Automated Malware Analysis Report For

ID: 195574 Sample Name: FileOpenInstaller64.msi Cookbook: default.jbs Time: 23:32:33 Date: 11/12/2019 Version: 28.0.0 Lapis Lazuli Table of Contents

Table of Contents 2 Analysis Report FileOpenInstaller64.msi 5 Overview 5 General Information 5 Detection 5 Confidence 6 Classification 6 Analysis Advice 6 Mitre Att&ck Matrix 7 Signature Overview 7 Spreading: 7 Networking: 7 System Summary: 7 Hooking and other Techniques for Hiding and Protection: 8 Malware Analysis System Evasion: 8 Language, Device and Operating System Detection: 8 Malware Configuration 8 Behavior Graph 8 Simulations 9 Behavior and APIs 9 Antivirus, Machine Learning and Genetic Malware Detection 9 Initial Sample 9 Dropped Files 9 Unpacked PE Files 9 Domains 9 URLs 9 Yara Overview 9 Initial Sample 9 PCAP (Network Traffic) 9 Dropped Files 9 Memory Dumps 9 Unpacked PEs 9 Sigma Overview 9 Joe Sandbox View / Context 10 IPs 10 Domains 10 ASN 10 JA3 Fingerprints 10 Dropped Files 10 Screenshots 10 Thumbnails 10 Startup 11 Created / dropped Files 11 Domains and IPs 11 Contacted Domains 11 URLs from Memory and Binaries 11 Contacted IPs 12 Static File Info 12 General 12 File Icon 12 Static OLE Info 12 General 12 Authenticode Signature 13 OLE File "FileOpenInstaller64.msi" 13 Indicators 13 Summary 13 Streams 13 Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 7246 13 General 13 Copyright Joe Security LLC 2019 Page 2 of 26 Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 32 14 General 14 Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 560 14 General 14 Stream Path: \x16786\x17522\x17022\x18418\x17583\x17578\x17214\x17574, File Type: MS Windows icon resource - 19 icons, 256x256, 32 bits/pixel, 128x128, 32 bits/pixel, Stream Size: 544750 14 General 14 Stream Path: \x17163\x16689\x18229\x15358\x15128\x17848\x17591\x15024\x17894\x17580\x17841\x15693\x18453, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 1735680 14 General 14 Stream Path: \x17163\x16689\x18229\x15358\x17388\x15912\x16947\x15793\x15516\x17886\x17388\x18486, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 90112 14 General 14 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15103\x17508\x16945\x18485, File Type: PC bitmap, Windows 3.x format, 500 x 63 x 24, Stream Size: 94556 15 General 15 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15231\x16684\x17583\x18474, File Type: PC bitmap, Windows 3.x format, 503 x 314 x 24, Stream Size: 474824 15 General 15 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15871\x18088, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318 General 1515 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x16319\x18483, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318 General 1615 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15295\x16827\x16687\x18480, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766 16 General 16 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15551\x17009\x18482, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors, Stream Size: 1078 16 General 16 Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x17184\x16827\x18468, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 107008 General 1616 Stream Path: \x17167\x16943\x17624\x17512\x17490\x17910\x17380\x16943\x18357\x14923\x14537\x16830\x16740, File Type: Microsoft Cabinet archive data, 1397022 bytes, 20 files, Stream Size: 1397022 17 General 17 Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 1576 17 General 17 Stream Path: \x18496\x15518\x16925\x17915, File Type: data, Stream Size: 204 17 General 17 Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ISO-8859 text, with very long lines, Stream Size: 36704 17 General 17 Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 3672 18 General 18 Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 78 18 General 18 Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 4776 18 General 18 Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481, File Type: data, Stream Size: 12 18 General 18 Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481, File Type: data, Stream Size: 36 18 General 18 Stream Path: \x18496\x16786\x17522, File Type: data, Stream Size: 4 19 General 19 Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: x86 executable not stripped, Stream Size: 48 19 General 19 Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: x86 executable not stripped, Stream Size: 42 19 General 19 Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: x86 executable not stripped, Stream Size: 42 19 General 19 Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 80 19 General 19 Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 80 19 General 20 Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14 20 General 20 Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778, File Type: data, Stream Size: 30 20 General 20 Stream Path: \x18496\x16923\x17194\x17910\x18229, File Type: data, Stream Size: 12 20 General 20 Stream Path: \x18496\x16924\x18037\x16812\x15144\x17522\x17783\x17394, File Type: data, Stream Size: 12 20 General 20 Stream Path: \x18496\x16924\x18037\x16812\x15528\x17841\x16695\x17391, File Type: data, Stream Size: 32 20 General 20 Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472, File Type: data, Stream Size: 36 21 General 21 Stream Path: \x18496\x17100\x16808\x15086\x18162, File Type: data, Stream Size: 8 21 General 21 Stream Path: \x18496\x17163\x16689\x18229, File Type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 0.1, Stream Size: 36 21 General 21 Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 90 21 General 21 Stream Path: \x18496\x17165\x17380\x17074, File Type: data, Stream Size: 396 21 General 21 Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 400 21 General 22 Stream Path: \x18496\x17180\x17514\x17892\x17784\x18472, File Type: data, Stream Size: 52 22 General 22 Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 198 22 General 22 Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 102 22 General 22 Stream Path: \x18496\x17548\x16881\x17900\x17580\x18481, File Type: data, Stream Size: 6 22 General 22 Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 240 23

Copyright Joe Security LLC 2019 Page 3 of 26 General 23 Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522, File Type: iAPX 286 executable large model (COFF) not stripped, Stream Size: 536 23 General 23 Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905, File Type: data, Stream Size: 1404 23 General 23 Stream Path: \x18496\x17548\x17905\x17589\x18479, File Type: data, Stream Size: 4628 23 General 23 Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475, File Type: data, Stream Size: 28 23 General 24 Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: data, Stream Size: 16 24 General 24 Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 4 24 General 24 Stream Path: \x18496\x17741\x17557\x16678\x17591\x18485, File Type: data, Stream Size: 32 24 General 24 Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 76 24 General 24 Stream Path: \x18496\x17814\x15340\x17388\x15464\x17828\x18475, File Type: CLIPPER COFF executable (VAX #) not stripped - version 425, Stream Size: 280 24 General 24 Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 96 25 General 25 Stream Path: \x18496\x17933\x17395\x16812\x17892\x15336\x17388\x18472, File Type: data, Stream Size: 80 25 General 25 Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073, File Type: data, Stream Size: 32 25 General 25 Network Behavior 25 Code Manipulations 25 Statistics 25 System Behavior 26 Analysis Process: msiexec.exe PID: 4400 Parent PID: 4220 26 General 26 File Activities 26 Disassembly 26 Code Analysis 26

