ID: 468093
Sample Name: Netwrix_Account_Lockout_Examiner.exe
Cookbook: default.jbs
Time: 11:11:30
Date: 19/08/2021
Version: 33.0.0 White Diamond

Copyright Joe Security LLC 2021

Windows Analysis Report Netwrix_Account_Lockout_Examiner.exe

Overview

General Information

Sample Name: Netwrix_Account_Lockout_Examiner.exe
Analysis ID: 468093
MD5: 9fc98474b06655d…
SHA1: 7d8510018ce80b…
SHA256: 51d7acb2504c08…

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Queries the volume information (nam…
Drops PE files to the application pro…
Contains functionality to query locale…
May sleep (evasive loops) to hinder …
Detected potential crypto function
Found potential string decryption / a…
Found dropped PE file which has no…
HTTP GET or POST without a user …
Contains functionality which may be …
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / Us…
DLL planting / hijacking vulnerabilitie…
Sample file is different than original …
Drops PE files
File is packed with WinRar
Binary contains a suspicious time st…
Monitors certain registry keys / valu…
Creates a process in suspended mo…

Classification

[Figure: classification chart with the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware]

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may be VM or Sandbox-aware, try analysis on a native machine

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64
Netwrix_Account_Lockout_Examiner.exe (PID: 6372 cmdline: 'C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe' MD5: 9FC98474B06655DCB0A9A392C0D86537)
    Netwrix.ALE.Launcher.exe (PID: 6556 cmdline: 'C:\ProgramData\Netwrix Account Lockout Examiner\Netwrix.ALE.Launcher.exe' MD5: 3E6448BDE464CC02762DE87F1928CF17)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures.

Compliance:

DLL planting / hijacking vulnerabilities found

PE / OLE file has a valid certificate

Binary contains paths to debug symbols

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects
Valid Accounts | Windows Management Instrumentation | DLL Search Order Hijacking 1 | Access Token Manipulation 1 | Disable or Modify Tools 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 1 1 | Virtualization/Sandbox Evasion 2 2 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS
Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Search Order Hijacking 1 | Access Token Manipulation 1 | Security Account Manager | Security Software Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 1 | NTDS | Virtualization/Sandbox Evasion 2 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp 1 | Proc Filesystem | System Information Discovery 2 4 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Search Order Hijacking 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station

Behavior Graph

Behavior Graph ID: 468093
Sample: Netwrix_Account_Lockout_Exa...
Startdate: 19/08/2021
Architecture: WINDOWS
Score: 4

[Figure: behavior graph. Netwrix_Account_Lockout_Examiner.exe drops C:\ProgramData\...\Netwrix.ALE.Updater.exe (PE32), C:\ProgramData\...\Netwrix.ALE.Launcher.exe (PE32), C:\ProgramData\...\log4net.dll (PE32) and 36 other files (none is malicious), and starts Netwrix.ALE.Launcher.exe. Network nodes: updates.netwrix.com; 192.168.2.1 (unknown, unknown); 54.172.115.150, 49721, 80 (AMAZON-AESUS, United States).]


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Netwrix_Account_Lockout_Examiner.exe | 0% | Virustotal |
Netwrix_Account_Lockout_Examiner.exe | 0% | Metadefender |
Netwrix_Account_Lockout_Examiner.exe | 0% | ReversingLabs |

Dropped Files

Source | Detection | Scanner | Label
C:\ProgramData\Netwrix Account Lockout Examiner\Common\EntityFramework.dll | 0% | Metadefender |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\EntityFramework.dll | 0% | ReversingLabs |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.ALE.UsageStatistics.dll | 0% | Metadefender |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.ALE.UsageStatistics.dll | 0% | ReversingLabs |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.Common.dll | 0% | Metadefender |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.Common.dll | 0% | ReversingLabs |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.ComponentsLib.dll | 0% | Metadefender |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.ComponentsLib.dll | 0% | ReversingLabs |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.Node.dll | 0% | Metadefender |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.Node.dll | 0% | ReversingLabs |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.UsageStatisticsSender.dll | 0% | Metadefender |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.UsageStatisticsSender.dll | 0% | ReversingLabs |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\System.Data.SQLite.EF6.dll | 0% | Metadefender |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\System.Data.SQLite.EF6.dll | 0% | ReversingLabs |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\System.Data.SQLite.dll | 0% | Metadefender |
C:\ProgramData\Netwrix Account Lockout Examiner\Common\System.Data.SQLite.dll | 0% | ReversingLabs |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
updates.netwrix.com | 54.172.115.150 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
updates.netwrix.com/aleVersion.xml | false | | high

URLs from Memory and Binaries

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
54.172.115.150 | updates.netwrix.com | United States | 14618 | AMAZON-AESUS | false

Private

IP 192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 468093
Start date: 19.08.2021
Start time: 11:11:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Netwrix_Account_Lockout_Examiner.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean4.winEXE@3/45@1/2
EGA Information: Successful, ratio: 50%
HDC Information: Successful, ratio: 99.2% (good quality ratio 97.3%); Quality average: 90.7%; Quality standard deviation: 19%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN


JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Netwrix Account Lockout Examiner\Common\Default.acconf

Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 17920
Entropy (8bit): 4.676239053520324
Encrypted: false
SSDEEP: 384:VCO3eqCNZ353U3T9lCv3q3tnU2CzrwyGL6RinU2h1F1+E41OufrwyGL6UENHG6Nm:RunJE4a8S
MD5: D90A3A0E30E6F79A635DBB9D344A59BC
SHA1: B7BCE824702C789815BF72B38ED29BAB93F1A42B
SHA-256: 38C8AD29F492A8A73D7B6F306A9494D07F8D0F874C380975A71DE3ACE24D3914
SHA-512: 052C8910CBB069DBC23C04A0782EE2AE80F2DCF45F4DF71C5A9D2BCA073F3C67C44400A544845C4429DFB7ADA45DFED4F3AE1CB99FADBED15C1C79525AE50D6B
Malicious: false
Reputation: low

