Automated Malware Analysis Report For

ID: 74965 Cookbook: urldownload.jbs Time: 01:35:09 Date: 01/09/2018 Version: 23.0.0 Table of Contents

Table of Contents 2 Analysis Report http://cdn.appexnw.com/trident/version5b0ee6680e058.exe 4 Overview 4 General Information 4 Detection 4 Confidence 4 Classification 5 Analysis Advice 5 Signature Overview 6 Cryptography: 6 Bitcoin Miner: 6 Spreading: 6 Networking: 6 Key, Mouse, Clipboard, Microphone and Screen Capturing: 6 System Summary: 6 Data Obfuscation: 7 Persistence and Installation Behavior: 7 Hooking and other Techniques for Hiding and Protection: 7 Malware Analysis System Evasion: 7 Anti Debugging: 7 HIPS / PFW / Operating System Protection Evasion: 7 Language, Device and Operating System Detection: 7 Lowering of HIPS / PFW / Operating System Security Settings: 8 Behavior Graph 8 Simulations 8 Behavior and APIs 8 Antivirus Detection 8 Initial Sample 9 Dropped Files 9 Unpacked PE Files 9 Domains 9 URLs 9 Yara Overview 9 Initial Sample 9 PCAP (Network Traffic) 9 Dropped Files 9 Memory Dumps 9 Unpacked PEs 9 Joe Sandbox View / Context 10 IPs 10 Domains 10 ASN 10 Dropped Files 10 Screenshots 10 Startup 10 Created / dropped Files 11 Domains and IPs 15 Contacted Domains 15 Contacted URLs 15 URLs from Memory and Binaries 15 Contacted IPs 17 Public 17 Static File Info 17 No static file info 17 Copyright Joe Security LLC 2018 Page 2 of 42 Network Behavior 17 Network Port Distribution 17 TCP Packets 18 DNS Queries 19 DNS Answers 19 HTTP Request Dependency Graph 20 Code Manipulations 20 Statistics 20 Behavior 20 System Behavior 20 Analysis Process: cmd.exe PID: 3220 Parent PID: 1780 20 General 20 File Activities 21 File Created 21 Analysis Process: wget.exe PID: 3244 Parent PID: 3220 21 General 21 File Activities 21 File Created 21 File Written 21 Analysis Process: version5b0ee6680e058.exe PID: 3376 Parent PID: 3056 22 General 22 File Activities 22 File Created 22 File Deleted 25 File Written 25 File Read 39 Registry Activities 39 Key Created 39 Key Value Created 40 Key Value Modified 40 Analysis Process: HostAppServiceUpdater.exe PID: 3420 Parent PID: 1432 40 General 40 Analysis Process: taskeng.exe PID: 3440 Parent PID: 848 41 General 41 File Activities 41 File Read 41 Registry Activities 41 Key Value Created 41 Analysis Process: HostAppServiceUpdater.exe PID: 3476 Parent PID: 3440 41 General 41 Disassembly 42 Code Analysis 42

Overview

General Information

Joe Sandbox Version: 23.0.0 Analysis ID: 74965 Start date: 01.09.2018 Start time: 01:35:09 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 7m 7s Hypervisor based Inspection enabled: false Report type: light Cookbook file name: urldownload.jbs Sample URL: http://cdn.appexnw.com/trident/version5b0ee6680e05 8.exe Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1) Number of analysed new started processes analysed: 9 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies HCA enabled EGA enabled HDC enabled Analysis stop reason: Timeout Detection: MAL Classification: mal48.evad.mine.win@8/19@1/1 EGA Information: Successful, ratio: 50% HDC Information: Successful, ratio: 59.7% (good quality ratio 55.5%) Quality average: 74.2% Quality standard deviation: 30.5% HCA Information: Failed Cookbook Comments: Adjust boot time Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe TCP Packets have been reduced to 100 Execution Graph export aborted for target HostAppServiceUpdater.exe, PID 3420 because there are no executed function Report size exceeded maximum capacity and may have missing network information.

Detection

Strategy Score Range Reporting Detection

Threshold 48 0 - 100 Report FP / FN

Confidence

Threshold 5 0 - 5 false

Classification

Ransomware

Miner Spreading

mmaallliiiccciiioouusss

malicious

Evader Phishing

sssuusssppiiiccciiioouusss

suspicious

cccllleeaann

clean

Exploiter Banker

Spyware Trojan / Bot

Adware

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

• Cryptography • Bitcoin Miner • Spreading • Networking • Key, Mouse, Clipboard, Microphone and Screen Capturing • System Summary • Data Obfuscation • Persistence and Installation Behavior • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection • Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Cryptography:

Public key (encryption) found

Bitcoin Miner:

Configures the Internet Explorer emulation mode (likely to run Javascript)

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Contains functionality to enumerate / list files inside a directory

Networking:

Downloads executable code via HTTP

Downloads files from webservers via HTTP

Performs DNS lookups

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

System Summary:

Contains functionality to shutdown / reboot the system

Creates mutexes

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains strange resources

Binary contains paths to development resources

Classification label

Contains functionality to adjust token privileges (e.g. debug / backup)

Contains functionality to check free disk space

Contains functionality to instantiate COM classes Copyright Joe Security LLC 2018 Page 6 of 42 Contains functionality to load and extract PE file embedded resources

Creates files inside the user directory

Creates temporary files

Reads ini files

Reads software policies

SQL strings found in memory and binary data

Spawns processes

Uses an in-process (OLE) Automation server

Found graphical window changes (likely an installer)

Creates a software uninstall entry

Binary contains paths to debug symbols

Data Obfuscation:

Contains functionality to dynamically determine API calls

PE file contains an invalid checksum

Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Drops PE files

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Checks the free space of harddrives

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to enumerate / list files inside a directory

Contains functionality to query system information

Program exit points

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality to register its own exception handler

HIPS / PFW / Operating System Protection Evasion:

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Contains functionality to add an ACL to a security descriptor

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Contains functionality to query local / system time

Contains functionality to query time zone information

Contains functionality to query windows version

Queries the cryptographic machine GUID

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the internet feature controls of the internet explorer

Behavior Graph

Hide Legend Legend: Process Signature Created File Behavior Graph ID: 74965 DNS/IP Info URL: http://cdn.appexnw.com/trident/version5b0ee6680e058.exe Startdate: 01/09/2018 Is Dropped Architecture: WINDOWS Score: 48 Is Windows Process

Contains functionality Number of created Registry Values to detect sleep reduction started started started started / modifications Number of created Files

Visual Basic version5b0ee6680e058.exe cmd.exe taskeng.exe HostAppServiceUpdater.exe Delphi

20 47 1 1 Java

dropped dropped dropped dropped .Net C# or VB.NET C:\Users\user\AppData\...\SLToolWrapper.dll, PE32 C:\Users\user\...\HostAppServiceUpdater.exe, PE32 C:\Users\HERBBL~1\AppData\...\___aensis.dll, PE32 9 other files (1 malicious) C, C++ or other language started started Is malicious Configures the Internet Explorer emulation mode (likely to run Javascript)

wget.exe HostAppServiceUpdater.exe

cs47724812.wpc.nucdn.net

152.195.9.15, 49161, 80 cs477248.wpc.nucdn.net 2 other IPs or domains dropped EDGECAST-MCICommunicationsServicesIncdbaVerizonB United States

C:\Users\user\...\version5b0ee6680e058.exe, PE32

Simulations

Behavior and APIs

Time Type Description 01:35:45 API Interceptor 629x Sleep call for process: cmd.exe modified 01:36:13 API Interceptor 5x Sleep call for process: version5b0ee6680e058.exe modified 01:36:15 Task Scheduler Run new task: App Explorer path: %LOCALAPPDATA%\Host App Service\Engine\HostAppServiceUpdater.exe s>/LOGON 01:36:15 API Interceptor 3x Sleep call for process: taskeng.exe modified

Antivirus Detection

Source Detection Scanner Label Link http://cdn.appexnw.com/trident/version5b0ee6680e058.exe 0% virustotal Browse

Dropped Files

Source Detection Scanner Label Link C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp\System.dll 0% virustotal Browse C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp\System.dll 3% metadefender Browse C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp\___aensis.dll 0% virustotal Browse C:\Users\user\AppData\Local\Host App Service\Engine\SLToolWrapper.dll 0% virustotal Browse

Unpacked PE Files

No Antivirus matches

Domains

Source Detection Scanner Label Link cs47724812.wpc.nucdn.net 0% virustotal Browse cdn.appexnw.com 0% virustotal Browse

URLs

Source Detection Scanner Label Link http://cdn.appexnw.com/trident/version5b0ee6680e058.exe? 0% Avira URL Cloud safe http://metro.mahapps.com/winfx/xaml/controls 0% virustotal Browse http://metro.mahapps.com/winfx/xaml/controls 0% Avira URL Cloud safe http://james.newtonking.com/projects/json 0% virustotal Browse http://james.newtonking.com/projects/json 0% Avira URL Cloud safe https://geo.geo-svc.comchecksumtargets://httphttpsapi1apipokki.comappexnw.comappexnwcn.com 0% Avira URL Cloud safe https://ht http://metro.mahapps.com/winfx/xaml/shared 0% virustotal Browse http://metro.mahapps.com/winfx/xaml/shared 0% Avira URL Cloud safe http://cdn.appexnw.com/trident/version5b0ee6680e058.exe 0% virustotal Browse http://cdn.appexnw.com/trident/version5b0ee6680e058.exe 0% Avira URL Cloud safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Startup

Copyright Joe Security LLC 2018 Page 10 of 42 System is w7 cmd.exe (PID: 3220 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-ag ent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://cdn.appexnw.com/trident/version5b0ee6680e058.exe' > cmdline.out 2>&1 MD5: AD7B9C14083B52BC532FBA5948342B98) wget.exe (PID: 3244 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://cdn.appexnw.com/trident/version5b0ee6680e058.exe' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60) version5b0ee6680e058.exe (PID: 3376 cmdline: 'C:\Users\user\Desktop\download\version5b0ee6680e058.exe' MD5: 3ACCC5DBF606CD53DCAE5400CAE1146C) HostAppServiceUpdater.exe (PID: 3420 cmdline: 'C:\Users\user\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe' /LOGON MD5: 79D64D6F9A0DE39E5558D86E22C13021) taskeng.exe (PID: 3440 cmdline: taskeng.exe {080305CB-EE84-4FFA-BAC8-23828B83C6BD} S-1-5-21-290172400-2828352916-2832973385-1001:computer\user:Interactive:[1] MD5: 4F2659160AFCCA990305816946F69407) HostAppServiceUpdater.exe (PID: 3476 cmdline: 'C:\Users\user\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe' /LOGON MD5: 79D64D6F9A0DE39E5558D86E22C13021) cleanup

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018-09-01.log Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators Size (bytes): 5658 Entropy (8bit): 3.4628558846417112 Encrypted: false MD5: F313E0B80AE0FCBEE4307F268B134EB5 SHA1: 798B4BEE2379CDCDE2398E75A89A63F6D313E4EB SHA-256: FA23F2AABDB2550E77DB8775B5DBE7F5E68A7D02568C03C824DC1247DFA4C436 SHA-512: 6FAFF06CB9EB88179E7BA7E3E9FEC044376D20F79880E65B54AEE510F7A9D539C9359727FDF385FD9E92A46B43 12D25F14A4157996A2035E0A6FE3C222760287 Malicious: false Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp\System.dll

Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Size (bytes): 11776 Entropy (8bit): 5.656126712214018 Encrypted: false MD5: A4DD044BCD94E9B3370CCF095B31F896 SHA1: 17C78201323AB2095BC53184AA8267C9187D5173 SHA-256: 2E226715419A5882E2E14278940EE8EF0AA648A3EF7AF5B3DC252674111962BC SHA-512: 87335A43B9CA13E1300C7C23E702E87C669E2BCF4F6065F0C684FC53165E9C1F091CC4D79A3ECA3910F0518D3B6 47120AC0BE1A68EAADE2E75EAA64ADFC92C5A Malicious: true Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 3%, Browse Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp\___aensis.dll

Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Size (bytes): 4685720 Entropy (8bit): 6.72132289820911 Encrypted: false MD5: C6C16E41CD07FB63C6DF2202471D31E3 SHA1: E9840612FDB478A54401D8AC89B61AD5B1D65D2F SHA-256: 6460BE2EF275ECE546EEBFC7E6877170F1D8A72A17CFE7E8F2F218C048418D27 SHA-512: AD9DDE9883BB7A6003A6759FBE97B8E2D932707092AC42FB5E1C59527C27D3C4C6F0EB5CC6CB392834C716ECD 51F58BE812B6EDB43985D9AC572C47CD124B47E Malicious: true Antivirus: Antivirus: virustotal, Detection: 0%, Browse Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\nsyCCFB.tmp Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: data Size (bytes): 77051472 Entropy (8bit): 6.869297219188504 Copyright Joe Security LLC 2018 Page 11 of 42 C:\Users\HERBBL~1\AppData\Local\Temp\nsyCCFB.tmp Encrypted: false MD5: 90079A893BE96D53FD5ADACFDB0E6943 SHA1: CEBC66735F9BFD89BB6610C4BD32319CB587B46B SHA-256: BD586432623E2AAA53FC71B6D377F88DA16A406969749240C3D70222F304AF3A SHA-512: A3F48731F2EA940684F11353BF6B91B93ABAC3BD3BA27BDC21BFBE7B1287B86F52E69ADA1DFC416BEED3EB1D 662E9C0CF9C802F936406267BE3F98372CF9C2B8 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Host App Service\Apps\32643404c9763e5e50dbcbb85d1ee63a23897ed0.pokki

Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: data Size (bytes): 146047 Entropy (8bit): 7.9914424015650605 Encrypted: true MD5: 99C532297A4A726CF643B21D54CD7620 SHA1: 0C6CC6205F2F847819C54FA8CE1AFC6FD2441CF3 SHA-256: B3F3C62BACC2C64EBE01DDB32842716A8E37B153432FE0F6698002138238C9A0 SHA-512: 4B1DDF0E21E7B479176462672B2D4B4E215149A4B9041456F7D151B113CB250D35AA9663107267DB089D2EEB4DA FC9E96DAE699469DD88636C9EF5AC69608FF4 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Host App Service\Engine\HostAppService.exe Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 7149464 Entropy (8bit): 6.726415197709913 Encrypted: false MD5: 5ACEAD6231A371FDFBA159B1BE54B33E SHA1: 807248437773824C075CD737022680F9A69F778E SHA-256: B9CD0E45BD65BE137E565F68597051D1822C1E755388852277C2FD7ADCF67B5E SHA-512: 812CD22763257CC9B45BE67CE951AFCD629CC5BDFD9EC343CD33DCF17161E7D73A13022DD8AC4A28EC58D5E25 BE12ABBD8850DE436A2DC25814E8A118B6ECA8F Malicious: false Reputation: low

C:\Users\user\AppData\Local\Host App Service\Engine\HostAppServiceInterface.exe Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 3193752 Entropy (8bit): 6.778590244885567 Encrypted: false MD5: EC3CB8157C55BA11FD5FBCCC9E4BB635 SHA1: 5FCFA38182934857879506D035BF010C0B80CCB5 SHA-256: 47280A674996049ADF63AA24C009AA8A500572DC6B57B0FA430693E828E996F4 SHA-512: 8BCDD662A73A23F40AF0202DF08CF2AED4A84D3B06182EC1370A89781D5252928F9CCAB9859E5668EE77025CE6 CA255941EB756508CBF466987C3C5725BC1AD7 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Host App Service\Engine\HostAppServiceUpdateManager.exe Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 7589272 Entropy (8bit): 7.245784567906547 Encrypted: false MD5: A22255BC46BB2117C4B407E1F59E1890 SHA1: FBFA2A19FB360B6697566660CA3B96915E53D053 SHA-256: B2205C4BE6AD802E06C6431208008EB2E55330F95FDC1536BFA9A4D4AA22869A SHA-512: 911D0B248FC3014C7EB7BFA4963FA0740A884B72A98D2BD51E9E7755877AC1FB1826DDF940BCF68385C9B6E260 891E5F2F8500A8C1EE52093C8D846A6FC39830 Malicious: false Reputation: low

Copyright Joe Security LLC 2018 Page 12 of 42 C:\Users\user\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe

Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 3574680 Entropy (8bit): 6.771753626229005 Encrypted: false MD5: 79D64D6F9A0DE39E5558D86E22C13021 SHA1: 21BC4CF0F5443536EC4ECDDBB3DEF3B82A8793AE SHA-256: D3946384DB7FF32B70E15C330EA0364A0AD4F80F27A4A7FC1457D4CB49A72244 SHA-512: 16FB1DED9BC3D379162278EA60695A1472F686C601D98835E09C3AE4EFCB166A8A26EA4C5F7C229489E85A4CE1 23A05B1F1AFB3A1C96468FA0BE975075751574 Malicious: true Reputation: low

C:\Users\user\AppData\Local\Host App Service\Engine\HostAppServiceUpdaterMetrics.exe Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 2994072 Entropy (8bit): 6.7776063563434175 Encrypted: false MD5: 2B797B9E80A064F26EC1E10022332547 SHA1: 97B7B136B26FD7BBBD3B2A2494D75DAEA47FDA41 SHA-256: 18B811B6D461E8ACE00B82A098243E209980C14805D654B52A99F7A3E6A1899F SHA-512: E76A8014D7D3912A9D36EDECAE9A13E23AD1F76F17243370568CBCE944BD6D49DB1552E6A50B0BD73AABA24C8 40AB455DF75224E6D1C8A9D03154A6B07459F5D Malicious: false Reputation: low

C:\Users\user\AppData\Local\Host App Service\Engine\SLTool.dll Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Size (bytes): 23960 Entropy (8bit): 6.909793979149044 Encrypted: false MD5: ADEF8DA1AC8C2F9008463EE79D98D611 SHA1: AE652A0D6428FCFF68DB12402861A23B6773985C SHA-256: 096B31831DE3237FF1B777753F9D9544218D93D5190D09B8851014CD92954968 SHA-512: 69ADBE517FA494464C50B58992BE5B8A263D5745F8AEB471234D318E289DCFB4585B366051069D69DF84D3B6690 F78688DDAD519BEAE2E43A3E768E9BCF9552C Malicious: false Reputation: low

C:\Users\user\AppData\Local\Host App Service\Engine\SLToolWrapper.dll

Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows Size (bytes): 138648 Entropy (8bit): 6.440181746967707 Encrypted: false MD5: 79C665FF7BE3966A86C12BF6A35C7727 SHA1: F0649132DDEF0FAD1FF6FFF834F7655E792CF742 SHA-256: 72A52746DDE009F4F924C779CC7992B59A8972DACA496756C81537BF6F7CB809 SHA-512: 6BAE1C45A0F9774DA297F3D35B6A4674E38E36719192F4E953A92C051E7775D53E377CF72BFF60F3B70F4258D7B 57F794A09109A0A5F68FC3FD8F12E8C196FD2 Malicious: true Antivirus: Antivirus: virustotal, Detection: 0%, Browse Reputation: low

C:\Users\user\AppData\Local\Host App Service\Engine\WebAppHelper.exe Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 3425176 Entropy (8bit): 6.778440567028875 Encrypted: false MD5: B32AE27F61BA442A2154795AEDFBDDC6 SHA1: 75DC3CD88CEDF06994772C8BE8C2402257087706 SHA-256: 80E3CE039085153D629A5F57869CCFCBC409EE171CF88EA1CA642ABB97EC925F

Copyright Joe Security LLC 2018 Page 13 of 42 C:\Users\user\AppData\Local\Host App Service\Engine\WebAppHelper.exe SHA-512: 1E5CA60BA19E3652F89022C073296C1F1803C4A1DE1E18DC683137195C7AFEB4ECE67CF98F4255B413BEF7AD04 6A4CA2FB560AD679C7296F4FCF2E2731D73AE6 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Host App Service\Engine\vcruntime140.dll Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows Size (bytes): 83784 Entropy (8bit): 6.845861669519174 Encrypted: false MD5: A2523EA6950E248CBDF18C9EA1A844F6 SHA1: 549C8C2A96605F90D79A872BE73EFB5D40965444 SHA-256: 6823B98C3E922490A2F97F54862D32193900077E49F0360522B19E06E6DA24B4 SHA-512: 2141C041B6BDBEE9EC10088B9D47DF02BF72143EB3619E8652296D617EFD77697F4DC8727D11998695768843B4E9 4A47B1AED2C6FB9F097FFC8A42CA7AAAF66A Malicious: false Reputation: low

C:\Users\user\AppData\Local\Host App Service\IconCache\persistent\App Explorer.ico Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: MS Windows icon resource - 6 icons, 256-colors Size (bytes): 38266 Entropy (8bit): 3.0700750183902654 Encrypted: false MD5: 2A13A142D93492DC495D14EBE7C7659C SHA1: EDA00D156C707656005A35986FD73DAF2CE7C553 SHA-256: 9FBB59B1DDBB8B14F3D46DC86F34B9A480070D075BF8FF517120E5940276754B SHA-512: C11BA5EA17DE3938FA82FDCE9362239AB7153A3466067A46E014A64EBB3D9496A9AB8350A80A83FFB0AADBE9A DC611A0E34ADA79098F204755B9EBEB21B8828A Malicious: false Reputation: low

C:\Users\user\AppData\Local\Host App Service\Uninstall.exe Process: C:\Users\user\Desktop\download\version5b0ee6680e058.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive Size (bytes): 1916016 Entropy (8bit): 7.986390827735197 Encrypted: false MD5: 72DFD05026DA7FC98386E81141DC53F1 SHA1: CF8DF7A3CB32FD34602ACCEB215429F162D9DB7D SHA-256: 964FD32BED66E8413FD9BA772923EBB14344418D74E3C5365BB14EE8FF7DD8A4 SHA-512: 0D3E7D653CFFB37F5DEAB7834FB6B70142A3974082812B03A4650E0A435A8D7FA50A02DBD111124A16B253E4319 1785E12FB70EFD200B1D56E1142502E97B557 Malicious: false Reputation: low