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli Analysis ID: 195574 Start date: 11.12.2019 Start time: 23:32:33 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 2m 10s Hypervisor based Inspection enabled: false Report type: light Sample file name: FileOpenInstaller64.msi Cookbook file name: default.jbs Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113 Number of analysed new started processes analysed: 2 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis stop reason: Timeout Detection: CLEAN Classification: clean1.winMSI@1/0@0/0 EGA Information: Failed HDC Information: Failed HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 Cookbook Comments: Adjust boot time Enable AMSI Found application associated with file extension: .msi Stop behavior analysis, all processes terminated

Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 1 0 - 100 false

Strategy Score Range Further Analysis Required? Confidence

Threshold 2 0 - 5 true

Classification

Ransomware

Miner Spreading

mmaallliiiccciiioouusss

malicious

Evader Phishing

sssuusssppiiiccciiioouusss

suspicious

cccllleeaann

clean

Exploiter Banker

Spyware Trojan / Bot

Adware

Analysis Advice

Copyright Joe Security LLC 2019 Page 6 of 26 Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Command Remote Initial Privilege Defense Credential Lateral and Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Effects Effects Impact Replication Command- Winlogon Port DLL Side- Credential Peripheral Replication Data from Data Data Eavesdrop on Remotely Modify Through Line Helper DLL Monitors Loading 1 Dumping Device Through Local Compressed Obfuscation Insecure Track Device System Removable Interface 2 Discovery 1 1 Removable System Network Without Partition Media 1 Media 1 Communication Authorization Replication Graphical Port Accessibility Binary Network System Remote Data from Exfiltration Fallback Exploit SS7 to Remotely Device Through User Monitors Features Padding Sniffing Information Services Removable Over Other Channels Redirect Phone Wipe Data Lockout Removable Interface 1 Discovery 1 3 Media Network Calls/SMS Without Media Medium Authorization

Signature Overview

• Spreading • Networking • System Summary • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Language, Device and Operating System Detection

Click to jump to signature section

Spreading:

Checks for available system drives (often done to infect USB drives)

Networking:

Urls found in memory or binary data

System Summary:

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Classification label

Reads software policies

Sample is a Windows installer

Sample might require command line arguments

Uses an in-process (OLE) Automation server

Found graphical window changes (likely an installer)

Submission file is bigger than most known malware samples

Binary contains paths to debug symbols

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Malware Analysis System Evasion:

Checks the free space of harddrives

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Queries the cryptographic machine GUID

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend Legend: Process Signature Created File DNS/IP Info Is Dropped

Is Windows Process

Behavior Graph Number of created Registry Values Number of created Files ID: 195574 Visual Basic Sample: FileOpenInstaller64.msi Startdate: 11/12/2019 Delphi Architecture: WINDOWS Java Score: 1 .Net C# or VB.NET

C, C++ or other language

started Is malicious

Internet msiexec.exe

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source Detection Scanner Label Link FileOpenInstaller64.msi 0% Virustotal Browse FileOpenInstaller64.msi 0% Metadefender Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source Detection Scanner Label Link www.fileopen.comK 0% Avira URL Cloud safe ocsp.thawte.com0 0% URL Reputation safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

System is w10x64 msiexec.exe (PID: 4400 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\FileOpenInstaller64.msi' MD5: 4767B71A318E201188A0D0A420C8B608) cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation

Copyright Joe Security LLC 2019 Page 11 of 26 Name Source Malicious Antivirus Detection Reputation www.fileopen.com/0 msiexec.exe, 00000000.00000002 false high .1784839535.000002AC3DDD5000.0 0000004.00000001.sdmp, FileOpe nInstaller64.msi plugin.fileopen.com/0879/nonsilent/fileopeninstaller.exe msiexec.exe, 00000000.00000003 false high .1754078443.000002AC3DD9E000.0 0000004.00000001.sdmp www.fileopen.comK msiexec.exe, 00000000.00000003 false Avira URL Cloud: safe unknown .1753629193.000002AC3DD9F000.0 0000004.00000001.sdmp crl.thawte.com/ThawteTimestampingCA.crl0 FileOpenScreenHook32.dll false high fileopen.com mainplugin0 false high plugin.fileopen.com/. mainplugin0 false high www.fileopen.com msiexec.exe, 00000000.00000003 false high .1754078443.000002AC3DD9E000.0 0000004.00000001.sdmp ocsp.thawte.com0 FileOpenScreenHook32.dll false URL Reputation: safe unknown www.fileopen.com/%s mainplugin0 false high

Contacted IPs

No contacted IP infos

Static File Info

General File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: FileOpen Cl ient (x64) B993 - build 993, Author: FileOpen Systems Inc., Keywords: Installer FileOpen, Comments: Copyright 2009-2019 FileOpen Systems Inc. All rights reserved., Template: x64;1033, Revision Number: {F6AB8009-E2FE-4C42-8595-859C37DA87A0}, Create Time/Date: Tue Apr 2 22:00:38 2019, Last Saved Tim e/Date: Tue Apr 2 22:00:38 2019, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2 Entropy (8bit): 6.313580778449693 TrID: Microsoft Windows Installer (638509/1) 98.76% Generic OLE2 / Multistream Compound File (8008/1) 1.24% File name: FileOpenInstaller64.msi File size: 4562944 MD5: 330efa06b83bc89aed8329605cd5edc9 SHA1: b97ba89ccc4e9ee12fd5820a959b07e540a064a6 SHA256: 6342832cfe02b71d6bbb361b744d3ec739baa6786db777 1ad2855e48c308260b SHA512: ec39fa3912aaaa1c9277e236cbfbe20c166ab3e5a5c872b b3509ceea15b3dd60fa2f661945ad6085c7327a502c7c00 035a3ec26b13e938299bc1efb8c4927563 SSDEEP: 49152:DKQwT7TPnPw1Ssne21iGgALUIBHrP3XCQxm wAKMYY6f0iZXNbk3IDTCR0sSQ2p:5yHnPwTBHLSQU wAeXMEFB7 File Content Preview: ...... >......