80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 4991352
Entropy (8bit): 6.097816081905885
Encrypted: false
SSDEEP: 49152:9PrnRLX8ziolcD5jX24Y/g1YmNBayW5Ci72yEBzw9vb5:tnt8zi8o5jX24Y/fmLaZv7xt
MD5: FFDCF232D0BB2FFF78721FB347641A76
SHA1: 54C76A2FA61E6DF1AE4C9DF65435A38482C2CB71
SHA-256: FF42BCA704605E187ABB45523868B15128D6AF1C28AD40A4579D507D34A953B2
SHA-512: 89DF103556CFBD955283BEE551576134F9A7B0D121E12CF6DF4E9F4028075B2C4FF9D22886CFD21B10D0A0D6E640DB784B74D42EBAC4A45CCB9CE9C725A1FDF1
Malicious: false
Antivirus: Metadefender, Detection: 0%
Antivirus: ReversingLabs, Detection: 0%
Reputation: low

C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.ALE.UsageStatistics.dll

Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 66288
Entropy (8bit): 6.374882652434104
Encrypted: false
SSDEEP: 768:7nsm5+EMledrAxB130hWPLKgO+QSefvV7L3nGmjSm5M3sYLVbK9FMw/GXUwtCV+l:7f+4uFWCelf341m9FTGk+CV+01Ul
MD5: 7E2DDD9FEA511F019735409E50640D3F
SHA1: 113C015A89F50D8305ADF3E7F5927B701CA1384E
SHA-256: B423B63532B6861055DE0576AAA6C6FE935026202791D93FB04D5B5BA67306A0
SHA-512: 7E405DE6F5A5F92B0019043EA41EA9CA192AEF6152B737E14436457309A0C098FD1A03669178EF30E6D6F90B5D9DEE81B2AEDBD7F7DC5879EFBF18039BC9D3D5
Malicious: false
Antivirus: Metadefender, Detection: 0%
Antivirus: ReversingLabs, Detection: 0%
Reputation: low

C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.Common.dll

Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 12528
Entropy (8bit): 5.791834815771361
Encrypted: false
SSDEEP: 192:g8bUhUDBgz0aaK5bW4CriD3Pf1MnpGNTvrVfOyHcGwj2:3b+z0aaGb/xspGlxnr
MD5: 9EFCB223C3AD4CF1DE0B3B5132A29D74
SHA1: D32CEA5C310333E170F922682F9149C363B82D24
SHA-256: 3B76B5B322679D663AA49915CAEA99C5EC6474DBD149B074D27F0E18A23EC3B6
SHA-512: 28F78091320483AA4B3BD1495403B0D846DCC91024FAB63FCD2C76BD706B18489F2A363C323C587A311373DE0CB85E9B2BB23EC6B4EA1DF47913B8A884E7989D
Malicious: false
Antivirus: Metadefender, Detection: 0%
Antivirus: ReversingLabs, Detection: 0%
Reputation: low

C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.ComponentsLib.dll

Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 13040
Entropy (8bit): 5.67202537063726
Encrypted: false
SSDEEP: 192:hQ5tSvKmzWNL0fgqpdTKB2cRP9huAiEWBtbNr3PvdnL29YHcGw/D:hAwvKc51PKzxiEktbxXdnL2ECD
MD5: 0614AF552E542D4AACB89BA1B404BFAE
SHA1: 50D545A08EC12545EEED7711FC3B3A385AE42978
SHA-256: 5AF1DD59D6916554CD7B77A2F4950C66D0E3287A15646E9DAB0C10E77C92A4AC
SHA-512: CBF8474F7C72ACFF77B845D011F27773E3EDB5E073C5577D536E3DEEC7B7807C95A5F18B9E4ECCB65DC9FA7227C6865F7735C3F8256D81EFBE67A5AF727890D5
Malicious: false
Antivirus: Metadefender, Detection: 0%
Antivirus: ReversingLabs, Detection: 0%
Reputation: low

C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.Node.dll

Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 46832
Entropy (8bit): 5.77453521817218
Encrypted: false
SSDEEP: 768:kAUF9NfnJvfTgr/xG3MXAjmPdlQzMuoT6jvmNNENdLLDVr+QEmC687gDgT8GGxc:k5hfTgrYV6PdlQzMuoTov7DgKxc
MD5: 82566C3F5E75E06ADBD5123DCCAFA46C
SHA1: F44E2C362484057A932D241D5140268F717F6B4A
SHA-256: AFC2E74682EB57089A0934623E5BD8021593D6CF1B6187733900694D57054C8D
SHA-512: AB9D856FB732C031A653D860018376DD056F0FED5A5886FA0DF4CBCFFFBEE6D24FC5654FDC861141424BB3C50C681BE020952D12D35B4EEE46DBE109AB674DF7
Malicious: false
Antivirus: Metadefender, Detection: 0%
Antivirus: ReversingLabs, Detection: 0%
Reputation: low

C:\ProgramData\Netwrix Account Lockout Examiner\Common\Netwrix.AuditCore.UsageStatisticsSender.dll

Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 19696
Entropy (8bit): 5.904761973311916
Encrypted: false
SSDEEP: 192:i/fsiRRkxIgqoUH7PQ13jBddZQLYdxUEtguLhSt8XR7HJTHYswgsBaaDMs53+hyL:eRRQqyzIHEhhTJD8BDMFhMQGFJ
MD5: E88A75151A82C6970DD3A7CF3CEB883E
SHA1: C854EEECFB62C8BCBFB0C21E3B0F5CDA548294B1
SHA-256: 352F3C563AE2307DA17E2F8F9CDFFF14AB15C987AB3E46B3B8F81C52F8D86AC5
SHA-512: F4CF76469A66F42D0248C30BEB8C43D736CE1AFC21BF448D5115839F1599A63CD8BD55F90828F0F2583F90B750801643BA7035721F55B984EF5CDA3A21495D63
Malicious: false
Antivirus: Metadefender, Detection: 0%
Antivirus: ReversingLabs, Detection: 0%
Reputation: low

