: 'Taskkill' /IM KeePassXC.exe
Imagebase: 0xc10000
File size: 74752 bytes
MD5 hash: 15E2E0ACD891510C6268CB8899F2A1A1
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities


Analysis Process: conhost.exe PID: 5968 Parent PID: 5952

General

Start time: 13:25:25
Start date: 08/05/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c77e0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: taskkill.exe PID: 5324 Parent PID: 5908

General

Start time: 13:25:25
Start date: 08/05/2020
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: 'Taskkill' /IM keepassxc-proxy.exe /F
Imagebase: 0xc10000
File size: 74752 bytes
MD5 hash: 15E2E0ACD891510C6268CB8899F2A1A1
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities


Analysis Process: conhost.exe PID: 5172 Parent PID: 5324

General

Start time: 13:25:26
Start date: 08/05/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c77e0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: KeePassXC.exe PID: 3976 Parent PID: 5648

General

Start time: 13:25:37
Start date: 08/05/2020
Path: C:\Program Files\KeePassXC\KeePassXC.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\KeePassXC\KeePassXC.exe'
Imagebase: 0xaa0000
File size: 6763192 bytes
MD5 hash: 7C1F760E9656B24F1C0783437AD43F28
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities


Disassembly

Code Analysis