File Icon

Icon Hash: a2a0b496b2caca72

Static OLE Info

General Document Type: OLE

Authenticode Signature

Signature Valid: true Signature Issuer: CN=Symantec Class 3 Extended Validation Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US Signature Validation Error: The operation completed successfully Error Number: 0 Not Before, Not After 8/21/2018 5:00:00 PM 8/21/2019 4:59:59 PM Subject Chain CN=FileOpen Systems Inc., O=FileOpen Systems Inc., L=Santa Cruz, S=California, C=US, SERIALNUMBER=5070649, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Santa Cruz, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US Version: 3 Thumbprint MD5: 40C091C0D1F51CA3B940DC675FF5C563 Thumbprint SHA-1: 816F090655BBCDBD97001D2B1F91825BB1F305FD Thumbprint SHA-256: D03B8E7E710169E0A2989053A5094C8FF8C739484044F6C03BD4AA8F622C14FD Serial: 45B7F3C4D65094C8BFDF212B871339EC

OLE File "FileOpenInstaller64.msi"

Indicators Has Summary Info: True Application Name: Windows Installer XML Toolset (3.11.0.1701) Encrypted Document: False Contains Word Document Stream: False Contains Workbook/Book Stream: False Contains PowerPoint Document Stream: False Contains Visio Document Stream: False Contains ObjectPool Stream: Flash Objects Count: Contains VBA Macros: False

Summary Code Page: 1252 Title: Installation Database Subject: FileOpen Client (x64) B993 - build 993 Author: FileOpen Systems Inc. Keywords: Installer FileOpen Comments: Copyright 2009-2019 FileOpen Systems Inc. All rights reserved. Template: x64;1033 Revion Number: {F6AB8009-E2FE-4C42-8595-859C37DA87A0} Create Time: 2019-04-02 21:00:38 Last Saved Time: 2019-04-02 21:00:38 Number of Pages: 300 Number of Words: 2 Creating Application: Windows Installer XML Toolset (3.11.0.1701) Security: 2

Streams

Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 7246

General Stream Path: \x5DigitalSignature File Type: data Stream Size: 7246 Entropy: 7.32120177024 Base64 Encoded: True Data ASCII: 0 . . J . . * . H ...... ; 0 . . 7 . . . 1 . 0 . . . ` . H . e ...... 0 w . . + . . . . . 7 . . . . i 0 g 0 2 . . + . . . . . 7 . . . 0 $ ...... F ...... 0 1 0 . . . ` . H . e ...... w ? . . . ] . ^ w ( . . 2 | . . . d . . . q \\ . . ^ . e . | . . . . . 0 . . V 0 . . > ...... 2 . u ...... I 0 . . . * . H ...... 0 . . 1 . 0 . . . U . . . . U S 1 . 0 . . . U . . . . V e r i S i g n , I n c . 1 Data Raw: 30 82 1c 4a 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 1c 3b 30 82 1c 37 02 01 01 31 0f 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 30 77 06 0a 2b 06 01 04 01 82 37 02 01 04 a0 69 30 67 30 32 06 0a 2b 06 01 04 01 82 37 02 01 1e 30 24 02 01 02 04 10 f1 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 01 00 02 01 00 02 01 00 02 01 00 02 01 00 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01

General Stream Path: \x5MsiDigitalSignatureEx File Type: data Stream Size: 32 Entropy: 4.9375 Base64 Encoded: False Data ASCII: ...... n . . . . , . . . Q . . > ...... G . . v . . A Data Raw: 88 f6 fe a5 a8 1e 6e f9 0e d3 c6 2c 84 f2 fe 51 fa c5 3e 05 ea 9f b3 d6 94 47 7f c7 76 b4 0a 41

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 560

General Stream Path: \x5SummaryInformation File Type: data Stream Size: 560 Entropy: 4.77678680408 Base64 Encoded: True Data ASCII: ...... O h . . . . . + ' . . 0 ...... x ...... X ...... l ...... I n s t a l l a t i o n D a t a b a s e ...... ' . . . F i l e O p e n C l i e n t ( x 6 4 ) B 9 9 3 - b u i l d 9 9 3 . . Data Raw: fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 00 02 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 80 00 00 00 03 00 00 00 a0 00 00 00 04 00 00 00 d0 00 00 00 05 00 00 00 f0 00 00 00 06 00 00 00 0c 01 00 00 07 00 00 00 58 01 00 00 09 00 00 00 6c 01 00 00 0c 00 00 00 9c 01 00 00

Stream Path: \x16786\x17522\x17022\x18418\x17583\x17578\x17214\x17574, File Type: MS Windows icon resource - 19 icons, 256x256, 32 bits/pixel, 128x128, 32 bits/pixel, Stream Size: 544750

General Stream Path: \x16786\x17522\x17022\x18418\x17583\x17578\x17214\x17574 File Type: MS Windows icon resource - 19 icons, 256x256, 32 bits/pixel, 128x128, 32 bits/pixel Stream Size: 544750 Entropy: 3.06657946392 Base64 Encoded: True Data ASCII: ...... ( . . 6 ...... ( . . . ^ ! . . ` ` ...... ) . . @ @ . . . . . ( B ...... 0 0 ...... % . . V ...... % ...... 6 ...... h . . . . @ ...... ( $ . . . D ...... ( L . . . h . . ` ` ...... , ...... @ @ ...... ( ...... 0 0 ...... ^ ...... h . Data Raw: 00 00 01 00 13 00 00 00 00 00 01 00 20 00 28 20 04 00 36 01 00 00 80 80 00 00 01 00 20 00 28 08 01 00 5e 21 04 00 60 60 00 00 01 00 20 00 a8 94 00 00 86 29 05 00 40 40 00 00 01 00 20 00 28 42 00 00 2e be 05 00 30 30 00 00 01 00 20 00 a8 25 00 00 56 00 06 00 20 20 00 00 01 00 20 00 a8 10 00 00 fe 25 06 00 18 18 00 00 01 00 20 00 88 09 00 00 a6 36 06 00 10 10 00 00 01 00 20 00 68 04

Stream Path: \x17163\x16689\x18229\x15358\x15128\x17848\x17591\x15024\x17894\x17580\x17841\x15693\x18453, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 1735680

General Stream Path: \x17163\x16689\x18229\x15358\x15128\x17848\x17591\x15024\x17894\x17580\x17841\x156 93\x18453 File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Stream Size: 1735680 Entropy: 5.66626665199 Base64 Encoded: True Data ASCII: M Z ...... @ ...... ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ ...... / j ` . k . . . k . . . k ...... d ...... u . . . . R . . i . . . P U ...... P U . . V . . . P U . . K ...... d . . . k ...... U ...... U . . j . . . . U . . j . . . k . . . j . . . . U . . j . . . Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x15358\x17388\x15912\x16947\x15793\x15516\x17886\x17388\x18486, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 90112

General Stream Path: \x17163\x16689\x18229\x15358\x17388\x15912\x16947\x15793\x15516\x17886\x17388\x184 86 Copyright Joe Security LLC 2019 Page 14 of 26 General File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Stream Size: 90112 Entropy: 5.76396298748 Base64 Encoded: True Data ASCII: M Z ...... @ ...... ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ ...... C . . . - . . . - . . . - . . . " . . . - . . . D . . . - . . . r . . . - . . . p . . . - . r . p . . . - . 2 . p . . . - . . . , . . . - . . . M . . . - . . . q . . . - . . . s . . . - . . . w . . . - . R i c h . . - ...... Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15103\x17508\x16945\x18485, File Type: PC bitmap, Windows 3.x format, 500 x 63 x 24, Stream Size: 94556