C:\ProgramData\Netwrix Account Lockout Examiner\Common\System.Data.SQLite.EF6.dll

Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 186880
Entropy (8bit): 5.794712003587705
Encrypted: false
SSDEEP: 1536:nyUY5ArG1Vl6KP8cglLECvD0UZhZ+M86AaDORzxOkVabge9lh0En:nq5AO36KP8cwLE2MXcOegaZ9T3n
MD5: 7D4DE390307B9FFBF4E73DC8B81BE9F9
SHA1: 50EFD6211D5A5E38160486882A5F4A34FBC4942D
SHA-256: C0FCB231810795D7540468D9C220A920F925284231DCE760185D9EAF9C12EA66
SHA-512: 2DB3D98C4907BFB73ED1F838119013DC02DD1F66DCC65F2555974F9ACC3E67E4238F842A4B984C74A8F1CD6E73D790E52366004C9C8C7233F9A93D7985F3A95B
Malicious: false
Antivirus: Metadefender, Detection: 0%
Antivirus: ReversingLabs, Detection: 0%
Reputation: low

C:\ProgramData\Netwrix Account Lockout Examiner\Common\System.Data.SQLite.dll

Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 364032
Entropy (8bit): 6.016661202515103
Encrypted: false
SSDEEP: 6144:bplhytE7KivmenMk0Tm1udZ9KxTNwzo57QFNFfcaFeFOFwcGF6cmFWc0FWc8cIcR:NKkmeo9FNFfcaFeFOFwcGF6cmFWc0FWt
MD5: 17BB52713D75F8B334A311BD27CF5F23
SHA1: 24446D9F4E639454F36B6EDCC187834A059B6082
SHA-256: 6C156F7CF30A6C1E2538E8EE8744F641A9270E9B3A1D5B13C8486EA8B8CD5B03
SHA-512: 33934DD07F98C87B4C86D0C60C64BFE5FA5BCD74F314AF9069A0FCAA9A3BFEFE331AB751652CED5FA100A490088F063421F0BE14A7C6E995665C0EF5D01C168C
Malicious: false
Antivirus: Metadefender, Detection: 0%
Antivirus: ReversingLabs, Detection: 0%

C:\ProgramData\Netwrix Account Lockout Examiner\Common\UsageStatistics.db

Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: SQLite 3.x database, last written using SQLite version 3011000
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.5994477301705048
Encrypted: false
SSDEEP: 48:TWwYEeHRqfvHG5LtaPTX6E6H3RBndl1mrY4IKaDRYt5LtX2k2HT:CDEeHcfvHG1IP7je3R9srY4IXWt1D2z
MD5: 53EB617D150F060B21FAD5DCA3BE7937
SHA1: 77E8EA49E49F5A8DA9BA72DEE7BA4DB11AED06AA
SHA-256: 1D216AE905B63B6FD36626E6F4C032717BE472C52B1F55F88725DFF96FF2E5D7
SHA-512: 8F062148848420813CBFE7D2470F39D639C761B86548356211B002F44F3E2BC1ED03C53FDE2B4AA4749128D8196359198293F31F46D9FDE9B94C8A8CCF443488
Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Common\x64\ComponentsLib.dll

Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1344752
Entropy (8bit): 5.9102809354572825
Encrypted: false
SSDEEP: 24576:9suKOqIvqraF9FK/hqi1k3bJo5Mo+pXPNwo:9XKoqrmsqck3bVo+puo
MD5: 992A720A53AB664FDA95072622BE5A26
SHA1: 68DAAC115CA1E4FB04EE6E12CA5017B197F8482D
SHA-256: 280897AE054753FB60608C65BFF78D1EF3CBC89A2922F20491F9853044D0BD61
SHA-512: 517612817D316A3C6894BA28636F91ED43A09EC24CC835748C176788BB211DE5FA82CFBF00621329D5FCBE58EC01D1467628ACE2565B4FE753D81F0135BD9B79
Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Common\x64\CoreErrorMessages.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows Category: dropped Size (bytes): 48880 Entropy (8bit): 3.878943307340076 Encrypted: false SSDEEP: 768:nGGDGChb+BcFzdNUePuMKeImzEX1wGxAPmFfUd:nGGDG9MAAJd MD5: C1B503DDF262A97D710790B2F02EC2F0 SHA1: E65C527350DC72E566DA7B8AD58781B5A9604E95 SHA-256: C8B40219F4A926E9D6C368630112D72F4F15EBE74415EE880E3A7DA13D801953 SHA-512: 893C10391876E99022ABCFDE15E138DD5C831640449AF9AC9B31F452F3C4E9C0E88FE1846E55559DE8CF433FDE3AA2780CED9904431BCD1B06B433173C929B13 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Common\x64\DataLayer.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows Category: dropped Size (bytes): 1090288 Entropy (8bit): 6.2167880691415505 Encrypted: false SSDEEP: 24576:DJ0VAReWM9FPZtRN8CRLQfVXd6NWItjxXFIEQE0pWRBxKf:90nZLq48ItjxXFIhE0p1 MD5: 2815D58BEAD055278A3323E9783FE3B1 SHA1: 672231CAAF71EBDAE15049441D0AF3E859426050 SHA-256: 9C3C55631DD968F186089DEBF9C1EADE90322B2DBDA13C987E0BBEC28FC4B258 SHA-512: 89D6F1FF64B98B7F2EBBC0227FD36D69D6CA40B1E919447BC636A7A99DADB3BA7DF07E05F8CFD61004E2E47F2D15A9CBFEFB72C4B47F10D93AC1AFE6E0B3F8A1 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Common\x64\SQLite.Interop.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows Category: dropped Size (bytes): 1678064 Entropy (8bit): 6.513822455195177 Encrypted: false SSDEEP: 24576:rwI/ZeTLMOTTDOl6KPFgLkTqTeLtr5X5L22AoP7Y1N6sMRk7/MWn/87pd0PXKqcd:M8MDgHQeLL5L2LPOR+nYpXj MD5: 880E747B69607B7215308A8E4D257C1D SHA1: DA996866CFA923E9CD7647F85052F53DA0381998 SHA-256: F244A1AD9171B01B326064C8EBC1388F26D765060973A98D7D6BFFD701919E5E SHA-512: 511F622D693BCBBC1038172D29017D4AFED431787FF378B8EE475BFFFED13B9F3C77B2A14940FE9FFF13D46AF9103EADE6EBBCFA156AE3C35EF6B1FD6CCE50F2 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Common\x64\UsageStatisticsServer.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows Category: dropped Size (bytes): 3785968 Entropy (8bit): 6.050736654221608 Encrypted: false SSDEEP: 49152:tnUj/nx383BpubyvE5CHGs8KVHjQYALz4GTYsQwWK:tUjq322vEu84DQbTYsQwWK MD5: 9524AF2C2C88A82A9495D5FEA7FDD3F9 SHA1: 4895773D102CBE557C437EF6A233C7F8503AEA0E SHA-256: B4DC8F3F57346375BAD4F6E653DA9BA565C9A92485E33859BA616FA723EFFCB2 SHA-512: BDBFD80462BFB83D2416F48F850A58C13E05CFBBDA398C9F7D03717243901266BA393D9D9572FB234C3BE9DFB7E74AB333EAC3B726117E4FC3E5CA61EE8FB272 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Common\x86\ComponentsLib.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Category: dropped Size (bytes): 1003248 Entropy (8bit): 6.387900577113299 Encrypted: false SSDEEP: 24576:c4pG4uSyO8wsO52IcLIO4JMMnPFlxOeVwZUjHYP:h04uSyO8wN52IQd4607+UL0 MD5: 000F64B1E8F84979D251AF6EC7278967 SHA1: F4B8C8D97BA404A0B0F2F5EEAE1A9F6C25D7D2B4 SHA-256: E96C1A383589F4A873807B6EB7AD3C7EEAEEF0AE2467501B38B76C7463CC5971 SHA-512: 5A1B840C81CF21F289C8BA2F71212AD4B949FDFDEF5E0CFE475846987C2AF337B9A552A5BD66B5B13246B15E05791C5498DEB1F2052128334E4597C3A2F26715 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Common\x86\CoreErrorMessages.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Category: dropped Size (bytes): 48368 Entropy (8bit): 3.9091448344604127 Encrypted: false SSDEEP: 768:0GGDGChb+BcFzdNUePuMKeImzEX1wGxAPmFfAw:0GGDG9MAA5w MD5: 82D3A8E1424989F41C30F8B66E57280F SHA1: FF6002C0DFB00FD93B8247ACD282AA80FB1444BB SHA-256: 27B417E0FB55B36246D54D608D9E49A668EEA841C1285094EB0FD01B2C26A90A SHA-512: 7289D9450F4102E076CB909808FA80F42DE741C56E379E16B3189AB4F8EA8A83049D12513E2A5CFCBB90AE0CC8AEB3E898EC0A8EF16F80E6DE3715E49C1F3813 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Common\x86\DataLayer.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Category: dropped Size (bytes): 851184 Entropy (8bit): 6.5430720962254485 Encrypted: false SSDEEP: 24576:pSLej7/uUVD+H7ETw/JrS8LPAHJM/GJlZlvnr:pAauUVD+vAyPMMwlZlvnr MD5: 92BD09F3039A5A77A3509FF893496638 SHA1: ED33F5DFCA8D9DC95592C2988596764BDF35A72B SHA-256: C4FBCDD806E2AACE19F6623A4E7998BD0E9CD797CA71480D8587BDB5FD429BBF SHA-512: 2C3CD522BB74A621EF8F2F57EA075A4C13D54EDD5344E27A661E891ADF41098E9803BA5829A5A81CA60CCEE41644898A9D511504F481116BE72ED9133B7C5ECB Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Common\x86\SQLite.Interop.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Category: dropped Size (bytes): 1365744 Entropy (8bit): 6.783967050188796 Encrypted: false SSDEEP: 24576:rcbN6B9z+P7j7GA9ZyHAlDvn429TSQ+2f96dpG8MaFXbjxXrVyFNpXO1:INkz+vS8yiv0dcJaFLjtoNi MD5: DCE26B21B1E0134A9C9A1DD4C73DC511 SHA1: AAEF1EFA21D0FB1647E7BD6404D8EAF8252E5CE2 SHA-256: 373A8771B7E0392C3DC4C24979BD31D05CE0C395CFEBC54A871C028FFB6B5B18 SHA-512: 38DEC9330E2F8B061411C5E0D98993CDA3C24888E006559DCF33D9B48D0201D4ECBCD98A2F35109AF256D59EC242D734E12FB57B5A9FE3D42C33604379432CBD Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Common\x86\UsageStatisticsServer.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Category: dropped Size (bytes): 2897136 Entropy (8bit): 6.48496942621266 Encrypted: false SSDEEP: 49152:PC9MZ3Ldz99iF2JM9mnSM8B1BJIA/qICtWTO2nmD/sFB1bTiLZaDU6:L5B9iQ+sV6xIaqhtW4/IBL MD5: 693EB327AB951AAC0E737775FE5A9B79 SHA1: BEE9F6CC3B5CC000E3F5D883AEB668F8667177F0 SHA-256: A32EF339DC430401F0A792BD2AB28EF51CB4FAFA3650CA324DC063229B8B28C7 SHA-512: 21CC796C4614540C5437303B39D7F97CA06AAC30B788EBA19F2521753CC1D4FF73528308C5ED19B7C01EA5D2F27C91ED98215C1A012DCCABAB8B6996A8ED87DB Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Examiners\Netwrix.ALE.Examiners.Application.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 26864 Entropy (8bit): 6.274386946791171 Encrypted: false SSDEEP: 768:UgSr7HYMmiKNn07p07t3VDm4xTVCSsZiRkJ/:e7H/G07m4ZiSJ/ MD5: 04C2A141021053FE0C3136F8F4F15D9C SHA1: B77604706A809341EF82C083E0876A3DF79C2620 SHA-256: 74BE4D8E1297D672E2DE9F3E4220F35BD46AFAD26DD7543D75D0542D3F2BBBB7 SHA-512: 1697858DBF641ABDB7924B467995EF8102A194C3134F42DDE253DE9446865AD041C90D3050E1EE2F61F773E150176C30BDE4F00ADABE0B5A88F51BFB49C62731 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Examiners\Netwrix.ALE.Examiners.CredentialManager.