C:\Users\user\Desktop\cmdline.out Process: C:\Windows\System32\wget.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 35042 Entropy (8bit): 2.2087700420654945 Encrypted: false MD5: 7D43F2D025EE44D81EB9EB2B5206B145 SHA1: 6262B240A2029F1C9E772680B274ACB508AB3F80 SHA-256: 1873770F0D48730428946C597EFC4AFDD0C8C3857789D017C856B8F4FA9011CD SHA-512: F78F57285EC8675CFD0F889482159AFB9DF72332173B77D997AF76491C29175E67C57C6D54671BDB44CE617F794B 36EFBFBDB282A4B02B7EC93D95CFACA83C4A Malicious: false Reputation: low

C:\Users\user\Desktop\download\version5b0ee6680e058.exe

Process: C:\Windows\System32\wget.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive Size (bytes): 22840504 Entropy (8bit): 7.999849900939528

Encrypted: true MD5: 3ACCC5DBF606CD53DCAE5400CAE1146C SHA1: 00C9B528A0BA51E36B0C1C9A53C29C19D49F6E31 SHA-256: A2A9EF77F04C3EBCE01952289C0935791F87D2A85E0B9E2E310958853F014E49 SHA-512: F566DEA7D7A0693578DEFE6BD4E303DE21C88E2723241A2E0D49AB386A02E14E216D4D3B7407AA55E5C877E82E F8150ACCCBFF8E4B0B60DD15985CCD79A9182C Malicious: true Reputation: low

\Endpoint Process: C:\Windows\System32\wget.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 223 Entropy (8bit): 5.194237216869277 Encrypted: false MD5: C6B05B00B35BDA45DB119AF63FE48B89 SHA1: 3CCA24CE8904D4A812774E946FD23D0DB401E5CE SHA-256: 92307F12DE4A66B5B7DF1E1FB278FA36296AF3D49184DCD02F06FB230C5D53F7 SHA-512: 47DDF280E51F3388D4FF5AD8B3F13754C04D75CA9C6145F2B4FEF11AF9D3D01F67626731B4CD782D483989BB79B F64BE3DDFAB94C84AD86BED689A566BD0BEE0 Malicious: false Reputation: low

Domains and IPs

Contacted Domains

Name IP Active Malicious Antivirus Detection Reputation cs47724812.wpc.nucdn.net 152.195.9.15 true false 0%, virustotal, Browse unknown cdn.appexnw.com unknown unknown false 0%, virustotal, Browse unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation http://cdn.appexnw.com/trident/version5b0ee6680e058.exe false 0%, virustotal, Browse unknown Avira URL Cloud: safe

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation http://cdn.appexnw.com/trident/version5b0ee6680e058.exe? wget.exe, 00000002.00000002.15 false Avira URL Cloud: safe unknown 87394619.00020000.00000004.sdmp http://ocsp.thawte.com0 wget.exe, 00000002.00000002.15 false high 87743555.00960000.00000004.sdmp, version5b0ee6680e058.exe, 0 0000005.00000002.1655354946.00 40A000.00000004.sdmp, SLTool.dll.5.dr http://schemas.xmlsoap.org/soap/envelope/ version5b0ee6680e058.exe, 0000 false high 0005.00000002.1657706789.01DE4 000.00000004.sdmp http://nlog-project.org/ version5b0ee6680e058.exe, 0000 false high 0005.00000002.1657706789.01DE4 000.00000004.sdmp http://nsis.sf.net/NSIS_ErrorError version5b0ee6680e058.exe, 0000 false high 0005.00000001.1601379033.0040A 000.00000008.sdmp, Uninstall.exe.5.dr http://metro.mahapps.com/winfx/xaml/controls version5b0ee6680e058.exe, 0000 false 0%, virustotal, Browse low 0005.00000002.1657706789.01DE4 Avira URL Cloud: safe 000.00000004.sdmp https://www.nuget.org/packages/NLog.Web.AspNetCore version5b0ee6680e058.exe, 0000 false high 0005.00000002.1657706789.01DE4 000.00000004.sdmp http://james.newtonking.com/projects/json version5b0ee6680e058.exe, 0000 false 0%, virustotal, Browse unknown 0005.00000002.1657706789.01DE4 Avira URL Cloud: safe 000.00000004.sdmp

Copyright Joe Security LLC 2018 Page 15 of 42 Name Source Malicious Antivirus Detection Reputation https://curl.haxx.se/docs/http-cookies.html version5b0ee6680e058.exe, 0000 false high 0005.00000002.1659861754.6EA17 000.00000002.sdmp, HostAppServ iceUpdater.exe, 00000006.00000 000.1653346793.004E9000.000000 02.sdmp, HostAppServiceUpdater.exe, 00000008.00000000.1656197591.004E9 000.00000002.sdmp, ___aensis.dll.5.dr http://www.newtonsoft.com/jsonschema version5b0ee6680e058.exe, 0000 false high 0005.00000002.1657706789.01DE4 000.00000004.sdmp http://www.openssl.org/support/faq.html version5b0ee6680e058.exe, 0000 false high 0005.00000002.1659861754.6EA17 000.00000002.sdmp, HostAppServ iceUpdater.exe, 00000006.00000 000.1653346793.004E9000.000000 02.sdmp, HostAppServiceUpdater.exe, 00000008.00000000.1656197591.004E9 000.00000002.sdmp, ___aensis.dll.5.dr http://nlog-project.org/ws/T version5b0ee6680e058.exe, 0000 false high 0005.00000002.1657706789.01DE4 000.00000004.sdmp http://nlog-project.org/ws/ILogReceiverServer/Proc version5b0ee6680e058.exe, 0000 false high essLogMessagesResponsep 0005.00000002.1657706789.01DE4 000.00000004.sdmp https://geo.geo-svc.comchecksumtargets://httphttpsapi1apipok HostAppServiceUpdater.exe, 000 false Avira URL Cloud: safe unknown ki.comappexnw.comappexnwcn.comhttps://ht 00006.00000000.1653346793.004E 9000.00000002.sdmp, HostAppSer viceUpdater.exe, 00000008.0000 0000.1656197591.004E9000.00000 002.sdmp https://www.pokki.com/r/?termsmanifest.json version5b0ee6680e058.exe, 0000 false high 0005.00000002.1659861754.6EA17 000.00000002.sdmp, ___aensis.dll.5.dr http://www.winimage.com/zLibDll646eef218a0f423baa9 version5b0ee6680e058.exe, 0000 false high 9a4eea59c0a52resulto__d_crequiredcampaign570typeur 0005.00000002.1659861754.6EA17 000.00000002.sdmp, ___aensis.dll.5.dr http://www.winimage.com/zLibDll- HostAppServiceUpdater.exe, 000 false high 00006.00000000.1653346793.004E 9000.00000002.sdmp, HostAppSer viceUpdater.exe, 00000008.0000 0000.1656197591.004E9000.00000 002.sdmp http://metro.mahapps.com/winfx/xaml/shared version5b0ee6680e058.exe, 0000 false 0%, virustotal, Browse low 0005.00000002.1657706789.01DE4 Avira URL Cloud: safe 000.00000004.sdmp http://crl.thawte.com/ThawteTimestampingCA.crl0 wget.exe, 00000002.00000002.15 false high 87743555.00960000.00000004.sdmp, version5b0ee6680e058.exe, 0 0000005.00000002.1655354946.00 40A000.00000004.sdmp, SLTool.dll.5.dr http://www.openssl.org/support/faq.html...... version5b0ee6680e058.exe, 0000 false high 0005.00000002.1659861754.6EA17 000.00000002.sdmp, version5b0e e6680e058.exe, 00000005.000000 02.1656828467.01A50000.0000000 4.sdmp, HostAppServiceUpdater.exe, 00000006.00000000.1653346 793.004E9000.00000002.sdmp, Ho stAppServiceUpdater.exe, 00000 008.00000000.1656197591.004E90 00.00000002.sdmp, ___aensis.dll.5.dr, HostAppServiceUpdaterMetrics.exe.5.dr https://www.pokki.com/r/?terms version5b0ee6680e058.exe false high http://nlog-project.org/dummynamespace/ version5b0ee6680e058.exe, 0000 false high 0005.00000002.1657706789.01DE4 000.00000004.sdmp http://nlog-project.org/ws/ILogReceiverOneWayServe version5b0ee6680e058.exe, 0000 false high r/ProcessLogMessages 0005.00000002.1657706789.01DE4 000.00000004.sdmp http://www.winimage.com/zLibDll HostAppServiceUpdaterMetrics.exe.5.dr false high https://www.nuget.org/packages/Newtonsoft.Json.Bson version5b0ee6680e058.exe, 0000 false high 0005.00000002.1657706789.01DE4 000.00000004.sdmp http://nlog-project.org/ws/ version5b0ee6680e058.exe, 0000 false high 0005.00000002.1657706789.01DE4 000.00000004.sdmp

Copyright Joe Security LLC 2018 Page 16 of 42 Name Source Malicious Antivirus Detection Reputation http://hg.mozilla.org/releases/mozilla-release/raw-file/defa version5b0ee6680e058.exe, 0000 false high ult/security/nss/lib/ckfw/builtins/certd 0005.00000002.1660092888.6EACE 000.00000002.sdmp, HostAppServ iceUpdater.exe, 00000006.00000 002.1659463288.00585000.000000 02.sdmp, HostAppServiceUpdater.exe, 00000008.00000000.1659312587.00585 000.00000002.sdmp, ___aensis.dll.5.dr http://nlog-project.org/ws/ILogReceiverServer/Proc version5b0ee6680e058.exe, 0000 false high essLogMessagesT 0005.00000002.1657706789.01DE4 000.00000004.sdmp http://nlog-project.org/ws/3 version5b0ee6680e058.exe, 0000 false high 0005.00000002.1657706789.01DE4 000.00000004.sdmp http://nlog-project.org/ws/5 version5b0ee6680e058.exe, 0000 false high 0005.00000002.1657706789.01DE4 000.00000004.sdmp

Contacted IPs

No. of IPs < 25% 25% < No. of IPs < 50%

50% < No. of IPs < 75% 75% < No. of IPs

Public

IP Country Flag ASN ASN Name Malicious 152.195.9.15 United States 15133 EDGECAST- false MCICommunicationsServicesIncd baVerizonB

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp Source Port Dest Port Source IP Dest IP Sep 1, 2018 01:35:47.098370075 CEST 59605 53 192.168.2.2 8.8.8.8 Sep 1, 2018 01:35:47.148776054 CEST 53 59605 8.8.8.8 192.168.2.2 Sep 1, 2018 01:35:47.155441999 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.189949989 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.190161943 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.192279100 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.226936102 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228064060 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228108883 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228142023 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228271008 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228287935 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.228310108 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228346109 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228442907 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228478909 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228478909 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.228517056 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228570938 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228605986 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228627920 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.228641033 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228678942 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228720903 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228755951 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228781939 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.228791952 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228827000 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228862047 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228885889 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228920937 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228946924 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.228948116 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.228984118 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.229018927 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.229053974 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.229084015 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.229088068 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.229124069 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.229159117 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.229193926 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.229223967 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.229228973 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.229264975 CEST 80 49161 152.195.9.15 192.168.2.2