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15103\x17508\x16945\x184 85 File Type: PC bitmap, Windows 3.x format, 500 x 63 x 24 Stream Size: 94556 Entropy: 1.08739925977 Base64 Encoded: False Data ASCII: B M \\ q ...... 6 . . . ( ...... ? ...... & q ...... Data Raw: 42 4d 5c 71 01 00 00 00 00 00 36 00 00 00 28 00 00 00 f4 01 00 00 3f 00 00 00 01 00 18 00 00 00 00 00 26 71 01 00 10 17 00 00 10 17 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15231\x16684\x17583\x18474, File Type: PC bitmap, Windows 3.x format, 503 x 314 x 24, Stream Size: 474824

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15231\x16684\x17583\x184 74 File Type: PC bitmap, Windows 3.x format, 503 x 314 x 24 Stream Size: 474824 Entropy: 0.381601515917 Base64 Encoded: False Data ASCII: B M . > ...... 6 . . . ( ...... : ...... > ...... Data Raw: 42 4d c8 3e 07 00 00 00 00 00 36 00 00 00 28 00 00 00 f7 01 00 00 3a 01 00 00 01 00 18 00 00 00 00 00 92 3e 07 00 10 17 00 00 10 17 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15871\x18088, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15871\x18088 File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors Stream Size: 318 Entropy: 2.03444158006 Base64 Encoded: False Data ASCII: ...... ( ...... ( ...... Data Raw: 00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x16319\x18483, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

Copyright Joe Security LLC 2019 Page 15 of 26 General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x16319\x18483 File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors Stream Size: 318 Entropy: 2.03693614652 Base64 Encoded: False Data ASCII: ...... ( ...... ( ...... Data Raw: 00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15295\x16827\x16687\x18480, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15295\x16827\x16687\x184 80 File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors Stream Size: 766 Entropy: 3.3484862649 Base64 Encoded: True Data ASCII: ...... ( ...... @ ...... 3 3 1 ...... 3 3 2 3 3 3 3 3 3 3 3 3 3 3 3 . 3 3 $ D D D D D D D D D D D @ 1 . 2 D D D D D D D D D D D D D . . 2 D D D D D D @ D D D D D D C . 2 D D D D D D 3 4 D D D D D C . 2 D D D D D @ 3 0 D D D D D . . 3 $ D D D D D 3 4 D D D D D 1 . 3 $ Data Raw: 00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 c0 c0 00 80 80 80 00 00 80 80 00 00 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 33

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15551\x17009\x18482, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors, Stream Size: 1078

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x15551\x17574\x15551\x17009\x18482 File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors Stream Size: 1078 Entropy: 2.86422695486 Base64 Encoded: False Data ASCII: ...... & ...... ( ...... ( ...... @ ...... p ...... w p ...... p ...... p ...... p ...... p ...... w w . . . w w ...... Data Raw: 00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 10 10 10 00 00 00 00 00 28 01 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0 c0 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x17184\x16827\x18468, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 107008

General Stream Path: \x17163\x16689\x18229\x16446\x18156\x15518\x17184\x16827\x18468 File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Stream Size: 107008 Entropy: 6.5209930455 Base64 Encoded: True Data ASCII: M Z ...... @ ...... ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ ...... > 8 . . _ V . . _ V . . _ V . I . . . . _ V . I . . . . _ V . I . . . . _ V . n ? U . . _ V . n ? R . . _ V . n ? S . . _ V . . ' . . . _ V . . _ W . 8 _ V . D > S . . _ V . D > V . . _ V . D > . . . _ V . . _ . . . _ V . D > T . . _ V . R i c h . _ V . Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Copyright Joe Security LLC 2019 Page 16 of 26 Stream Path: \x17167\x16943\x17624\x17512\x17490\x17910\x17380\x16943\x18357\x14923\x14537\x16830\x16740, File Type: Microsoft Cabinet archive data, 1397022 bytes, 20 files, Stream Size: 1397022

General Stream Path: \x17167\x16943\x17624\x17512\x17490\x17910\x17380\x16943\x18357\x14923\x14537\x168 30\x16740 File Type: Microsoft Cabinet archive data, 1397022 bytes, 20 files Stream Size: 1397022 Entropy: 7.99961135832 Base64 Encoded: True Data ASCII: M S C F . . . . . Q ...... , ...... @ ...... / N . . . . f i l e o p e n 3 2 . s y s . ` ] . . @ . . . . . / N # . . . f i l e o p e n 6 4 . s y s . . 7 . . . * . . . . . N . . . F i l e O p e n B r o k e r . e x e . . { . . . a . . . . . N . . . F i l e O p e n M a n a g e r 6 4 . e x e . H / ...... N . . . F i l e O p e n S c r e e n H o o k 3 2 . d l l ...... N . . . F i l e O p e n S c r e e n H o o k 6 4 Data Raw: 4d 53 43 46 00 00 00 00 1e 51 15 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 14 00 00 00 00 00 00 00 88 02 00 00 8b 00 03 15 40 cd 01 00 00 00 00 00 00 00 2f 4e 9c 89 00 00 66 69 6c 65 6f 70 65 6e 33 32 2e 73 79 73 00 60 5d 02 00 40 cd 01 00 00 00 2f 4e 23 92 00 00 66 69 6c 65 6f 70 65 6e 36 34 2e 73 79 73 00 08 37 12 00 a0 2a 04 00 00 00 81 4e f4 83 20 00 46 69 6c 65 4f 70

Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 1576

General Stream Path: \x18496\x15167\x17394\x17464\x17841 File Type: data Stream Size: 1576 Entropy: 5.06820083733 Base64 Encoded: False Data ASCII: ...... " . " . " . % . % . % . ) . ) . ) . * . * . * . + . + . , . , . 1 . 1 . 5 . 5 . 9 . 9 . 9 . 9 . 9 . 9 . ? . ? . ? . H . H . H . H . H . H . H . H . M . M . M . M . M . M . M . M . M . M . M . M . O . O . O . O . O . O . O . O . O . O . a . a . a . a . h . h . h . h . h . h . q . q . u . u . u . u . u ...... Data Raw: 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 22 00 22 00 22 00 25 00 25 00 25 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2c 00 2c 00 31 00 31 00 35 00 35 00 39 00 39 00 39 00 39 00 39 00 39 00 3f 00 3f 00 3f 00 48 00 48 00 48 00 48 00 48 00 48 00 48 00 48 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4f 00 4f 00 4f 00 4f 00 4f 00