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 42224 Entropy (8bit): 6.321922988910379 Encrypted: false SSDEEP: 384:giCh52B6N+fLLDOtn6aeQOX0TlhC3yt/6kz054bb/j0YD+YXzkW5NmY/Ed7XNbkZ:wW/DTehtl0av/wYD+YXerr+xbilItV MD5: 4613276BB56488B91B2DCBA250712D25 SHA1: DADAD026CC825968E62216A1D5E1B89D5F59C073 SHA-256: 7E6E27B12163528D941F540595AEFAA75CE3DDEAC4E45AF52937E667688B267B SHA-512: BCE57C8C617D041281B064D17AB02DDA336BBF0A96EE11CC8C2BBA7798E5ED728C8E4B54888096145D7B92F72DC2125A8F71824D6FA2AC5C25AC0FA8E0203832 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Examiners\Netwrix.ALE.Examiners.HumanFactor.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 30960 Entropy (8bit): 6.310819148949 Encrypted: false SSDEEP: 768:j0ju/wy7tFaUpahc5rR1lE9JKmKYD3I7c2qiJXHGTUvp:AaYyLi9riJXHTvp MD5: 281C7F1BF66B28EE7241287A72AFDB88 SHA1: 11E80159541DDC8C48B4EA5092B15D2F2F11379C SHA-256: E967CD79EBEB5ABFFB1FD5AC9531F391D8320ACA2AA2DBA1C3203763129336B7 SHA-512: F9155D29D6A34F6483B9DDA1D3F77220294B6F2F420EC9F226956C1E0BD417641E0B42954B79CB845AA1CB2A3B20F7B9ECB7648ACE9386B04928599C6E476CF0 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Examiners\Netwrix.ALE.Examiners.IIS.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 43248 Entropy (8bit): 6.375881870442856 Encrypted: false SSDEEP: 768:Y2JN3zwO1DY4lkv/4ysDdq88cD+JvlowuDyE32PxPy:R33cFuC/4yeAohDJ3QPy MD5: DA682D62E76119EB7AF2F8BB440639EA SHA1: 0AAF08F0E299D660F20F9F1A21D5E0BECF8B2C5D SHA-256: EBF5E1886E7ACED9EBF6734C152909A9C1F4847122921797B1ED2C6B06A2E6C5 SHA-512: D94AA62C201C0AD5288DB63D78CFBA2A5D207A92F1B4283C515524B1D04E79ED203152542EA04E775D5B4865EFDBD0F09C57A3DDA5A165EFB0E56CCC9FFA9AC0 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Examiners\Netwrix.ALE.Examiners.TaskScheduler.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 77040 Entropy (8bit): 6.185547236908198 Encrypted: false SSDEEP: 1536:iae5hWivxhfZ6ZxZUgesBz0GbJcQaBAzeEJYJ9JbNYuYP:i7tJTCxZURsBz0IJxXzeQYJHbNYuYP MD5: 2011FFACA4F5BC4CD0533AA13844F114 SHA1: 45809605E85AFDE101A4BD60789F71D2E2490705 SHA-256: 53876C6DCFD20FAE2FA9B5D46DC7F886CC069F90EEFD6C10AB71A8845DB76218 SHA-512: 2D2F9FC15B1811D8538CA2C19F54CCA222EC7CA9931135DCA6D0AD837ADEA9965026094800209413F9C35CF4C590AE54475238C30DE0EC59A3551206FA3EDF53 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Examiners\Netwrix.ALE.Examiners.TerminalServerSession.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 29424 Entropy (8bit): 6.289765580649617 Encrypted: false SSDEEP: 768:ekbAGb+jnMqKY/+w/mRcD+V7UZ2ybnLs7jadKVt:elU+oqKYmA2mnLszVt MD5: 3A61C0DAE87FC41670F5C0D02D56ED4E SHA1: BF5EE54E1CCB8CE14144F40281FEF9965EAD6566 SHA-256: C8841F508017A383D237FD9A852E265BB721B3E37419B34AC0ECEDBDACBA2909 SHA-512: E3A7A185324BF2F28BEF08F1CA6DFA33BA374EA90410C203DC3B08ACC14707ECC28B5F9F958273E4437BC2F8D8CB28DCEDA02C9075D9852DBA87DD1B2142897F Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Examiners\Netwrix.ALE.Examiners.WindowsService.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 35056 Entropy (8bit): 6.3286945677331445 Encrypted: false SSDEEP: 768:NeyE6DXnZbzVQumAYD+V7Us09kNufKZNKTc:NjtXnZbeqgTc MD5: 77BA5E0BF2982D6C6FE8E8DCC9AD92BC SHA1: 0131A48D1E6558AD731B84F7775D88A78170243B SHA-256: 3B88978E28CA935B80B1C3FC0D1A65843681E7DA268280B4346DFFC8829A3577 SHA-512: C61AB318B9777D1F5E333AB33DD6C9750D3805C3673BF4817F524E2F7129AFE254DC1255C3F6C805E982AF265BC3AF04230E3EE409362662606A577C5DE84778 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\Castle.Core.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 434688 Entropy (8bit): 5.854413824287925 Encrypted: false SSDEEP: 6144:FGt/Gt/tvyi2rNJVGlINLvQGrMkwc+HRPyVqRBHItEqZDeF+:kt/9JVGlQLvQrPyVqRBHI5ZiF+ MD5: 726AB57D22C502A460576F55041A9CE1 SHA1: 04E9C98D812A180D954441F41225FFD6EB6ED60A SHA-256: 1796277A7AA9F2A9835C070D28FED44B3614CA221A2C1AFFC21A4C4E41194C3F SHA-512: 2D12178086A6BD835BBE38EB27303E630AA06DCAF229529D303EEE90E11BA24FA2EB5C409EDD73600844045594175012BBFBE17C3282C585515E838FE6D5DEA2 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\Castle.Windsor.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 351232 Entropy (8bit): 5.969301692899601 Encrypted: false SSDEEP: 6144:RmzPAx1ra7i3e7GsCuF+lDQkVtwpe3wjevmPtx4fz:Rveae7FCuslDQkVtwpe3wjvx MD5: EF993B5091EE15132D7C07E2DB117585 SHA1: 70EE8D78816315C5DD9ECA98DA5FB7E9A5275F35 SHA-256: 4291682FE416702A70631E74C9B8EDF5F3E0AEBBE8D7A580A768CFA07B7A4CBC SHA-512: FB943D08FCC601A948782520CE1B0A64777F1218855C8CA2CAE37AA9D73D079CF36E7D8606CC46183FD2B104413901953B90B3F06F858D39A502186A30C6C3AF Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\Netwrix.ALE.DomainModel.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 57072 Entropy (8bit): 6.218867669798392 Encrypted: false SSDEEP: 768:JizvABXn0yTyHY+Dl1ZS4CkHI2Go65JKlX74sE6wDb7pFI8E146Hqks0FdDp:ovMByY+DbI4Cx5GSITqkzFdDp MD5: 8E870405754F1A994A1F1D5A4B0A0683 SHA1: 5B32BCA26FCC8B5E58506B102D4DEDF56124AB0E SHA-256: ED50EDDEA35649E5EAD5DCB9E2546EC70EB7A9FC645E78969F56C9E53DCFF915 SHA-512: A68A0C46CB2C8D9DE125806626128ABDBA715509C0A9F48EC9813396F2A52B13D04E1AB83A4E847E575B5C14A4746CDD6B5A12430DC76BC626E3596E15F5CF6C Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\Netwrix.ALE.Executor.exe Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 31984 Entropy (8bit): 6.393743305551039 Encrypted: false SSDEEP: 384:ptFxGliJqPTEYHKB0rf6SX0vJgi5WbOyH0jnrGkOLQYjTWGHDcKvKB9GI9AE05MB:nGlisg0ukCfGxLJDv69/9Aldche4 MD5: 73D47B74BA9E2FB5304B4074541724D3 SHA1: E5B76DF8D8FEF61A412F69FAD46B7EFCCF704A48 SHA-256: ABC11A5C2F04381B9B1D66238DB3BC914F8F89D0130A7B1ABAE76B20AF92C8B0 SHA-512: 42C4C8047D9C9FB3D33889CCAB41BCB90EDD566EDB25A4019AB3B53712DD087932A357E474E6B699A3C538382C626925BCD739ECA4D0003471DC600F71A255D6 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\Netwrix.ALE.Executor.exe.config Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators Category: dropped Size (bytes): 1217 Entropy (8bit): 4.971623277345732 Encrypted: false SSDEEP: 24:Jdz9KwjZM7rdEGMq+nH6VB5GNlkmuI56qMd6B5husoL:35rM7r+GoHTbknKisoL MD5: CD58E319D13B6AC222B694675CFAE178 SHA1: 7254DBA9B23F31ABC240932D39223647368BA5EE SHA-256: C8E454E2079EFFC9FA89943E714EF99C0355F6AB6D8C08F816B9D597B3F1C541 SHA-512: 3E6297688120E44D5305339CEFC7723CFF432DC9B208FF90E892A73B0FB748438951DB6F6E72A9B6C1749DE8D44F5A2B58368CC5C0B54AE811A674870724C174 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\Netwrix.ALE.Infrastructure.API.