Copyright Joe Security LLC 2018 Page 18 of 42 Timestamp Source Port Dest Port Source IP Dest IP Sep 1, 2018 01:35:47.229361057 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.244599104 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.263921022 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264030933 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264071941 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264189005 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.264218092 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264259100 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264297009 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264348030 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264350891 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.264384985 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264420986 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264457941 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264486074 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.264518023 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264554024 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264589071 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264614105 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.264652014 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264688969 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264724016 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264735937 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.264760017 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264837027 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264844894 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.264873981 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264909983 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264946938 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.264981031 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.264983892 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265018940 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265053988 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265089989 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265116930 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.265125036 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265161037 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265196085 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265230894 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265253067 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.265266895 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265302896 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265337944 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265372992 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265403032 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.265408993 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265444994 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265480042 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265516043 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.265549898 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.279454947 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.279531956 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.279573917 CEST 49161 80 192.168.2.2 152.195.9.15 Sep 1, 2018 01:35:47.279593945 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.279630899 CEST 80 49161 152.195.9.15 192.168.2.2 Sep 1, 2018 01:35:47.279666901 CEST 80 49161 152.195.9.15 192.168.2.2

DNS Queries

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class Sep 1, 2018 01:35:47.098370075 CEST 192.168.2.2 8.8.8.8 0xb2e6 Standard query cdn.appexn A (IP address) IN (0x0001) (0) w.com

DNS Answers

Copyright Joe Security LLC 2018 Page 19 of 42 Timestamp Source IP Dest IP Trans ID Replay Code Name CName Address Type Class Sep 1, 2018 8.8.8.8 192.168.2.2 0xb2e6 No error (0) cdn.appexn cs477248.wpc.nucdn.net CNAME IN (0x0001) 01:35:47.148776054 w.com (Canonical CEST name) Sep 1, 2018 8.8.8.8 192.168.2.2 0xb2e6 No error (0) cs477248.w cs477248.lb.apr- CNAME IN (0x0001) 01:35:47.148776054 pc.nucdn.net 16873.edgecastdns.net (Canonical CEST name) Sep 1, 2018 8.8.8.8 192.168.2.2 0xb2e6 No error (0) cs477248.lb.apr- cs47724812.wpc.nucdn.n CNAME IN (0x0001) 01:35:47.148776054 16873.edgecast et (Canonical CEST dns.net name) Sep 1, 2018 8.8.8.8 192.168.2.2 0xb2e6 No error (0) cs47724812 152.195.9.15 A (IP address) IN (0x0001) 01:35:47.148776054 .wpc.nucdn.net CEST

HTTP Request Dependency Graph

cdn.appexnw.com

Code Manipulations

Statistics

Behavior

• cmd.exe • wget.exe • version5b0ee6680e058.exe • HostAppServiceUpdater.exe • taskeng.exe • HostAppServiceUpdater.exe

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 3220 Parent PID: 1780

General

Start time: 01:35:44 Start date: 01/09/2018 Path: C:\Windows\System32\cmd.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no -check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://cdn.appexnw.com/trident/version5b0ee6680e05 8.exe' > cmdline.out 2>&1 Imagebase: 0x4a590000 File size: 302592 bytes

Copyright Joe Security LLC 2018 Page 20 of 42 MD5 hash: AD7B9C14083B52BC532FBA5948342B98 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

File Created

Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\Desktop\cmdline.out read attributes | normal synchronous io success or wait 1 4A593A79 CreateFileW synchronize | non alert | non generic write directory file

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: wget.exe PID: 3244 Parent PID: 3220

General

Start time: 01:35:44 Start date: 01/09/2018 Path: C:\Windows\System32\wget.exe Wow64 process (32bit): false Commandline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-d isposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://cdn.appexnw.com/trident/version5b0ee6680e058.exe' Imagebase: 0x400000 File size: 3895184 bytes MD5 hash: 3DADB6E2ECE9C4B3E1E322E617658B60 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

File Created

Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\Desktop\download\version5b0ee6680e058.exe read attributes | normal synchronous io success or wait 1 46596C fopen synchronize | non alert | non generic write directory file

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Copyright Joe Security LLC 2018 Page 21 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\Desktop\download\version5b0ee6680e058.exe unknown 8192 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 2807 47F21C fwrite 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... 1...P...P...P..*_...P 00 00 00 00 00 00 00 ...P..OP..*_...P...s...P...V.. 00 00 00 00 00 00 00 .P..Rich.P...... PE..L....c 00 00 00 c8 00 00 00 .W...... b...... 0e 1f ba 0e 00 b4 09 .3...... @ cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 e8 81 e9 50 86 d2 e9 50 86 d2 e9 50 86 d2 2a 5f d9 d2 eb 50 86 d2 e9 50 87 d2 4f 50 86 d2 2a 5f db d2 e6 50 86 d2 bd 73 b6 d2 e3 50 86 d2 2e 56 80 d2 e8 50 86 d2 52 69 63 68 e9 50 86 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 97 63 95 57 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 62 00 00 00 e2 00 00 00 08 00 00 b6 33 00 00 00 10 00 00 00 80 00 00 00 00 40

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: version5b0ee6680e058.exe PID: 3376 Parent PID: 3056

General

Start time: 01:36:00 Start date: 01/09/2018 Path: C:\Users\user\Desktop\download\version5b0ee6680e058.exe Wow64 process (32bit): false Commandline: 'C:\Users\user\Desktop\download\version5b0ee6680e058.exe' Imagebase: 0x400000 File size: 22840504 bytes MD5 hash: 3ACCC5DBF606CD53DCAE5400CAE1146C Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

File Created

Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\HERBBL~1\AppData\Local\Temp\nswCCAA.tmp read attributes | normal synchronous io success or wait 1 405DC1 GetTempFileNameW synchronize | non alert | non generic read directory file C:\Users\HERBBL~1\AppData\Local\Temp\nsyCCFB.tmp read attributes | normal synchronous io success or wait 1 405DC1 GetTempFileNameW synchronize | non alert | non generic read directory file C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp read attributes | normal synchronous io success or wait 1 405DC1 GetTempFileNameW synchronize | non alert | non generic read directory file

Copyright Joe Security LLC 2018 Page 22 of 42 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users read data or list normal directory file | object name collision 2 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1 read data or list normal directory file | object name collision 2 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1\AppData read data or list normal directory file | object name collision 2 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1\AppData\Local read data or list normal directory file | object name collision 2 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1\AppData\Local\Temp read data or list normal directory file | object name collision 2 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp read data or list normal directory file | success or wait 1 4057F5 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp\___aensis.dll read attributes | none synchronous io success or wait 1 405D7F CreateFileW synchronize | non alert | non generic write directory file C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp\System.dll read attributes | none synchronous io success or wait 1 405D7F CreateFileW synchronize | non alert | non generic write directory file C:\Users read data or list normal directory file | object name collision 34 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1 read data or list normal directory file | object name collision 26 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1\AppData read data or list normal directory file | object name collision 26 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1\AppData\Local read data or list normal directory file | object name collision 26 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1\AppData\Local\Temp read data or list normal directory file | object name collision 26 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp read data or list normal directory file | object name collision 25 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp\System.dll read attributes | archive | not synchronous io object name collision 31 405D7F CreateFileW synchronize | contend non alert | non generic write indexed directory file

Copyright Joe Security LLC 2018 Page 23 of 42 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018-09-01.log read attributes | normal synchronous io success or wait 1 6E951400 CreateFileW synchronize | non alert | non generic write directory file C:\Users\HERBBL~1\AppData\Local\Temp\nsoD2BD.tmp read attributes | normal synchronous io success or wait 1 405DC1 GetTempFileNameW synchronize | non alert | non generic read directory file C:\Users\HERBBL~1\AppData\Local\Temp\nsoD2BD.tmp read data or list normal directory file | success or wait 1 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp read data or list normal directory file | object name collision 1 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp\System.dll read attributes | archive | not synchronous io object name collision 1 405D7F CreateFileW synchronize | contend non alert | non generic write indexed directory file C:\Users\user read data or list normal directory file | object name collision 8 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData read data or list normal directory file | object name collision 8 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local read data or list normal directory file | object name collision 8 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Host App Service read data or list normal directory file | success or wait 1 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Host App Service\Engine read data or list normal directory file | success or wait 1 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Host App Service\Engine\HostAppS read attributes | none synchronous io success or wait 1 405D7F CreateFileW ervice.exe synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Host App Service\Engine\HostAppS read attributes | none synchronous io success or wait 1 405D7F CreateFileW erviceInterface.exe synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Host App Service\Engine\HostAppS read attributes | none synchronous io success or wait 1 405D7F CreateFileW erviceUpdater.exe synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Host App Service\Engine\HostAppS read attributes | none synchronous io success or wait 1 405D7F CreateFileW erviceUpdateManager.exe synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Host App Service\Engine\HostAppS read attributes | none synchronous io success or wait 1 405D7F CreateFileW erviceUpdaterMetrics.exe synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Host App Service\Engine\WebAppHe read attributes | none synchronous io success or wait 1 405D7F CreateFileW lper.exe synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Host App Service\Engine\SLToolWr read attributes | none synchronous io success or wait 1 405D7F CreateFileW apper.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Host App Service\Engine\SLTool.dll read attributes | none synchronous io success or wait 1 405D7F CreateFileW synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Host App Service\Engine\vcruntime140.dll read attributes | none synchronous io success or wait 1 405D7F CreateFileW synchronize | non alert | non generic write directory file

Copyright Joe Security LLC 2018 Page 24 of 42 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Local\Host App Service read data or list normal directory file | object name collision 7 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Host App Service\IconCache read data or list normal directory file | success or wait 1 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Host App Service\IconCache\persistent read data or list normal directory file | success or wait 1 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Host App Service\IconCache\persi read attributes | none synchronous io success or wait 1 405D7F CreateFileW stent\App Explorer.ico synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Host App Service\Apps read data or list normal directory file | success or wait 1 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Host App Service\Apps\32643404c9 read attributes | none synchronous io success or wait 1 405D7F CreateFileW 763e5e50dbcbb85d1ee63a23897ed0.pokki synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Host App Service\Apps read data or list normal directory file | object name collision 5 405835 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Host App Service\Uninstall.exe read attributes | none synchronous io success or wait 1 405D7F CreateFileW synchronize | non alert | non generic write directory file

File Deleted

Source File Path Completion Count Address Symbol C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp success or wait 1 40599E DeleteFileW C:\Users\HERBBL~1\AppData\Local\Temp\nsoD2BD.tmp success or wait 1 405950 DeleteFileW C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp\System.dll success or wait 1 405950 DeleteFileW C:\Users\HERBBL~1\AppData\Local\Temp\nscCD1A.tmp\___aensis.dll cannot delete 1 405950 DeleteFileW