Stream Path: \x18496\x15518\x16925\x17915, File Type: data, Stream Size: 204

General Stream Path: \x18496\x15518\x16925\x17915 File Type: data Stream Size: 204 Entropy: 4.32693828433 Base64 Encoded: False Data ASCII: 4 . 5 . 6 . 7 . 8 . 9 . ; . = . ? . A . C . E . G . I . K . M . O . Q . S . U . W . Y . [ . ] . _ . a . c . e . g . i . k . m . o . q . s . u . w . y . { . } ...... 5 . 6 . 7 . 8 . : . < . > . @ . B . D . F . H . J . L . N . P . R . T . V . X . Z . \\ . ^ . ` . b . d . f . h . j . l . n . p . r . t . v . x . z . | . ~ ...... Data Raw: 34 03 35 03 36 03 37 03 38 03 39 03 3b 03 3d 03 3f 03 41 03 43 03 45 03 47 03 49 03 4b 03 4d 03 4f 03 51 03 53 03 55 03 57 03 59 03 5b 03 5d 03 5f 03 61 03 63 03 65 03 67 03 69 03 6b 03 6d 03 6f 03 71 03 73 03 75 03 77 03 79 03 7b 03 7d 03 7f 03 81 03 83 03 85 03 87 03 89 03 8b 03 8d 03 8f 03 91 03 93 03 00 00 35 03 36 03 37 03 38 03 3a 03 3c 03 3e 03 40 03 42 03 44 03 46 03 48 03

Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ISO-8859 text, with very long lines, Stream Size: 36704

General Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468 File Type: ISO-8859 text, with very long lines Stream Size: 36704 Entropy: 5.10120789862 Base64 Encoded: True Data ASCII: N a m e T a b l e T y p e C o l u m n V a l u e _ V a l i d a t i o n N P r o p e r t y I d _ S u m m a r y I n f o r m a t i o n D e s c r i p t i o n S e t C a t e g o r y K e y C o l u m n M a x V a l u e N u l l a b l e K e y T a b l e M i n V a l u e I d e n t i f i e r N a m e o f t a b l e N a m e o f c o l u m n Y ; N W h e t h e r t h e c o l u m n i s n u l l a b l e Y M i n i m u m v a l u e a l l o w e d M a x i m u m v a l u e a l l o w e d F o r f o r e i g n k e y Data Raw: 4e 61 6d 65 54 61 62 6c 65 54 79 70 65 43 6f 6c 75 6d 6e 56 61 6c 75 65 5f 56 61 6c 69 64 61 74 69 6f 6e 4e 50 72 6f 70 65 72 74 79 49 64 5f 53 75 6d 6d 61 72 79 49 6e 66 6f 72 6d 61 74 69 6f 6e 44 65 73 63 72 69 70 74 69 6f 6e 53 65 74 43 61 74 65 67 6f 72 79 4b 65 79 43 6f 6c 75 6d 6e 4d 61 78 56 61 6c 75 65 4e 75 6c 6c 61 62 6c 65 4b 65 79 54 61 62 6c 65 4d 69 6e 56 61 6c 75 65 Copyright Joe Security LLC 2019 Page 17 of 26 Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 3672

General Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479 File Type: data Stream Size: 3672 Entropy: 3.44487403804 Base64 Encoded: False Data ASCII: ...... u ...... A ...... Z ...... 6 . . . $ ...... d ...... B . . . . . % ...... o ...... ( ...... 5 ...... ' ...... ( ...... * ...... ; ...... > ...... Data Raw: e4 04 00 00 04 00 0c 00 05 00 02 00 00 00 00 00 04 00 06 00 06 00 02 00 05 00 0b 00 0b 00 15 00 01 00 75 00 0a 00 01 00 13 00 02 00 0b 00 16 00 03 00 02 00 08 00 02 00 09 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 0a 00 41 00 0d 00 01 00 0e 00 01 00 03 00 01 00 1e 00 01 00 01 00 5a 00 15 00 01 00 15 00 01 00 36 00 01 00 24 00 01 00 f5 00 01 00 0f 00 01 00 04 00 64 00

Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 78

General Stream Path: \x18496\x16255\x16740\x16943\x18486 File Type: data Stream Size: 78 Entropy: 3.89929336767 Base64 Encoded: False Data ASCII: . . " . % . ) . * . + . , . 1 . 5 . 9 . ? . H . M . O . a . h . q . u ...... 8 . ; . Data Raw: 07 00 22 00 25 00 29 00 2a 00 2b 00 2c 00 31 00 35 00 39 00 3f 00 48 00 4d 00 4f 00 61 00 68 00 71 00 75 00 94 00 9d 00 a2 00 a9 00 ba 00 c9 00 cc 00 cd 00 ce 00 d1 00 d7 00 e3 00 ed 00 f6 00 00 01 03 01 0b 01 1d 01 2e 01 38 01 3b 01

Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 4776

General Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481 File Type: data Stream Size: 4776 Entropy: 2.59930384669 Base64 Encoded: False Data ASCII: ...... " . " . " . % . % . % . ) . ) . ) . * . * . * . + . + . , . , . 1 . 1 . 5 . 5 . 9 . 9 . 9 . 9 . 9 . 9 . ? . ? . ? . H . H . H . H . H . H . H . H . M . M . M . M . M . M . M . M . M . M . M . M . O . O . O . O . O . O . O . O . O . O . a . a . a . a . h . h . h . h . h . h . q . q . u . u . u . u . u ...... Data Raw: 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 0a 00 0a 00 22 00 22 00 22 00 25 00 25 00 25 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2c 00 2c 00 31 00 31 00 35 00 35 00 39 00 39 00 39 00 39 00 39 00 39 00 3f 00 3f 00 3f 00 48 00 48 00 48 00 48 00 48 00 48 00 48 00 48 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4f 00 4f 00 4f 00

Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481, File Type: data, Stream Size: 12

General Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481 File Type: data Stream Size: 12 Entropy: 2.221251836 Base64 Encoded: False Data ASCII: ...... Data Raw: fe 02 00 03 02 03 ff 02 01 03 03 03

Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481, File Type: data, Stream Size: 36

General Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481 File Type: data Stream Size: 36 Entropy: 3.38085911376 Base64 Encoded: False Data ASCII: ...... ' . ' ...... ! . . . . .

Copyright Joe Security LLC 2019 Page 18 of 26 General Data Raw: da 01 da 01 01 80 02 80 1c 03 20 03 00 80 00 80 00 80 14 80 27 81 27 81 10 80 10 80 1f 03 21 03 00 00 00 00

Stream Path: \x18496\x16786\x17522, File Type: data, Stream Size: 4

General Stream Path: \x18496\x16786\x17522 File Type: data Stream Size: 4 Entropy: 2.0 Base64 Encoded: False Data ASCII: . . . . Data Raw: e6 02 01 00

Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: x86 executable not stripped, Stream Size: 48

General Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934 File Type: x86 executable not stripped Stream Size: 48 Entropy: 3.56923567776 Base64 Encoded: False Data ASCII: H . I . J . K . L . M . N . O ...... x . . . < . . . . . Data Raw: 48 01 49 01 4a 01 4b 01 4c 01 4d 01 4e 01 4f 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 3c 8f a0 8f c8 99

Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: x86 executable not stripped, Stream Size: 42

General Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472 File Type: x86 executable not stripped Stream Size: 42 Entropy: 3.42888341403 Base64 Encoded: False Data ASCII: H . I . J . P . Q . R . S ...... Data Raw: 48 01 49 01 4a 01 50 01 51 01 52 01 53 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 fd 7f fe 7f ff 7f 14 85

Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: x86 executable not stripped, Stream Size: 42

General Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472 File Type: x86 executable not stripped Stream Size: 42 Entropy: 3.38624972305 Base64 Encoded: False Data ASCII: H . J . K . L . O . T . U ...... x ...... Data Raw: 48 01 4a 01 4b 01 4c 01 4f 01 54 01 55 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 e8 83 78 85 dc 85 c8 99 9c 98 00 99

Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 80

General Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486 File Type: data Stream Size: 80 Entropy: 3.47018855303 Base64 Encoded: False Data ASCII: ...... t . x . { . ~ ...... o ...... Data Raw: b0 01 b0 01 b0 01 b0 01 b0 01 b0 01 b0 01 ce 02 cf 02 cf 02 cf 02 cf 02 d0 02 d0 02 d0 02 d0 02 d0 02 d0 02 d0 02 d0 02 74 01 78 01 7b 01 7e 01 81 01 84 01 87 01 6f 01 8a 01 8e 01 91 01 94 01 97 01 9b 01 9e 01 a1 01 a4 01 a7 01 aa 01 ad 01

Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 80

Copyright Joe Security LLC 2019 Page 19 of 26 General Stream Path: \x18496\x16911\x17892\x17784\x18472 File Type: data Stream Size: 80 Entropy: 2.42578022126 Base64 Encoded: False Data ASCII: ...... Data Raw: b0 01 cc 02 ce 02 cf 02 d0 02 cc 02 00 00 cc 02 cc 02 cc 02 00 00 00 00 00 00 00 00 00 00 00 00 cd 02 00 00 00 00 00 00 00 80 01 80 02 80 04 80 06 80 00 80 01 80 01 80 01 80 01 80 00 00 00 00 00 00 00 00 00 00 00 80 00 80 00 80 00 80 00 80

Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14

General Stream Path: \x18496\x16918\x17191\x18468 File Type: MIPSEB Ucode Stream Size: 14 Entropy: 1.95021206491 Base64 Encoded: False Data ASCII: ...... Data Raw: 01 80 14 00 00 80 00 00 04 03 00 00 00 00

Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778, File Type: data, Stream Size: 30

General Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778 File Type: data Stream Size: 30 Entropy: 3.36473517873 Base64 Encoded: False Data ASCII: W . Y . b ...... & . ' . ( . . . . . ) ...... Data Raw: 57 01 59 01 62 01 02 80 02 80 01 80 26 03 27 03 28 03 98 00 98 00 29 03 02 80 02 80 00 80

Stream Path: \x18496\x16923\x17194\x17910\x18229, File Type: data, Stream Size: 12

General Stream Path: \x18496\x16923\x17194\x17910\x18229 File Type: data Stream Size: 12 Entropy: 2.91829583405 Base64 Encoded: False Data ASCII: " . . . # . $ . % . x . Data Raw: 22 03 02 80 23 03 24 03 25 03 78 01

Stream Path: \x18496\x16924\x18037\x16812\x15144\x17522\x17783\x17394, File Type: data, Stream Size: 12

General Stream Path: \x18496\x16924\x18037\x16812\x15144\x17522\x17783\x17394 File Type: data Stream Size: 12 Entropy: 2.75162916739 Base64 Encoded: False Data ASCII: * . + ...... t . Data Raw: 2a 03 2b 03 a3 80 00 00 00 00 74 01

Stream Path: \x18496\x16924\x18037\x16812\x15528\x17841\x16695\x17391, File Type: data, Stream Size: 32

General Stream Path: \x18496\x16924\x18037\x16812\x15528\x17841\x16695\x17391 File Type: data Stream Size: 32 Entropy: 2.60614503331 Base64 Encoded: False Data ASCII: , . + . - ...... t . . . Data Raw: 2c 03 2b 03 2d 03 10 00 00 80 02 00 00 80 01 80 00 80 00 00 00 00 00 00 00 00 00 00 74 01 2e 03

Copyright Joe Security LLC 2019 Page 20 of 26 Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472, File Type: data, Stream Size: 36

General Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472 File Type: data Stream Size: 36 Entropy: 2.6070177096 Base64 Encoded: False Data ASCII: . . 2 . 3 . 1 . 1 . 1 ...... Data Raw: 18 03 32 03 33 03 31 03 31 03 31 03 08 80 0c 80 09 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 80

Stream Path: \x18496\x17100\x16808\x15086\x18162, File Type: data, Stream Size: 8

General Stream Path: \x18496\x17100\x16808\x15086\x18162 File Type: data Stream Size: 8 Entropy: 1.75 Base64 Encoded: False Data ASCII: l . n . m . m . Data Raw: 6c 01 6e 01 6d 01 6d 01

Stream Path: \x18496\x17163\x16689\x18229, File Type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 0.1, Stream Size: 36

General Stream Path: \x18496\x17163\x16689\x18229 File Type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 0.1 Stream Size: 36 Entropy: 2.29248125036 Base64 Encoded: False Data ASCII: c . d . e . f . g . h . i . j . k ...... Data Raw: 63 01 64 01 65 01 66 01 67 01 68 01 69 01 6a 01 6b 01 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00

Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 90

General Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492 File Type: data Stream Size: 90 Entropy: 3.5290579707 Base64 Encoded: False Data ASCII: q . v ...... Data Raw: 71 01 76 01 8c 01 99 01 a6 02 a8 02 aa 02 ac 02 ae 02 af 02 b1 02 b3 02 b5 02 b8 02 ba 02 ac 02 a6 02 b5 02 b5 02 a8 02 aa 02 00 00 af 02 ac 02 aa 02 aa 02 aa 02 b8 02 ba 02 aa 02 ad 02 a7 02 b6 02 b7 02 a9 02 ab 02 b3 02 a9 02 a7 02 b0 02 b2 02 b4 02 b9 02 a9 02 bb 02

Stream Path: \x18496\x17165\x17380\x17074, File Type: data, Stream Size: 396

General Stream Path: \x18496\x17165\x17380\x17074 File Type: data Stream Size: 396 Entropy: 4.10506567683 Base64 Encoded: False Data ASCII: P . Q . R ...... ) . H . Z . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . r . r . r . . . r . r . r . . . r . r . . . r . r . r . r . r . r . r ...... i ...... U . . . . . U ...... ' ...... Data Raw: 50 01 51 01 52 01 b1 01 cb 01 d7 01 dc 01 e3 01 e7 01 00 02 06 02 0b 02 12 02 16 02 1a 02 29 02 48 02 5a 02 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 72 81 72 81 72 81 0e 81 72 81 72 81 72 81 04 81 72 81 72 81

Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 400

Copyright Joe Security LLC 2019 Page 21 of 26 General Stream Path: \x18496\x17167\x16943 File Type: data Stream Size: 400 Entropy: 4.35546076293 Base64 Encoded: False Data ASCII: s . w . z . } ...... o . t . x . { . ~ ...... { . . . 7 . . @ . . . H / . . ` ] ...... , . . h 1 . . . 1 . . ( < . . . ' ...... P ...... P . . . P ...... Data Raw: 73 01 77 01 7a 01 7d 01 80 01 83 01 86 01 89 01 8d 01 90 01 93 01 96 01 9a 01 9d 01 a0 01 a3 01 a6 01 a9 01 ac 01 af 01 6f 01 74 01 78 01 7b 01 7e 01 81 01 84 01 87 01 8a 01 8e 01 91 01 94 01 97 01 9b 01 9e 01 a1 01 a4 01 a7 01 aa 01 ad 01 d1 02 d4 02 d5 02 d6 02 d7 02 d8 02 d9 02 89 01 da 02 db 02 dc 02 dd 02 de 02 df 02 e0 02 e1 02 e2 02 e3 02 e4 02 e5 02 00 ca 1d 80 f0 7b 05 80

Stream Path: \x18496\x17180\x17514\x17892\x17784\x18472, File Type: data, Stream Size: 52

General Stream Path: \x18496\x17180\x17514\x17892\x17784\x18472 File Type: data Stream Size: 52 Entropy: 1.00399757929 Base64 Encoded: False Data ASCII: [ . ] . / . 0 ...... Data Raw: 5b 01 5d 01 2f 03 30 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 198

General Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x169 34 File Type: data Stream Size: 198 Entropy: 4.88840801778 Base64 Encoded: False Data ASCII: + . H . I . J . K . L . N . O . T . U ...... Z . \\ ...... 2 ...... x ...... 4 . 3 ...... @ . . . l . . . ( . H . . . . . t . r ...... p . . . 5 . . . Data Raw: 2b 00 48 01 49 01 4a 01 4b 01 4c 01 4e 01 4f 01 54 01 55 01 98 02 9e 02 a0 02 a2 02 e7 02 e8 02 e9 02 ea 02 eb 02 ed 02 ee 02 ef 02 f0 02 f1 02 f2 02 f3 02 f4 02 f5 02 f6 02 f7 02 f8 02 f9 02 fa 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5a 01 5c 01 fb 02 00 00 00 00 00 00 00 00 ec 02 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 02 ec 02 00 00 00 00

Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 102

General Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472 File Type: data Stream Size: 102 Entropy: 4.3174394533 Base64 Encoded: False Data ASCII: + . H . I . J . P . Q . R . S ...... Z ...... f . n ...... 2 ...... 1 ...... d . Data Raw: 2b 00 48 01 49 01 4a 01 50 01 51 01 52 01 53 01 dc 01 e7 01 00 02 16 02 1a 02 5a 02 e7 02 e8 02 f9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc 02 66 02 6e 02 fd 02 00 00 00 00 00 00 32 80 20 83 84 83 e8 83 fd 7f fe 7f ff 7f 14 85 31 80 13 85 10 85 11 85 12 85 0f 85 19 80 bc 82 64 80

Stream Path: \x18496\x17548\x16881\x17900\x17580\x18481, File Type: data, Stream Size: 6

General Stream Path: \x18496\x17548\x16881\x17900\x17580\x18481 File Type: data Stream Size: 6 Entropy: 1.79248125036 Base64 Encoded: False Data ASCII: . . . . r . Data Raw: b0 01 01 80 72 01 Copyright Joe Security LLC 2019 Page 22 of 26 Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 240

General Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487 File Type: data Stream Size: 240 Entropy: 3.81915990251 Base64 Encoded: False Data ASCII: o . t . x . { . ~ ...... p . u . y . | ...... q . v . v . v . v . v . v . q ...... r ...... s . w . z . } ...... Data Raw: 6f 01 74 01 78 01 7b 01 7e 01 81 01 84 01 87 01 8a 01 8e 01 91 01 94 01 97 01 9b 01 9e 01 a1 01 a4 01 a7 01 aa 01 ad 01 70 01 75 01 79 01 7c 01 7f 01 82 01 85 01 88 01 8b 01 8f 01 92 01 95 01 98 01 9c 01 9f 01 a2 01 a5 01 a8 01 ab 01 ae 01 71 01 76 01 76 01 76 01 76 01 76 01 76 01 71 01 8c 01 8c 01 8c 01 8c 01 99 01 99 01 99 01 99 01 99 01 99 01 99 01 99 01 00 80 00 81 00 81 00 81

Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522, File Type: iAPX 286 executable large model (COFF) not stripped, Stream Size: 536

General

Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522 File Type: iAPX 286 executable large model (COFF) not stripped Stream Size: 536 Entropy: 3.83304538721 Base64 Encoded: False Data ASCII: R . R ...... ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . H . H . H . H . H . H . H . H . H . # . & ...... D . D ...... * . * . * . , . , . , . - . - . - . 0 . 0 . 1 . 1 . 3 . 3 . 4 . 6 . 8 . : . < . > . @ . B . D . F . : . > . B . Data Raw: 52 01 52 01 e7 01 e7 01 e7 01 e7 01 e7 01 e7 01 e7 01 e7 01 e7 01 e7 01 00 02 00 02 16 02 16 02 16 02 16 02 1a 02 1a 02 1a 02 1a 02 1a 02 1a 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 48 02 48 02 48 02 48 02 48 02 48 02

Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905, File Type: data, Stream Size: 1404

General Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905 File Type: data Stream Size: 1404 Entropy: 4.09240690147 Base64 Encoded: False Data ASCII: P . Q . R ...... ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . ) . H . H . H . H . H . H . H . Z . Z . Z ...... Data Raw: 50 01 51 01 52 01 b1 01 b1 01 b1 01 b1 01 b1 01 b1 01 b1 01 cb 01 cb 01 cb 01 d7 01 d7 01 d7 01 dc 01 e3 01 e3 01 e7 01 00 02 00 02 00 02 00 02 00 02 00 02 00 02 00 02 00 02 00 02 00 02 00 02 00 02 06 02 0b 02 0b 02 0b 02 12 02 16 02 16 02 16 02 1a 02 1a 02 1a 02 1a 02 1a 02 1a 02 1a 02 1a 02 1a 02 1a 02 1a 02 1a 02 1a 02 1a 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02 29 02

Stream Path: \x18496\x17548\x17905\x17589\x18479, File Type: data, Stream Size: 4628