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 58096 Entropy (8bit): 6.20113110523544 Encrypted: false SSDEEP: 768:XJBKJDyxr2WetztSzTA2X7Vr0HRLQv/FKU3Jc/KO2oObfKaIy5H5w0PK:ZBguxr2WGzt6TnP/Jc/KO2oO/h9FPK MD5: 3916AAE1A094C50BCAB012C7F5F0CD02 SHA1: A5CEBFB9CB9E01A86AB1061E9981E547385CDE13 SHA-256: 917045011F7BBEF091D002545C1A854551F23AEEE9DD3AC53B91BD5BB15F22A8 SHA-512: 6D91F59A3794E799D49405BBBCC8BC9E2F8E635A5694B78D8CBF0D620898186C6BF2DCC2D2E1E14167E10724B5FE2446F592638DB57D608DB0A6BC8842441B57 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\Netwrix.ALE.Infrastructure.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 38640 Entropy (8bit): 6.314512168368028 Encrypted: false SSDEEP: 768:3Pf2stmnsiOx1CEPXZE6aW6+H7/umGtXwe/AK3FMItU4Jm:/fSn+1XXqZXw4hMZ4Jm MD5: 0EC84FB772AF1B0661C9FB1C959358BB SHA1: A763B3AE6A970A241632B78A9D19D6EC1CE05379 SHA-256: 969D3BC4EE5332B446B3480043F6245DE15889FAA7F663FE039495E7DD33DD73 SHA-512: 705FFC52DE8AF9C19138DB1D8AA9A5080A427D49BD7FCF7277DA2CD0C16473133B13E1646B687642C3AA3D5496A56238BE7644EF51F136871A1ADB0026722758 Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\Netwrix.ALE.Services.API.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 56048 Entropy (8bit): 6.215571111474026 Encrypted: false SSDEEP: 768:5Xz3YP5ab8SulB4GIZwO0/tur4gAfj4D9WJSUMbkFgk7xlflHCmd:Shab8SubC8BrXxtRCmd MD5: 3F9ADDA07527EFC3DB8F733C6BF4226A SHA1: 4A6008E2F1DBA9D59199026585A9052135947BA9 SHA-256: 7060A88B6130EB98C6E563485114A772A46E28C1F47FB5BB3D8FC5F6AEDDD6EC SHA-512: 0EE7FA611413FCFED8A9B4D113C6446258D28E3C0840F899A09C8053089FB4B9EA59E7FBDFE87AA080A5B891C7B4C5AAE1C4C8A4B36FE3C2E9D6AA57D410EC1A Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\Netwrix.ALE.Services.dll Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Category: dropped Size (bytes): 196848 Entropy (8bit): 6.474925933291561 Encrypted: false SSDEEP: 3072:oBJ/cVS2VYSxZ2Cv8Yz4gYx5FoHLPWzh1PB4BVhPTogtVGdoVo:oBJ/cIM98YMRfFwLPWGhTo MD5: 39452F765218C753FF21CD98FA3E536C SHA1: 14DD818CD231BFDBF28353B3BE41428F3AEED5CC SHA-256: 752F0C46706B5DA7D778DCA63113B17EDA0A1FBA676BBB676A90B29F5439FAB5 SHA-512: 76CA8AB0961503C05E5A3387C798D3C07D09D0F86BCDF3ABADBD4A3DE4EC5174300D2154FDA8D2262F675BF31B82E054318AFA1A846898C511516CB139EB383C Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\Netwrix.ALE.UI.dll
Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 563440
Entropy (8bit): 6.07215977427802
Encrypted: false
SSDEEP: 3072:HfhZtTqMU4coqK61bThnXrMiYC8YjGOJA7JbpsigKF2cfiFBEFrJlxQXK6uY9Zi7:HfhZETjKKVpmzUYIRb1sDYi
MD5: 733F4A0807CFDE67555BD8C187BB2BE8
SHA1: 1D5427D4624A46A9351788621AD98679FFDB59AC
SHA-256: E0DA8CD5B8FFEDFC8D787EAEE9FB36098FC040A87C35C690AA7F860580EBEC41
SHA-512: 2472F719B63C12938E25DC0FAC0E6374B07BBCA5074F1651106DD7284B4B007FF245970727CD5EBA85EA9B105A041582513ABABD1EE850D1A5118274919388F5
Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\RemExec.exe
Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 208112
Entropy (8bit): 6.483109520238264
Encrypted: false
SSDEEP: 6144:o6kUi0qtrQH3xltx9B0oaVYgjRECERZKMpkxa7Ljr16P:o6kUVe0Hhlj9B0oaVf+ZzZZF6P
MD5: A4977BF74DD9DF72593CA560D219F3B1
SHA1: 33DFD3F4157A4F29783C35E97F2C1BACAB6699C1
SHA-256: 99651863B99D863757E04C155CE86F9DB106A671B0AE34C4737C59328E1B585F
SHA-512: D694F267318CC0EA58EC35BB42CC16DC7D832C508D07301C01A688544CF26BC105FDAFD40DAFBB5F056F1470D1C34C2D00B3016EE5B8D2B55DFA271F9892E8D0
Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\UAParser.dll
Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 213504
Entropy (8bit): 5.787924703434408
Encrypted: false
SSDEEP: 1536:T55HYEJDbvXqjZ7AaqjZXWjK2d1SZrwAvRvG5pIVsVar1m1CN6iA+TOIfeM3TVzJ:T555UT+Gp6CC4iA+Rn
MD5: D94C96E8AF19E1B7F1EB01868159CC44
SHA1: 8FA6049CCE91FCAB86B3476863034FB57C15A7F3
SHA-256: F9A4523D45E175AB452095A107B63035932FEE93CB256C9EA8F259C7A1F4693C
SHA-512: BDDAB7107F060E1F9EB8BB8947B1DF8EE4207161ACF7488079CAA45EDA309C673B9C022D1D8E5473C270B838A2B7B1CA5CA2EF5365483BD82A7E28D5FA045B71
Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Libraries\log4net.dll
Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 270336
Entropy (8bit): 5.576980425455978
Encrypted: false
SSDEEP: 3072:HG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhCj:HJrycoB3HVeESME3pnaVTS1nh7hCa
MD5: 27FE8D18682FD9901E589E65EF429B23
SHA1: 6426E96243911BEAB547F2BC98A252A26692F11F
SHA-256: 896AB9CAC41E3977792BA2034EA8730610C2779FA51BAB6BED426094EA8D3ECD
SHA-512: 9D6BC8C77C72CBAD15E808281818C2768F1B44AA6EA1D54A979C91218B8FBF2A02FEE49FA97DB6CFA6087DDC363D6CDD6407E4494934B4568C514437030A2615
Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Logs\Trace.log
Process: C:\ProgramData\Netwrix Account Lockout Examiner\Netwrix.ALE.Launcher.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1437
Entropy (8bit): 5.219118152954168
Encrypted: false
SSDEEP: 24:fySydwF/y+gcy11yd3yULRdVQxyUAfBYcyey1ybZxHybggybNUByOxxan5yH4PyS:FP4sfBYNkptUVxnuQHeAbALAZlGdee
MD5: 999B2BB2D543EF149E07BE2B4E126848
SHA1: C521242E78DB83B144CD95A3961FD2DBD8353C5A
SHA-256: 63C2297B6E38EF17DEA3EE4670DADA468EC66EF6D3E85C064502A668E6FED219
SHA-512: 3C8F03144C82FD74F4700552AFAD539B2CF60BAC789BC374925EB73E24B1DAB7DDCFBC3F9C8C368305055F175408F28B22BB72B83CD12FB1AA1C4B4EE120BAB3
Malicious: false
Preview:
2021-08-19 11:13:12,136 INFO ===== System info =====
2021-08-19 11:13:13,433 DEBUG ApplicationFolder: C:\ProgramData\Netwrix Account Lockout Examiner
2021-08-19 11:13:13,480 INFO App Version: 5.2.217.0
2021-08-19 11:13:13,480 INFO User name: computer\user
2021-08-19 11:13:13,574 INFO Machine: 061544
2021-08-19 11:13:15,574 DEBUG Instantiated the User type for 'computer\user'. UPN: NULL
2021-08-19 11:13:15,730 DEBUG Connecting to WMI path: \\061544\root\Cimv2
2021-08-19 11:13:17,183 DEBUG Query execution: select * from Win32_OperatingSystem
2021-08-19 11:13:17,324 DEBUG Read property Caption = Microsoft Windows 10 Pro
2021-08-19 11:13:17,324 DEBUG Read property OSArchitecture = 64-bit
2021-08-19 11:13:17,324 DEBUG Disposing the WMI query
2021-08-19 11:13:17,324 INFO OS version: Microsoft Windows 10 Pro - 64-bit
2021-08-19 11:13:17,324 INFO CLR version: 4.0.30319.42000
2021-08-19 11:13:17,324 INFO ======