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Copyright Joe Security LLC 2018 Page 25 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\HERBBL~1\AppData\Local\Temp\nsyCCFB.tmp unknown 32768 74 f0 01 00 88 00 00 t...... ,...... 2... success or wait 3162 405E1F WriteFile 00 2c 01 00 00 02 00 <...... b...... ,...... 00 00 ac 01 00 00 01 ...... 00 00 00 c4 09 00 00 ...... M... 32 0f 00 00 3c b3 01 ...... 00 00 00 00 00 62 ef ...... 01 00 01 00 00 00 2c ...... f0 01 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ca 00 00 00 f1 ff ff ff cc 01 00 00 4d 05 00 00 10 06 00 00 a5 01 00 00 90 01 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C:\Users\HERBBL~1\AppData\Loca unknown 16384 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 286 405E1F WriteFile l\Temp\nscCD1A.tmp\___aensis.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... y... 00 00 00 00 00 00 00 ....J...... L...... y.,.....V. 00 00 00 00 00 00 00 ...... Q...... x...... A...... 00 00 00 10 01 00 00 ...... }...... I...... H..... 0e 1f ba 0e 00 b4 09 ..E...... O.... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 df ed bc dc 9b 8c d2 8f 9b 8c d2 8f 9b 8c d2 8f f4 fa 79 8f 9f 8c d2 8f 08 c2 4a 8f 9d 8c d2 8f 80 11 4c 8f b0 8c d2 8f 80 11 79 8f 2c 8c d2 8f 92 f4 56 8f 9a 8c d2 8f 92 f4 51 8f 9c 8c d2 8f 80 11 78 8f cb 8f d2 8f 92 f4 41 8f b4 8c d2 8f 9b 8c d3 8f a3 8e d2 8f 80 11 7d 8f a7 8c d2 8f 80 11 49 8f 9a 8c d2 8f 80 11 48 8f 9a 8c d2 8f 9b 8c 45 8f b8 8c d2 8f 80 11 4f 8f 9a 8c d2

Copyright Joe Security LLC 2018 Page 26 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\HERBBL~1\AppData\Loca unknown 11776 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 405E1F WriteFile l\Temp\nscCD1A.tmp\System.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... 1...u...u...u...... s. 00 00 00 00 00 00 00 ..u...a...... r...!...q...... 00 00 00 00 00 00 00 t...... t...Richu...... 00 00 00 e0 00 00 00 ...... PE..L...zc.W.... 0e 1f ba 0e 00 b4 09 ...... !...... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 93 d2 ee 75 f2 bc bd 75 f2 bc bd 75 f2 bc bd f6 ee b2 bd 73 f2 bc bd 75 f2 bd bd 61 f2 bc bd b6 fd e1 bd 72 f2 bc bd 21 d1 8c bd 71 f2 bc bd 16 d0 96 bd 74 f2 bc bd 8a d2 b8 bd 74 f2 bc bd 52 69 63 68 75 f2 bc bd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 7a 63 95 57 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 20 00 C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 168 ff fe 76 00 65 00 72 00 ..v.e.r.s.i.o.n.5.b.0.e.e.6.6. success or wait 1 6E942B82 WriteFile 09-01.log 73 00 69 00 6f 00 6e 8.0.e.0.5.8...... 00 35 00 62 00 30 00 .0.3.3.7.6. .0.3.3.8.0. .[. 65 00 65 00 36 00 36 2.0.1.8.-.0.9.-.0.1. .0.1.:.3. 00 38 00 30 00 65 00 6.:.0.2.]. .D.l.l.M.a.i.n.:. . 30 00 35 00 38 00 20 s.t.a.r.t.e.d..... 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 30 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 30 00 32 00 5d 00 20 00 44 00 6c 00 6c 00 4d 00 61 00 69 00 6e 00 3a 00 20 00 73 00 74 00 61 00 72 00 74 00 65 00 64 00 0d 00 0a 00

Copyright Joe Security LLC 2018 Page 27 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 240 76 00 65 00 72 00 73 v.e.r.s.i.o.n.5.b.0.e.e.6.6.8. success or wait 1 6E942B82 WriteFile 09-01.log 00 69 00 6f 00 6e 00 0.e.0.5.8...... 35 00 62 00 30 00 65 .0.3.3.7.6. .0.3.3.8.0. .[.2. 00 65 00 36 00 36 00 0.1.8.-.0.9.-.0.1. .0.1.:.3.6. 38 00 30 00 65 00 30 :.0.2.]. .O.C.O.S.:.:.g.e.t.W. 00 35 00 38 00 20 00 i.n.d.o.w.s.V.e.r.s.i.o.n.:. . 20 00 20 00 20 00 20 6...1...7.6.0.1.;. .W.i.n.d.o. 00 20 00 20 00 20 00 w.s.V.e.r.s.i.o.n. .=. .7..... 20 00 20 00 20 00 30 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 30 00 32 00 5d 00 20 00 4f 00 43 00 4f 00 53 00 3a 00 3a 00 67 00 65 00 74 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3a 00 20 00 36 00 2e 00 31 00 2e 00 37 00 36 00 30 00 31 00 3b 00 20 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 3d 00 20 00 37 00 0d 00 0a 00 C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 288 76 00 65 00 72 00 73 v.e.r.s.i.o.n.5.b.0.e.e.6.6.8. success or wait 1 6E942B82 WriteFile 09-01.log 00 69 00 6f 00 6e 00 0.e.0.5.8...... 35 00 62 00 30 00 65 .0.3.3.7.6. .0.3.3.8.0. .[.2. 00 65 00 36 00 36 00 0.1.8.-.0.9.-.0.1. .0.1.:.3.6. 38 00 30 00 65 00 30 :.0.2.]. .T.h.r.e.a.d.L.o.c.a. 00 35 00 38 00 20 00 l.e.M.a.n.a.g.e.r.:.:.I.n.i.t.:. 20 00 20 00 20 00 20 .m.a.i.n. .t.h.r.e.a.d. .i.d. 00 20 00 20 00 20 00 .i.s. .3.3.8.0.,. .l.a.n.g.i.d. 20 00 20 00 20 00 30 .i.n.i.t.i 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 30 00 32 00 5d 00 20 00 54 00 68 00 72 00 65 00 61 00 64 00 4c 00 6f 00 63 00 61 00 6c 00 65 00 4d 00 61 00 6e 00 61 00 67 00 65 00 72 00 3a 00 3a 00 49 00 6e 00 69 00 74 00 3a 00 20 00 6d 00 61 00 69 00 6e 00 20 00 74 00 68 00 72 00 65 00 61 00 64 00 20 00 69 00 64 00 20 00 69 00 73 00 20 00 33 00 33 00 38 00 30 00 2c 00 20 00 6c 00 61 00 6e 00 67 00 69 00 64 00 20 00 69 00 6e 00 69 00 74 00 69

Copyright Joe Security LLC 2018 Page 28 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 296 76 00 65 00 72 00 73 v.e.r.s.i.o.n.5.b.0.e.e.6.6.8. success or wait 13 6E942B82 WriteFile 09-01.log 00 69 00 6f 00 6e 00 0.e.0.5.8...... 35 00 62 00 30 00 65 .0.3.3.7.6. .0.3.3.8.0. .[.2. 00 65 00 36 00 36 00 0.1.8.-.0.9.-.0.1. .0.1.:.3.6. 38 00 30 00 65 00 30 :.0.2.]. .s.t.a.r.t.e.d. .w.i.t.h. 00 35 00 38 00 20 00 .'.C.:.\.U.s.e.r.s.\.H.e.r.b. 20 00 20 00 20 00 20 .B.l.a.c.k.b.u.r.n.\.D.e. 00 20 00 20 00 20 00 s.k.t.o.p.\.d.o.w.n.l.o.a.d.\. 20 00 20 00 20 00 30 v.e.r.s.i.o.n.5 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 30 00 32 00 5d 00 20 00 73 00 74 00 61 00 72 00 74 00 65 00 64 00 20 00 77 00 69 00 74 00 68 00 20 00 27 00 43 00 3a 00 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 48 00 65 00 72 00 62 00 20 00 42 00 6c 00 61 00 63 00 6b 00 62 00 75 00 72 00 6e 00 5c 00 44 00 65 00 73 00 6b 00 74 00 6f 00 70 00 5c 00 64 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 5c 00 76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 35 C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 238 76 00 65 00 72 00 73 v.e.r.s.i.o.n.5.b.0.e.e.6.6.8. success or wait 1 6E942B82 WriteFile 09-01.log 00 69 00 6f 00 6e 00 0.e.0.5.8...... 35 00 62 00 30 00 65 .0.3.3.7.6. .0.3.3.8.0. .[.2. 00 65 00 36 00 36 00 0.1.8.-.0.9.-.0.1. .0.1.:.3.6. 38 00 30 00 65 00 30 :.0.2.]. .A.E.N.S.I.S._.S.i.g. 00 35 00 38 00 20 00 n.a.l.U.p.d.a.t.i.n.g.E.v.e.n. 20 00 20 00 20 00 20 t.:. .I.n.s.t.a.l.l.e.r. .e.v.e.n.t. 00 20 00 20 00 20 00 .s.i.g.n.a.l.e.d..... 20 00 20 00 20 00 30 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 30 00 32 00 5d 00 20 00 41 00 45 00 4e 00 53 00 49 00 53 00 5f 00 53 00 69 00 67 00 6e 00 61 00 6c 00 55 00 70 00 64 00 61 00 74 00 69 00 6e 00 67 00 45 00 76 00 65 00 6e 00 74 00 3a 00 20 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 72 00 20 00 65 00 76 00 65 00 6e 00 74 00 20 00 73 00 69 00 67 00 6e 00 61 00 6c 00 65 00 64 00 0d 00 0a 00

Copyright Joe Security LLC 2018 Page 29 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 228 76 00 65 00 72 00 73 v.e.r.s.i.o.n.5.b.0.e.e.6.6.8. success or wait 1 6E942B82 WriteFile 09-01.log 00 69 00 6f 00 6e 00 0.e.0.5.8...... 35 00 62 00 30 00 65 .0.3.3.7.6. .0.3.3.8.0. .[.2. 00 65 00 36 00 36 00 0.1.8.-.0.9.-.0.1. .0.1.:.3.6. 38 00 30 00 65 00 30 :.0.2.]. .A.E.N.S.I.S._.S.i.g. 00 35 00 38 00 20 00 n.a.l.U.p.d.a.t.i.n.g.E.v.e.n. 20 00 20 00 20 00 20 t.:. .H.o.s.t. .e.v.e.n.t. .s. 00 20 00 20 00 20 00 i.g.n.a.l.e.d..... 20 00 20 00 20 00 30 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 30 00 32 00 5d 00 20 00 41 00 45 00 4e 00 53 00 49 00 53 00 5f 00 53 00 69 00 67 00 6e 00 61 00 6c 00 55 00 70 00 64 00 61 00 74 00 69 00 6e 00 67 00 45 00 76 00 65 00 6e 00 74 00 3a 00 20 00 48 00 6f 00 73 00 74 00 20 00 65 00 76 00 65 00 6e 00 74 00 20 00 73 00 69 00 67 00 6e 00 61 00 6c 00 65 00 64 00 0d 00 0a 00 C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 276 76 00 65 00 72 00 73 v.e.r.s.i.o.n.5.b.0.e.e.6.6.8. success or wait 1 6E942B82 WriteFile 09-01.log 00 69 00 6f 00 6e 00 0.e.0.5.8...... 35 00 62 00 30 00 65 .0.3.3.7.6. .0.3.3.8.0. .[.2. 00 65 00 36 00 36 00 0.1.8.-.0.9.-.0.1. .0.1.:.3.6. 38 00 30 00 65 00 30 :.0.2.]. .V.e.r.s.i.o.n.:. .W. 00 35 00 38 00 20 00 i.n.7. .(.3.2.b.i.t.). .-. .O.S. 20 00 20 00 20 00 20 .L.a.n.g.u.a.g.e.:. .e.n. . 00 20 00 20 00 20 00 (.0.4.0.9.). .-. .U.I. .L.a.n. 20 00 20 00 20 00 30 g.u.a.g.e.:. .e 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 30 00 32 00 5d 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3a 00 20 00 57 00 69 00 6e 00 37 00 20 00 28 00 33 00 32 00 62 00 69 00 74 00 29 00 20 00 2d 00 20 00 4f 00 53 00 20 00 4c 00 61 00 6e 00 67 00 75 00 61 00 67 00 65 00 3a 00 20 00 65 00 6e 00 20 00 28 00 30 00 34 00 30 00 39 00 29 00 20 00 2d 00 20 00 55 00 49 00 20 00 4c 00 61 00 6e 00 67 00 75 00 61 00 67 00 65 00 3a 00 20 00 65