General Stream Path: \x18496\x17548\x17905\x17589\x18479 File Type: data Stream Size: 4628 Entropy: 4.21785975439 Base64 Encoded: False Data ASCII: P . P . P . P . P . P . P . Q . Q . Q . Q . Q . Q . Q . R . R . R . R . R . R . R . R . R ...... Data Raw: 50 01 50 01 50 01 50 01 50 01 50 01 50 01 51 01 51 01 51 01 51 01 51 01 51 01 51 01 52 01 52 01 52 01 52 01 52 01 52 01 52 01 52 01 52 01 b1 01 b1 01 b1 01 b1 01 b1 01 b1 01 b1 01 b1 01 b1 01 cb 01 cb 01 cb 01 cb 01 cb 01 cb 01 cb 01 cb 01 cb 01 cb 01 d7 01 d7 01 d7 01 d7 01 d7 01 d7 01 d7 01 d7 01 d7 01 d7 01 dc 01 dc 01 dc 01 dc 01 dc 01 dc 01 dc 01 dc 01 dc 01 e3 01 e3 01 e3 01

Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475, File Type: data, Stream Size: 28 Copyright Joe Security LLC 2019 Page 23 of 26 General Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475 File Type: data Stream Size: 28 Entropy: 2.8322488896 Base64 Encoded: False Data ASCII: V . X . Z . \\ . ^ . ` . a . W . Y . [ . ] . _ . _ . b . Data Raw: 56 01 58 01 5a 01 5c 01 5e 01 60 01 61 01 57 01 59 01 5b 01 5d 01 5f 01 5f 01 62 01

Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: data, Stream Size: 16

General Stream Path: \x18496\x17630\x17770\x16868\x18472 File Type: data Stream Size: 16 Entropy: 2.77439747035 Base64 Encoded: False Data ASCII: ...... Data Raw: 0e 03 95 03 0d 03 00 00 04 05 00 80 00 00 1e 03

Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 4

General Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768 File Type: data Stream Size: 4 Entropy: 1.5 Base64 Encoded: False Data ASCII: v . t . Data Raw: 76 01 74 01

Stream Path: \x18496\x17741\x17557\x16678\x17591\x18485, File Type: data, Stream Size: 32

General Stream Path: \x18496\x17741\x17557\x16678\x17591\x18485 File Type: data Stream Size: 32 Entropy: 2.84313906223 Base64 Encoded: False Data ASCII: [ . ] . _ . _ ...... Data Raw: 5b 01 5d 01 5f 01 5f 01 00 00 00 00 00 00 00 00 bc 02 bd 02 be 02 bf 02 00 80 00 80 00 80 00 80

Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 76

General Stream Path: \x18496\x17753\x17650\x17768\x18231 File Type: data Stream Size: 76 Entropy: 4.11482602894 Base64 Encoded: False Data ASCII: < . . . w ...... m ...... Data Raw: 3c 01 da 01 77 02 00 03 05 03 07 03 09 03 0a 03 0c 03 0f 03 11 03 12 03 13 03 15 03 16 03 17 03 19 03 1b 03 1d 03 0e 03 1c 03 6d 01 84 02 06 03 08 03 d3 02 0b 03 0d 03 10 03 10 03 e6 02 14 03 84 02 ad 02 18 03 1a 03 b1 01 1e 03

Stream Path: \x18496\x17814\x15340\x17388\x15464\x17828\x18475, File Type: CLIPPER COFF executable (VAX #) not stripped - version 425, Stream Size: 280

General Stream Path: \x18496\x17814\x15340\x17388\x15464\x17828\x18475 File Type: CLIPPER COFF executable (VAX #) not stripped - version 425 Stream Size: 280 Entropy: 6.90810712284 Base64 Encoded: False

Copyright Joe Security LLC 2019 Page 24 of 26 General Data ASCII: } ...... F = . . . G ...... I } . . " ...... G . . . : . . . . . U . - & ...... v . . F 4 ...... q . . . o . z . / V V ; # . . Y . . . . O ...... { " T ; . . . C . L ! % o f Z = . . . % q K Y . . . . . , ...... f ...... o . . b . . @ . . . . 9 > . . . P . . . X [ q X - I ...... k . & ...... I . . . . . D . . r % E . z i [ . . . . . Data Raw: 7d 01 83 01 8d 01 90 01 93 01 96 01 9a 01 9d 01 a0 01 a3 01 a6 01 a9 01 ac 01 af 01 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80 e7 46 3d 12 01 a6 47 be 1f f1 a8 0c 02 d3 a1 49 7d d5 a9 22 03 f4 d2 0b 99 f2 47 0d ca 94 3a b9 da fa b3 9a 55 d0 2d 26 96 85 9e eb 7f 9d 76 b5 dd 46 34 1e ba ba 88 12 07 cd 19 71 13 1c 86 6f 09 7a 10 2f 56 56 3b 23

Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 96

General

Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522 File Type: data Stream Size: 96 Entropy: 3.59137835504 Base64 Encoded: False Data ASCII: ...... A ...... 3 . 3 . . . e . c . d . d . d . V . X . z ...... Data Raw: 91 02 96 02 98 02 9a 02 9c 02 9e 02 a0 02 a2 02 41 80 01 80 01 80 01 8c 01 8c 33 80 33 80 d2 86 65 01 63 01 64 01 64 01 64 01 56 01 58 01 7a 01 a4 02 97 02 99 02 9b 02 9d 02 9f 02 a1 02 a3 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x18496\x17933\x17395\x16812\x17892\x15336\x17388\x18472, File Type: data, Stream Size: 80

General Stream Path: \x18496\x17933\x17395\x16812\x17892\x15336\x17388\x18472 File Type: data Stream Size: 80 Entropy: 3.40370169606 Base64 Encoded: False Data ASCII: ...... o . o . o . o ...... s . s . s . s ...... V . X . . . . . V . X . . . . . Data Raw: c0 02 c1 02 c2 02 c4 02 c6 02 c7 02 c8 02 c9 02 6f 01 6f 01 6f 01 6f 01 87 01 87 01 87 01 87 01 73 01 73 01 73 01 73 01 89 01 89 01 89 01 89 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 01 58 01 c3 02 c5 02 56 01 58 01 c3 02 c5 02

Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073, File Type: data, Stream Size: 32

General Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073 File Type: data Stream Size: 32 Entropy: 3.01363991221 Base64 Encoded: False Data ASCII: ...... Data Raw: dc 01 dc 01 e7 01 e7 01 e1 01 e2 01 e2 01 fc 01 e1 01 e2 01 e2 01 ca 02 1f 00 1f 00 1f 00 cb 02

Network Behavior

No network behavior found

Code Manipulations

Statistics

Analysis Process: msiexec.exe PID: 4400 Parent PID: 4220

General

Start time: 23:33:41 Start date: 11/12/2019 Path: C:\Windows\System32\msiexec.exe Wow64 process (32bit): false Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\FileOpenInstaller64.msi' Imagebase: 0x7ff779b90000 File size: 66048 bytes MD5 hash: 4767B71A318E201188A0D0A420C8B608 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Disassembly

Code Analysis