C:\ProgramData\Netwrix Account Lockout Examiner\Netwrix.ALE.Launcher.exe
Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 71408
Entropy (8bit): 5.563854813111748
Encrypted: false
SSDEEP: 384:kyknDVFqY2zxNFG56ZUKaLI3UNtsz7+2UC+Kjud/UW+v7eryfx4YyEkdufyrpVwG:kRxFq9U5jimWX+2UPzmhXfyra05vFBv
MD5: 3E6448BDE464CC02762DE87F1928CF17
SHA1: CEC1DFF6C7D236D4F1571157614B9F932501E1C3
SHA-256: 3F6C4E0286CD15FA5AC172AAE5E60F615253DFF6ABF46B127AE70CC369809F4B
SHA-512: B7B04990027E0AFF0F4FADBD0A9E8A8525AEA364055CAAF8410C7D55EDC8275E72EE16581F01ACE829E6E654F8B5430FD18C00F6F07E512002B77902B1C54A26
Malicious: false

C:\ProgramData\Netwrix Account Lockout Examiner\Netwrix.ALE.Launcher.exe.config
Process: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
File Type: XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 3907
Entropy (8bit): 4.9276382846641935
Encrypted: false
SSDEEP: 96:Pe7X87Fr7X87Ktr+/1+g/AvQTrv+AvzvPAvTuv/Wj:Pe7s7Fr7s7Or+g
MD5: CAC40D3DC03301882A7F55B3365C5A73
SHA1: 1F4D0CC8D48FCCE7D79B0878643881CCBBEF9DD8
SHA-256: 27DB02F3EE5704B0DEBAD7C4C90046DC8669F3536E02934A11F5684AB6BCABCB
SHA-512: 640CC8CC9CAF75E683020AE691F528476324422BC1C30CCF40D64B82EB7AABC0585AA408F41EFA224412743FB78D14EB346A2E388341A9BB2561F6707F32C781
Malicious: false
404 Not Found