Copyright Joe Security LLC 2018 Page 30 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 236 76 00 65 00 72 00 73 v.e.r.s.i.o.n.5.b.0.e.e.6.6.8. success or wait 1 6E942B82 WriteFile 09-01.log 00 69 00 6f 00 6e 00 0.e.0.5.8...... 35 00 62 00 30 00 65 .0.3.3.7.6. .0.3.3.8.0. .[.2. 00 65 00 36 00 36 00 0.1.8.-.0.9.-.0.1. .0.1.:.3.6. 38 00 30 00 65 00 30 :.0.2.]. .A.E.N.S.I.S._.S.e.t. 00 35 00 38 00 20 00 I.n.s.t.a.l.l.D.a.t.e.:. .g.o.t. 20 00 20 00 20 00 20 .i.n.s.t.a.l.l. .d.a.t.e. .f.r.o.m. 00 20 00 20 00 20 00 .s.y.s.t.e.m..... 20 00 20 00 20 00 30 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 30 00 32 00 5d 00 20 00 41 00 45 00 4e 00 53 00 49 00 53 00 5f 00 53 00 65 00 74 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 44 00 61 00 74 00 65 00 3a 00 20 00 67 00 6f 00 74 00 20 00 69 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 20 00 64 00 61 00 74 00 65 00 20 00 66 00 72 00 6f 00 6d 00 20 00 73 00 79 00 73 00 74 00 65 00 6d 00 0d 00 0a 00 C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 274 76 00 65 00 72 00 73 v.e.r.s.i.o.n.5.b.0.e.e.6.6.8. success or wait 1 6E942B82 WriteFile 09-01.log 00 69 00 6f 00 6e 00 0.e.0.5.8...... 35 00 62 00 30 00 65 .0.3.3.7.6. .0.3.3.8.0. .[.2. 00 65 00 36 00 36 00 0.1.8.-.0.9.-.0.1. .0.1.:.3.6. 38 00 30 00 65 00 30 :.0.2.]. .A.E.N.S.I.S._.S.e.t. 00 35 00 38 00 20 00 I.n.s.t.a.l.l.D.a.t.e.:. .s.t. 20 00 20 00 20 00 20 o.r.i.n.g. .i.n.s.t.a.l.l. .d. 00 20 00 20 00 20 00 a.t.e. .o.f. .2.0.1.8.-.0.9.-. 20 00 20 00 20 00 30 0.1. ./. .1.5.3 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 30 00 32 00 5d 00 20 00 41 00 45 00 4e 00 53 00 49 00 53 00 5f 00 53 00 65 00 74 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 44 00 61 00 74 00 65 00 3a 00 20 00 73 00 74 00 6f 00 72 00 69 00 6e 00 67 00 20 00 69 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 20 00 64 00 61 00 74 00 65 00 20 00 6f 00 66 00 20 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 2f 00 20 00 31 00 35 00 33

Copyright Joe Security LLC 2018 Page 31 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Host App unknown 16384 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 437 405E1F WriteFile Service\Engine\HostAppService.exe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... v...%...%...%..#%.. 00 00 00 00 00 00 00 .%.8%%...%...%...%`Zj%... 00 00 00 00 00 00 00 %`Zu% 00 00 00 20 01 00 00 ...%`Zk%...%.8.%...%.. 0e 1f ba 0e 00 b4 09 (%...%.8 cd 21 b8 01 4c cd 21 .%...%`Zp%...%...%$..%.8. 54 68 69 73 20 70 72 %U..%.8 %...%.8!%... 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f9 c4 d5 76 bd a5 bb 25 bd a5 bb 25 bd a5 bb 25 2e eb 23 25 bb a5 bb 25 a6 38 25 25 8c a5 bb 25 d2 d3 10 25 b5 a5 bb 25 60 5a 6a 25 bc a5 bb 25 60 5a 75 25 ba a5 bb 25 60 5a 6b 25 bf a5 bb 25 a6 38 15 25 a0 a5 bb 25 b4 dd 28 25 b7 a5 bb 25 a6 38 11 25 f1 a6 bb 25 60 5a 70 25 98 a5 bb 25 bd a5 ba 25 24 a7 bb 25 a6 38 10 25 55 a5 bb 25 a6 38 20 25 bc a5 bb 25 a6 38 21 25 bc a5 bb C:\Users\user\AppData\Local\Host App unknown 16384 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 195 405E1F WriteFile Service\Engine\HostAppServiceInterface.exe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... x..p<.{#<.{# 00 00 00 00 00 00 00 <.{#S..#8.{#...#:.{#'e.#.. 00 00 00 00 00 00 00 {#'e.#..{#...#=.{#...#?. 00 00 00 00 00 00 00 {#...#>.{#5..#0.{#'e.#w. 00 00 00 20 01 00 00 {#...#!.{#<.z#..{#'e.#..{# 0e 1f ba 0e 00 b4 09 'e.#=.{#'e.#=.{ cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 78 99 15 70 3c f8 7b 23 3c f8 7b 23 3c f8 7b 23 53 8e d0 23 38 f8 7b 23 af b6 e3 23 3a f8 7b 23 27 65 e5 23 17 f8 7b 23 27 65 d0 23 a5 f8 7b 23 e1 07 aa 23 3d f8 7b 23 e1 07 b5 23 3f f8 7b 23 e1 07 ab 23 3e f8 7b 23 35 80 e8 23 30 f8 7b 23 27 65 d1 23 77 fb 7b 23 e1 07 b0 23 21 f8 7b 23 3c f8 7a 23 c3 f9 7b 23 27 65 d4 23 1e f8 7b 23 27 65 e0 23 3d f8 7b 23 27 65 e1 23 3d f8 7b

Copyright Joe Security LLC 2018 Page 32 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Host App unknown 16384 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 219 405E1F WriteFile Service\Engine\HostAppServiceUpdater.exe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 (...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... g...g...g..R)@..g 00 00 00 00 00 00 00 ....F..g....s..g...... g...... 00 00 00 00 00 00 00 .g...... g....K..g....v..g.... 00 00 00 28 01 00 00 r..d...... g...g...e....s.lg.. 0e 1f ba 0e 00 b4 09 ..C..g....B..g. cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 85 06 b6 8f c1 67 d8 dc c1 67 d8 dc c1 67 d8 dc 52 29 40 dc c7 67 d8 dc da fa 46 dc ea 67 d8 dc ae 11 73 dc c6 67 d8 dc 1c 98 09 dc c0 67 d8 dc 1c 98 16 dc c2 67 d8 dc 1c 98 08 dc c3 67 d8 dc c8 1f 4b dc cb 67 d8 dc da fa 76 dc dc 67 d8 dc da fa 72 dc 8b 64 d8 dc 1c 98 13 dc e2 67 d8 dc c1 67 d9 dc dd 65 d8 dc da fa 73 dc 6c 67 d8 dc da fa 43 dc c0 67 d8 dc da fa 42 dc c0 67 d8 C:\Users\user\AppData\Local\Host App unknown 16384 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 464 405E1F WriteFile Service\Engine\HostAppServiceUpdateManager.exe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... a... 00 00 00 00 00 00 00 ...cg...... R.....B.(.....B.7. 00 00 00 00 00 00 00 ....B.)...... j...... cS.....B. 00 00 00 20 01 00 00 2...... cV...... cR.W... 0e 1f ba 0e 00 b4 09 .cb...... cc.... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 db 9f 97 87 9f fe f9 d4 9f fe f9 d4 9f fe f9 d4 0c b0 61 d4 99 fe f9 d4 84 63 67 d4 b4 fe f9 d4 f0 88 52 d4 98 fe f9 d4 42 01 28 d4 9e fe f9 d4 42 01 37 d4 9b fe f9 d4 42 01 29 d4 9c fe f9 d4 96 86 6a d4 95 fe f9 d4 84 63 53 d4 ce fd f9 d4 42 01 32 d4 bc fe f9 d4 9f fe f8 d4 f1 fc f9 d4 84 63 56 d4 a9 fe f9 d4 84 63 52 d4 57 fe f9 d4 84 63 62 d4 9e fe f9 d4 84 63 63 d4 9e fe f9

Copyright Joe Security LLC 2018 Page 33 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Host App unknown 16384 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 183 405E1F WriteFile Service\Engine\HostAppServiceUpdaterMetrics.exe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... o#...p...p...p)..p.. 00 00 00 00 00 00 00 .p.H.p...p...p...pg*.p...pg*.p 00 00 00 00 00 00 00 ...p...p...pg*.p...p.H.p...p.H 00 00 00 20 01 00 00 .p...pg*.p...p...pD..p.H.p...p 0e 1f ba 0e 00 b4 09 .H.p...p.H.p... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 fe b4 6f 23 ba d5 01 70 ba d5 01 70 ba d5 01 70 29 9b 99 70 bc d5 01 70 a1 48 9f 70 91 d5 01 70 d5 a3 aa 70 b2 d5 01 70 67 2a d0 70 bb d5 01 70 67 2a cf 70 b9 d5 01 70 b3 ad 92 70 b0 d5 01 70 67 2a d1 70 b9 d5 01 70 a1 48 af 70 a7 d5 01 70 a1 48 ab 70 f3 d6 01 70 67 2a ca 70 99 d5 01 70 ba d5 00 70 44 d4 01 70 a1 48 aa 70 1a d5 01 70 a1 48 9a 70 bb d5 01 70 a1 48 9b 70 bb d5 01 C:\Users\user\AppData\Local\Host App unknown 16384 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 210 405E1F WriteFile Service\Engine\WebAppHelper.exe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... }...}...}?..}.. 00 00 00 00 00 00 00 .}.j.}...}..5}...}q.O}...}q.P} 00 00 00 00 00 00 00 ...}q.N}...}...}...}.j0}...}.j 00 00 00 20 01 00 00 4}...}q.U}...}...}...}.j5}...} 0e 1f ba 0e 00 b4 09 .j.}...}.j.}... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e8 96 f0 2e ac f7 9e 7d ac f7 9e 7d ac f7 9e 7d 3f b9 06 7d aa f7 9e 7d b7 6a 00 7d 87 f7 9e 7d c3 81 35 7d ab f7 9e 7d 71 08 4f 7d ad f7 9e 7d 71 08 50 7d a8 f7 9e 7d 71 08 4e 7d ad f7 9e 7d a5 8f 0d 7d a6 f7 9e 7d b7 6a 30 7d b1 f7 9e 7d b7 6a 34 7d e5 f4 9e 7d 71 08 55 7d 8d f7 9e 7d ac f7 9f 7d 80 f5 9e 7d b7 6a 35 7d 05 f7 9e 7d b7 6a 05 7d ad f7 9e 7d b7 6a 04 7d ad f7 9e