Not Found

The requested URL /aleVersion.xml was not found on this server.

Aug 19, 2021 11:13:26.258457899 CEST  1170  OUT
GET /aleVersion.xml HTTP/1.1
Host: updates.netwrix.com

Aug 19, 2021 11:13:26.397255898 CEST  1170  IN
HTTP/1.1 404 Not Found
Date: Thu, 19 Aug 2021 09:13:26 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 212
Connection: keep-alive
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
Data Ascii: 404 Not Found

Not Found

The requested URL /aleVersion.xml was not found on this server.

Aug 19, 2021 11:13:26.399585962 CEST  1170  OUT
GET /aleVersion.xml HTTP/1.1
Host: updates.netwrix.com

Aug 19, 2021 11:13:26.538697958 CEST  1172  IN
HTTP/1.1 404 Not Found
Date: Thu, 19 Aug 2021 09:13:26 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 212
Connection: keep-alive
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
Data Ascii: 404 Not Found

Not Found

The requested URL /aleVersion.xml was not found on this server.

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: Netwrix_Account_Lockout_Examiner.exe PID: 6372 Parent PID: 3260

General

Start time: 11:12:34
Start date: 19/08/2021
Path: C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Netwrix_Account_Lockout_Examiner.exe'
Imagebase: 0x400000
File size: 7748888 bytes
MD5 hash: 9FC98474B06655DCB0A9A392C0D86537
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

File Deleted

File Written

File Read

Analysis Process: Netwrix.ALE.Launcher.exe PID: 6556 Parent PID: 6372

General

Start time: 11:12:37
Start date: 19/08/2021
Path: C:\ProgramData\Netwrix Account Lockout Examiner\Netwrix.ALE.Launcher.exe
Wow64 process (32bit): false
Commandline: 'C:\ProgramData\Netwrix Account Lockout Examiner\Netwrix.ALE.Launcher.exe'
Imagebase: 0x1e070ba0000
File size: 71408 bytes
MD5 hash: 3E6448BDE464CC02762DE87F1928CF17
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

File Activities

File Created

File Written

File Read

Registry Activities

Disassembly

Code Analysis

Copyright Joe Security LLC Joe Sandbox Cloud Basic 33.0.0 White Diamond