Copyright Joe Security LLC 2018 Page 34 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Host App unknown 16384 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 9 405E1F WriteFile Service\Engine\SLToolWrapper.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... !.f.e...e...e...l...c... 00 00 00 00 00 00 00 {...g...v...a...v...g...v...o...v... 00 00 00 00 00 00 00 {...... a...... j...e. 00 00 00 18 01 00 00 ...... Y...g...Y...`...Y...d... 0e 1f ba 0e 00 b4 09 Y...d...e...d.. cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 21 a4 66 d0 65 c5 08 83 65 c5 08 83 65 c5 08 83 6c bd 9b 83 63 c5 08 83 7b 97 9b 83 67 c5 08 83 76 a3 09 82 61 c5 08 83 76 a3 0b 82 67 c5 08 83 76 a3 0c 82 6f c5 08 83 76 a3 0d 82 7b c5 08 83 16 a7 0e 82 61 c5 08 83 16 a7 09 82 6a c5 08 83 65 c5 09 83 19 c5 08 83 59 a2 0c 82 67 c5 08 83 59 a2 0d 82 60 c5 08 83 59 a2 08 82 64 c5 08 83 59 a2 f7 83 64 c5 08 83 65 c5 9f 83 64 c5 08 C:\Users\user\AppData\Local\Host App unknown 16384 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 2 405E1F WriteFile Service\Engine\SLTool.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... PE..L...g.. 00 00 00 00 00 00 00 [...... " ..0...... 4... 00 00 00 00 00 00 00 ...@...... 00 00 00 00 00 00 00 ...... `...... 00 00 00 80 00 00 00 ...... 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 67 ab 0d 5b 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 16 00 00 00 06 00 00 00 00 00 00 da 34 00 00 00 20 00 00 00 40 00 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 d7 f7 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00

Copyright Joe Security LLC 2018 Page 35 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Host App Service\Engine\vcruntim unknown 16384 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 6 405E1F WriteFile e140.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... c...'...'...'....Yf.%. 00 00 00 00 00 00 00 ....>.,...'...... 7...... 00 00 00 00 00 00 00 4...... #...... ?...... &..... 00 00 00 f8 00 00 00 R.&...... &...Rich'...... 0e 1f ba 0e 00 b4 09 ...... PE..L.. cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 c7 c3 9a 27 a6 ad c9 27 a6 ad c9 27 a6 ad c9 fa 59 66 c9 25 a6 ad c9 2e de 3e c9 2c a6 ad c9 27 a6 ac c9 0f a6 ad c9 1c f8 a9 c8 37 a6 ad c9 1c f8 ae c8 34 a6 ad c9 1c f8 a8 c8 23 a6 ad c9 1c f8 a5 c8 3f a6 ad c9 1c f8 ad c8 26 a6 ad c9 1c f8 52 c9 26 a6 ad c9 1c f8 af c8 26 a6 ad c9 52 69 63 68 27 a6 ad c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 C:\Users\user\AppData\Local\Host App Service\IconCache\persi unknown 16384 00 00 01 00 06 00 00 ...... f...@@.... . success or wait 3 405E1F WriteFile stent\App Explorer.ico 00 00 00 01 00 20 00 (B...... 00...... %..:Q...... ac 0e 00 00 66 00 00 ...... v...... 00 40 40 00 00 01 00 .h...... PNG...... IHDR.. 20 00 28 42 00 00 12 ...... \r.f...sIDATx..._.] 0f 00 00 30 30 00 00 U...u.m...A.E....F1.D....|0.(. 01 00 20 00 a8 25 00 .}.A.B.Ax@P...>..P 00 3a 51 00 00 20 20 A.1.@.....`LLx..4B.R.b;... . 00 00 01 00 20 00 a8 {.g.s.a.3s..}.^{}?.$...;g... 10 00 00 e2 76 00 00 18 18 00 00 01 00 20 00 88 09 00 00 8a 87 00 00 10 10 00 00 01 00 20 00 68 04 00 00 12 91 00 00 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 0e 73 49 44 41 54 78 da ed dd 5f 8c 5d 55 15 c7 f1 75 ef 6d 0b a8 15 41 a6 45 09 94 82 a5 46 31 d1 44 12 13 e3 1f 7c 30 fa 28 b4 10 7d e0 41 8d 42 e1 41 78 40 50 f9 8f 82 3e 08 0f 50 20 41 13 31 d1 40 0b be 12 1e c4 60 4c 4c 78 d0 07 34 42 81 52 08 62 3b b5 82 a8 20 9d 7b af 67 0f 73 c3 61 9c 33 73 ff ec 7d d6 5e 7b 7d 3f c9 24 14 c2 9d 3b 67 ad f9 ad

Copyright Joe Security LLC 2018 Page 36 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Host App unknown 16384 50 4f 4b 49 01 00 00 POKI...... 0..0...*.H.... success or wait 9 405E1F WriteFile Service\Apps\32643404c9763e5e50dbcbb85d1ee63a23897ed0 00 a2 00 00 00 80 00 ...... 0...... UcU..sw@...... pokki 00 00 30 81 9f 30 0d .9..RYy...... Z..M.r1K.$.tD.. 06 09 2a 86 48 86 f7 A(...$....4.+e..*F.`\&..zD;..o 0d 01 01 01 05 00 03 ...... &.4.s.Y(p...... b._.)l.. 81 8d 00 30 81 89 02 _...... !.A..J.w{..'...... 81 81 00 dd 55 63 55 [email protected]....+...l|.X f4 86 73 77 40 e7 97 PmX..6..f..6...MK.- ea a4 de 80 89 39 ce ..._@[.4i._...... _.*O 9b 52 59 79 cd b3 a1 ea c4 18 86 a0 5a be 90 4d 1d 72 31 4b ee 24 ca 74 44 a2 c1 41 28 94 fb f7 24 9a a4 92 9d 34 90 2b 65 14 cf 2a 46 fe 60 5c 26 05 a9 7a 44 3b af a5 6f 9f f5 ba 02 dc ce 99 26 0c 34 a2 73 0f 59 28 70 ce fa ef e8 99 87 62 bc 5f 85 29 6c 8b 15 5f 98 87 0d ba 80 af b6 87 0c 21 b8 41 0a a7 4a bb 77 7b c9 80 27 91 02 03 01 00 01 8e 9b 31 80 14 80 79 83 83 87 40 bb ad ce f8 09 71 7f 34 69 e7 8e e0 86 2b db de a3 6c 7c dc 58 50 6d 58 cb 0a 36 bb 06 66 df 90 36 8d 12 d4 4d 4b e3 2d 1c ee e6 5f 40 5b 90 34 69 d4 5f a2 f0 fa 07 89 a4 f8 f1 1b 16 a0 5f f4 2a 4f C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 232 76 00 65 00 72 00 73 v.e.r.s.i.o.n.5.b.0.e.e.6.6.8. success or wait 1 6E942B82 WriteFile 09-01.log 00 69 00 6f 00 6e 00 0.e.0.5.8...... 35 00 62 00 30 00 65 .0.3.3.7.6. .0.3.3.8.0. .[.2. 00 65 00 36 00 36 00 0.1.8.-.0.9.-.0.1. .0.1.:.3.6. 38 00 30 00 65 00 30 :.1.3.]. .T.a.s.k.S.c.h.e.d.u. 00 35 00 38 00 20 00 l.e.r.:.:.S.c.h.e.d.u.l.e.A.t. 20 00 20 00 20 00 20 L.o.g.O.n.T.a.s.k.F.o.r.E.x. 00 20 00 20 00 20 00 e.:. .S.U.C.C.E.S.S..... 20 00 20 00 20 00 30 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 31 00 33 00 5d 00 20 00 54 00 61 00 73 00 6b 00 53 00 63 00 68 00 65 00 64 00 75 00 6c 00 65 00 72 00 3a 00 3a 00 53 00 63 00 68 00 65 00 64 00 75 00 6c 00 65 00 41 00 74 00 4c 00 6f 00 67 00 4f 00 6e 00 54 00 61 00 73 00 6b 00 46 00 6f 00 72 00 45 00 78 00 65 00 3a 00 20 00 53 00 55 00 43 00 43 00 45 00 53 00 53 00 0d 00 0a 00

Copyright Joe Security LLC 2018 Page 37 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 242 76 00 65 00 72 00 73 v.e.r.s.i.o.n.5.b.0.e.e.6.6.8. success or wait 1 6E942B82 WriteFile 09-01.log 00 69 00 6f 00 6e 00 0.e.0.5.8...... 35 00 62 00 30 00 65 .0.3.3.7.6. .0.3.3.8.0. .[.2. 00 65 00 36 00 36 00 0.1.8.-.0.9.-.0.1. .0.1.:.3.6. 38 00 30 00 65 00 30 :.1.3.]. 00 35 00 38 00 20 00 .A.E.N.S.I.S._.A.d.d. 20 00 20 00 20 00 20 A.u.t.o.S.t.a.r.t.:. .S.u.c.c. 00 20 00 20 00 20 00 e.s.f.u.l.l.y. .a.d.d.e.d. .s. 20 00 20 00 20 00 30 c.h.e.d.u.l.e.d. .t.a.s.k...... 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 31 00 33 00 5d 00 20 00 41 00 45 00 4e 00 53 00 49 00 53 00 5f 00 41 00 64 00 64 00 41 00 75 00 74 00 6f 00 53 00 74 00 61 00 72 00 74 00 3a 00 20 00 53 00 75 00 63 00 63 00 65 00 73 00 66 00 75 00 6c 00 6c 00 79 00 20 00 61 00 64 00 64 00 65 00 64 00 20 00 73 00 63 00 68 00 65 00 64 00 75 00 6c 00 65 00 64 00 20 00 74 00 61 00 73 00 6b 00 2e 00 0d 00 0a 00 C:\Users\user\AppData\Local\Host App Service\Uninstall.exe unknown 16384 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 117 405E1F WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... 1...P...P...P..*_...P 00 00 00 00 00 00 00 ...P..OP..*_...P...s...P...V.. 00 00 00 00 00 00 00 .P..Rich.P...... PE..L....c 00 00 00 c8 00 00 00 .W...... b...... 0e 1f ba 0e 00 b4 09 .3...... @ cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 e8 81 e9 50 86 d2 e9 50 86 d2 e9 50 86 d2 2a 5f d9 d2 eb 50 86 d2 e9 50 87 d2 4f 50 86 d2 2a 5f db d2 e6 50 86 d2 bd 73 b6 d2 e3 50 86 d2 2e 56 80 d2 e8 50 86 d2 52 69 63 68 e9 50 86 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 97 63 95 57 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 62 00 00 00 e2 00 00 00 08 00 00 b6 33 00 00 00 10 00 00 00 80 00 00 00 00 40

Copyright Joe Security LLC 2018 Page 38 of 42 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 190 76 00 65 00 72 00 73 v.e.r.s.i.o.n.5.b.0.e.e.6.6.8. success or wait 1 6E942B82 WriteFile 09-01.log 00 69 00 6f 00 6e 00 0.e.0.5.8...... 35 00 62 00 30 00 65 .0.3.3.7.6. .0.3.3.8.0. .[.2. 00 65 00 36 00 36 00 0.1.8.-.0.9.-.0.1. .0.1.:.3.6. 38 00 30 00 65 00 30 :.1.4.]. 00 35 00 38 00 20 00 .A.E.N.S.I.S._.R.u.n. 20 00 20 00 20 00 20 P.o.k.k.i.:. .u.p.d.a.t.e.d. .=. 00 20 00 20 00 20 00 .0..... 20 00 20 00 20 00 30 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 31 00 34 00 5d 00 20 00 41 00 45 00 4e 00 53 00 49 00 53 00 5f 00 52 00 75 00 6e 00 50 00 6f 00 6b 00 6b 00 69 00 3a 00 20 00 75 00 70 00 64 00 61 00 74 00 65 00 64 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 C:\Users\HERBBL~1\AppData\Local\Temp\App Explorer-2018- unknown 420 76 00 65 00 72 00 73 v.e.r.s.i.o.n.5.b.0.e.e.6.6.8. success or wait 1 6E942B82 WriteFile 09-01.log 00 69 00 6f 00 6e 00 0.e.0.5.8...... 35 00 62 00 30 00 65 .0.3.3.7.6. .0.3.3.8.0. .[.2. 00 65 00 36 00 36 00 0.1.8.-.0.9.-.0.1. .0.1.:.3.6. 38 00 30 00 65 00 30 :.1.5.]. ._.S.h.e.l.l.E.x.e.c. 00 35 00 38 00 20 00 u.t.e.:. .(.e.r.r.:. .0.). .e. 20 00 20 00 20 00 20 x.p.l.o.r.e.r.-.e.x.e.c.u.t.e.d. 00 20 00 20 00 20 00 .'.C.:.\.U.s.e.r.s.\.H.e.r.b. 20 00 20 00 20 00 30 .B.l.a.c.k.b 00 33 00 33 00 37 00 36 00 20 00 30 00 33 00 33 00 38 00 30 00 20 00 5b 00 32 00 30 00 31 00 38 00 2d 00 30 00 39 00 2d 00 30 00 31 00 20 00 30 00 31 00 3a 00 33 00 36 00 3a 00 31 00 35 00 5d 00 20 00 5f 00 53 00 68 00 65 00 6c 00 6c 00 45 00 78 00 65 00 63 00 75 00 74 00 65 00 3a 00 20 00 28 00 65 00 72 00 72 00 3a 00 20 00 30 00 29 00 20 00 65 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 2d 00 65 00 78 00 65 00 63 00 75 00 74 00 65 00 64 00 20 00 27 00 43 00 3a 00 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 48 00 65 00 72 00 62 00 20 00 42 00 6c 00 61 00 63 00 6b 00 62

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Users\user\Desktop\download\version5b0ee6680e058.exe unknown 512 success or wait 860 405DF0 ReadFile C:\Users\user\Desktop\download\version5b0ee6680e058.exe unknown 16384 success or wait 1388 405DF0 ReadFile C:\Users\HERBBL~1\AppData\Local\Temp\nsyCCFB.tmp unknown 4 success or wait 1 405DF0 ReadFile C:\Users\HERBBL~1\AppData\Local\Temp\nsyCCFB.tmp unknown 127092 success or wait 1 4031D5 ReadFile C:\Users\HERBBL~1\AppData\Local\Temp\nsyCCFB.tmp unknown 4 success or wait 14 405DF0 ReadFile C:\Users\HERBBL~1\AppData\Local\Temp\nsyCCFB.tmp unknown 16384 success or wait 2141 405DF0 ReadFile

Registry Activities

Key Created

Copyright Joe Security LLC 2018 Page 39 of 42 Source Key Path Completion Count Address Symbol HKEY_USERS\SOFTWARE\Host App Service success or wait 1 6E7208B1 RegCreateKeyExW HKEY_USERS\Software\Host App Service\Sideload success or wait 1 4023BF RegCreateKeyExW HKEY_USERS\Software\Host App Service\Sideload\Apps success or wait 1 4023BF RegCreateKeyExW HKEY_USERS\Software\Host App Service\WebApps success or wait 1 4023BF RegCreateKeyExW HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Uninstall success or wait 1 4023BF RegCreateKeyExW HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service success or wait 1 4023BF RegCreateKeyExW

Key Value Created

Source Key Path Name Type Data Completion Count Address Symbol HKEY_USERS\Software\Host App Service ClientId unicode 9299d012-d3cc-4133-b554-5120bd success or wait 1 6E71E817 RegSetValueExW 275944 HKEY_USERS\Software\Host App Service InstallDate unicode 2018-09-01 success or wait 1 6E702948 RegSetValueExW HKEY_USERS\Software\Host App Service InstallDate2 B E2 D0 89 5B 00 00 00 00 success or wait 1 6E70297D RegSetValueExW HKEY_USERS\Software\Host App S App Explorer unicode 32643404c9763e5e50dbcbb85d1ee6 success or wait 1 40241B RegSetValueExW ervice\Sideload\Apps 3a23897ed0 HKEY_USERS\Software\Host App Service InstallDir expand %LOCALAPPDATA%\Host App Servic success or wait 1 40241B RegSetValueExW unicode e HKEY_USERS\Software\Host App Service Version unicode 0.273.2.779 success or wait 1 40241B RegSetValueExW HKEY_USERS\Software\Host App Service InstallFresh dword 1 success or wait 1 40241B RegSetValueExW HKEY_USERS\Software\Host App Service InstallAppOrigin unicode success or wait 1 40241B RegSetValueExW HKEY_USERS\Software\Host App Service InstallCampaign unicode success or wait 1 40241B RegSetValueExW HKEY_USERS\Software\Host App Service InstallSource unicode success or wait 1 40241B RegSetValueExW HKEY_USERS\Software\Host App Service sta_a3i dword 1 success or wait 1 40241B RegSetValueExW HKEY_USERS\Software\Host App Service wait_to_launch dword 0 success or wait 1 40241B RegSetValueExW HKEY_USERS\Software\Microsoft\Internet HostAppService.exe dword 11000 success or wait 1 40241B RegSetValueExW Explorer\Main\Feature Control\FEATURE_BROWSER_EMULATION HKEY_USERS\Software\Microsoft\ DisplayName unicode App Explorer success or wait 1 40241B RegSetValueExW Windows\CurrentVersion\Uninstall\Host App Service HKEY_USERS\Software\Microsoft\ DisplayIcon expand "%LOCALAPPDATA%\Host App Servi success or wait 1 40241B RegSetValueExW Windows\CurrentVersion\Uninstall\Host App unicode ce\IconCache\persistent\App Ex Service plorer.ico" HKEY_USERS\Software\Microsoft\ DisplayVersion unicode 0.273.2.779 success or wait 1 40241B RegSetValueExW Windows\CurrentVersion\Uninstall\Host App Service HKEY_USERS\Software\Microsoft\ Publisher unicode SweetLabs success or wait 1 40241B RegSetValueExW Windows\CurrentVersion\Uninstall\Host App Service HKEY_USERS\Software\Microsoft\ UninstallString expand "%LOCALAPPDATA%\Host App Servi success or wait 1 40241B RegSetValueExW Windows\CurrentVersion\Uninstall\Host App unicode ce\Uninstall.exe" Service HKEY_USERS\Software\Microsoft\ NoModify dword 1 success or wait 1 40241B RegSetValueExW Windows\CurrentVersion\Uninstall\Host App Service HKEY_USERS\Software\Microsoft\ NoRepair dword 1 success or wait 1 40241B RegSetValueExW Windows\CurrentVersion\Uninstall\Host App Service

Key Value Modified

Source Key Path Name Type Old Data New Data Completion Count Address Symbol HKEY_USERS\Software\Host NULL unicode success or wait 1 40241B RegSetValueExW App Service\WebApps

Analysis Process: HostAppServiceUpdater.exe PID: 3420 Parent PID: 1432

General

Start time: 01:36:14 Start date: 01/09/2018 Path: C:\Users\user\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe Wow64 process (32bit): false Commandline: 'C:\Users\user\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe' /LOGON

Copyright Joe Security LLC 2018 Page 40 of 42 Imagebase: 0x290000 File size: 3574680 bytes MD5 hash: 79D64D6F9A0DE39E5558D86E22C13021 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

Analysis Process: taskeng.exe PID: 3440 Parent PID: 848

General

Start time: 01:36:15 Start date: 01/09/2018 Path: C:\Windows\System32\taskeng.exe Wow64 process (32bit): false Commandline: taskeng.exe {080305CB-EE84-4FFA-BAC8-23828B83C6BD} S-1-5-21-290172400- 2828352916-2832973385-1001:computer\user:Interactive:[1] Imagebase: 0x870000 File size: 192000 bytes MD5 hash: 4F2659160AFCCA990305816946F69407 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Windows\System32\Tasks\App Explorer unknown 2 success or wait 1 874D45 ReadFile C:\Windows\System32\Tasks\App Explorer unknown 3354 success or wait 1 874D96 ReadFile

Registry Activities

Key Value Created

Source Key Path Name Type Data Completion Count Address Symbol HKEY_LOCAL_MACHINE\SOFTWARE\Mi data binary 4D 45 4F 57 01 00 00 00 E4 B7 BD success or wait 1 87A42F RegSetValueExW crosoft\Windows NT\CurrentVers 92 8B F2 A0 46 B5 51 45 A5 2B DD ion\Schedule\Handshake\{080305CB-EE84-4FFA- 51 25 00 00 00 00 00 00 00 00 4B C5 BAC8-23828B83C6BD} 20 41 33 1C 92 B8 1A B0 09 83 04 5C E7 72 01 6C 00 00 70 0D 00 00 04 97 AB DF CB F6 CB 3F 00 00 00 00

Analysis Process: HostAppServiceUpdater.exe PID: 3476 Parent PID: 3440

General

Start time: 01:36:15 Start date: 01/09/2018 Path: C:\Users\user\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe Wow64 process (32bit): false Commandline: 'C:\Users\user\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe' /LOGON Imagebase: 0x290000 File size: 3574680 bytes MD5 hash: 79D64D6F9A0DE39E5558D86E22C13021 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

Code Analysis