Table of Contents
Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
    Signature Overview
      AV Detection
      Networking
      Boot Survival
      Remote Access Functionality
      Stealing of Sensitive Information
      Persistence and Installation Behavior
      Data Obfuscation
      Spreading
      System Summary
      HIPS / PFW / Operating System Protection Evasion
      Anti Debugging
      Malware Analysis System Evasion
      Hooking and other Techniques for Hiding and Protection
      Language, Device and Operating System Detection
    Behavior Graph
    Simulations
      Behavior and APIs
    Antivirus Detection
      Initial Sample
      Dropped Files
      Unpacked PE Files
      Domains
      URLs
    Yara Overview
      Initial Sample
      PCAP (Network Traffic)
      Dropped Files
      Memory Dumps
      Unpacked PEs
    Joe Sandbox View / Context
      IPs
      Domains
      ASN
      Dropped Files
    Screenshots
    Startup
    Created / dropped Files
    Contacted Domains/Contacted IPs
      Contacted Domains
      Contacted IPs
        Public
        Private
    Static File Info
      General
      File Icon
      Static PE Info
        General
        Entrypoint Preview
        Data Directories
        Sections
        Resources
        Imports
      Possible Origin
    Network Behavior
      Network Port Distribution
      TCP Packets
      UDP Packets
      DNS Queries
      DNS Answers
    Code Manipulations
    Statistics
      Behavior
    System Behavior
      Analysis Process: 1dvwi.exe PID: 3348 Parent PID: 2960
        General
        File Activities
          File Created
          File Deleted
          File Written
          File Read
        Registry Activities
          Key Created
          Key Value Created
    Disassembly
      Code Analysis
Copyright Joe Security LLC 2018
General Information
Detection
Classification
[Classification radar chart; axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Adware; scale: clean, suspicious, malicious]
Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Signature Overview
• AV Detection
• Networking
• Boot Survival
• Remote Access Functionality
• Stealing of Sensitive Information
• Persistence and Installation Behavior
• Data Obfuscation
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Language, Device and Operating System Detection
AV Detection:
Networking:
Boot Survival:
Remote Access Functionality:
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Stealing of Sensitive Information:
Contains functionality to search for IE or Outlook window (often done to steal information)
Persistence and Installation Behavior:
Drops PE files
Data Obfuscation:
Spreading:
System Summary:
Drops files with a known system name (to hide its detection)
Creates mutexes
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Classification label
Spawns processes
May try to detect the Windows Explorer process (often used for injection)
Anti Debugging:
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Uses the system / local time for branch decision (may execute only at specific dates)
Behavior Graph
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process; node-type markers: Visual Basic, Delphi, Java, .Net C# or VB.NET
Sample: 1dvwi.scr
Startdate: 26/06/2018
Architecture: WINDOWS
Score: 100
The rendered graph did not survive extraction; the node and edge labels recovered from it are listed below.
Process nodes: 1dvwi.exe (submitted file), lsass.exe, WerFault.exe (edges labelled "started")
Signatures attached to the process nodes: Antivirus detection for submitted file; Antivirus detection for dropped file; connection with other malware; 4 other signatures; Detected TCP or UDP traffic on non-standard ports; Found evasive API chain (may stop execution after checking mutex); Found stalling execution ending in API Sleep call; Creates files with lurking names (e.g. Crack.exe); Drops PE files with a suspicious file extension; Tries to resolve many domain names, but no domain seems valid; Drops files with a known system name (to hide its detection); Creates an autostart registry key pointing to binary in C:\Windows
Dropped files: C:\Windows\lsass.exe (PE32); C:\Windows\lsass.exe:Zone.Identifier (ASCII); C:\Users\HERBBL~1\AppData\...\tmpE8F0.tmp (PE32); C:\...\WinRAR.v.3.2.and.key.ShareReactor.com (PE32); C:\...\Kazaa Lite.ShareReactor.com (PE32); C:\Program Files\...\index.ShareReactor.com (PE32); 219 other files (155 malicious)
Network nodes: ZIGGO Ziggo BV NL; CHINATELECOM-HUNAN-XIANGTAN-MAN Xiangtan CN; United States (two nodes); smtp.theriver.com; smtp.northcoast.com; 29 other IPs or domains; 31 other IPs or domains; one node flagged "Is malicious"
Other numeric labels in the graph: 437, 1, 7, 5, 4
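The graph records the behaviours a triage analyst would turn into rules: a copy of the sample written as C:\Windows\lsass.exe (the report lists the same MD5 for 1dvwi.exe and for that copy), an autostart key pointing at a binary in C:\Windows, and PE32 files dropped under lure names with a .com suffix into share folders. The Python below is an added example, not Joe Sandbox code, that encodes those checks and runs them over a constructed trace built from the report's own paths, PIDs and hashes. The Run key path and value name are assumptions (the report only says an autostart key points to a binary in C:\Windows), SystemRoot is assumed to be C:\Windows, and the lure keyword list and the table of canonical system-binary directories are the example's own.

```python
"""Triage rules over a sandbox file/registry trace (added example, not Joe Sandbox code)."""
import ntpath

# Canonical directories of a few Windows system binaries; SystemRoot assumed to be C:\Windows.
KNOWN_SYSTEM_BINARIES = {
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "smss.exe":     {r"c:\windows\system32"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Extensions under which a PE image is normally shipped; a PE32 named *.com or *.txt is disguised.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}
# Name fragments typical of files seeded into P2P share folders as download bait (example's own list).
LURE_FRAGMENTS = ("crack", "keygen", "serial", "and.key", "kazaa", "winrar", "activation")

SAMPLE_MD5 = "74E9710D0BB409AEB3F8881EF75B062C"  # MD5 of 1dvwi.exe and of C:\Windows\lsass.exe (report)
MOTW_MD5 = "187F488E27DB4AF347237FE461A079AD"    # MD5 of the 26-byte Zone.Identifier stream (report)

# Constructed trace. Paths, hashes and PIDs are taken from the report; the Run key and value name
# are assumptions, since the report only states that an autostart key points into C:\Windows.
TRACE = [
    {"type": "process_start", "pid": 3348, "image": r"C:\Users\user\Desktop\1dvwi.exe", "md5": SAMPLE_MD5},
    {"type": "file_create", "pid": 3348, "path": r"C:\Windows\lsass.exe", "file_type": "PE32", "md5": SAMPLE_MD5},
    {"type": "file_create", "pid": 3348, "path": r"C:\Windows\lsass.exe:Zone.Identifier", "file_type": "ASCII", "md5": MOTW_MD5},
    {"type": "reg_set", "pid": 3348, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "lsass", "data": r"C:\Windows\lsass.exe"},
    {"type": "process_start", "pid": 3428, "image": r"C:\Windows\lsass.exe", "md5": SAMPLE_MD5},
    {"type": "file_create", "pid": 3428, "file_type": "PE32", "md5": SAMPLE_MD5,
     "path": r"C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\WinRAR.v.3.2.and.key.ShareReactor.com"},
    {"type": "file_create", "pid": 3428, "path": r"C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp",
     "file_type": "Zip archive", "md5": "E8D7B0ADC8631013D59B27D6DD14E46C"},
    {"type": "process_start", "pid": 3472, "image": r"C:\Windows\system32\WerFault.exe", "md5": "5FEAB868CAEDBBD1B7A145CA8261E4AA"},
    {"type": "file_create", "pid": 3472, "path": r"C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml",
     "file_type": "XML", "md5": "473F87BD0A1DA2694A059532ED1A84CA"},
]


def _split_stream(path):
    """Split off an NTFS alternate data stream: 'C:\\x\\a.exe:Zone.Identifier' -> ('C:\\x\\a.exe', 'Zone.Identifier')."""
    head, name = ntpath.split(path)
    base, _, stream = name.partition(":")
    return ntpath.join(head, base), (stream or None)


def triage(trace):
    """Return a sorted list of (rule, pid, path) findings for the trace."""
    image_md5 = {e["pid"]: e["md5"] for e in trace if e["type"] == "process_start"}
    written = set()          # lower-cased paths the traced processes have created so far
    findings = set()
    for e in trace:
        if e["type"] == "file_create":
            path, stream = _split_stream(e["path"])
            written.add(path.lower())
            if stream:
                continue     # an ADS is judged together with its host file
            name = ntpath.basename(path).lower()
            directory = ntpath.dirname(path).lower()
            ext = ntpath.splitext(name)[1]
            if name in KNOWN_SYSTEM_BINARIES and directory not in KNOWN_SYSTEM_BINARIES[name]:
                findings.add(("known_system_name_outside_its_directory", e["pid"], path))
            if e["md5"] == image_md5.get(e["pid"]):       # the writer dropped a copy of itself
                findings.add(("self_copy", e["pid"], path))
            if e["file_type"].startswith("PE") and ext not in PE_EXTENSIONS:
                findings.add(("pe_with_disguised_extension", e["pid"], path))
            if any(frag in name for frag in LURE_FRAGMENTS):
                findings.add(("lurking_name", e["pid"], path))
        elif e["type"] == "reg_set" and r"\currentversion\run" in e["key"].lower():
            target = e["data"].strip('"').lower()
            if ntpath.dirname(target) == r"c:\windows" or target in written:
                findings.add(("autostart_to_self_written_or_windows_root_binary", e["pid"], e["data"]))
    return sorted(findings)


def rules_fired(trace):
    """Just the distinct rule names, for a quick verdict."""
    return sorted({rule for rule, _, _ in triage(trace)})


if __name__ == "__main__":
    for rule, pid, path in triage(TRACE):
        print(f"{rule:48} pid={pid} {path}")
```

The self-copy rule is the one that needs no keyword list: it only compares the hash of a created file with the hash of the image of the process that wrote it, which is exactly the relation the report shows between 1dvwi.exe, C:\Windows\lsass.exe and the ShareReactor.com files. The WerFault.exe activity in the trace produces no findings, as it should.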
Antivirus Detection
Initial Sample
Dropped Files
Unpacked PE Files
Domains
URLs
No Antivirus matches
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
IPs
Match: 64.147.108.54
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
9attachment.exe | 44f65c20cf16df36a16cc4e341c297ced4dd97635444d62e7db60bbb9fd41753 | malicious | Browse |
10attachment.exe | 5968cea0e3b08d693312409ca406b6d96cb4703876a7dfbe29b2c38c7bdb7068 | malicious | Browse |
40messag.exe | e2d3438e59c95ceebe5e5917bbe737ba8e078c8933197c75f01f146061062232 | malicious | Browse |
23transcrip.exe | 7cbea8fdb1641ea480520711c828b791c084c5b82041c2805f2c1ba2cc86621a | malicious | Browse |
26readme.exe | 60137af5b05a44215245b15906c17d2f0621c9fec759d37cc388b51a21e71b9b | malicious | Browse |
58transcrip.exe | 900f124a774ff085c896e9eb49bf0ba377401969401f0b3e522d1127f79fbeff | malicious | Browse |
.exe | e9e900e7fda9c84c4f01cd9e836c718f52b3bcb3a133783148f69c5f66f77b29 | malicious | Browse |
26pvhp@bes.exe | 17e8f74120e65045cff1bd0d3628020415f86e46110e3151a005b0304c33a6d2 | malicious | Browse |
45mai.exe | c8ac9c1a079fa7bd4cd28691ffae961a00319fbc5ba941f16aa1d087e05b0b98 | malicious | Browse |
16MESSAGE.EXE | 5c153e27488b51b583f9045a21e23bfb4409dd9e655626899f6ba5586c8aab10 | malicious | Browse |
59pgwy@jihu.exe | f36e3352c3ea5ca285a139a62e8121e2cfc15b4753b29b0b628e5be974e2b68c | malicious | Browse |
49lette.exe | bb581af43a8ea9cd2b9a175a69171a1d884b7284dfadb064f797ce2c914fc4f0 | malicious | Browse |
41youtube2@youtube.exe | 1eed12d7c1a7a4090eb49d92d875fcdec87b010ca1dee9657426df55e400f783 | malicious | Browse |
50messag.exe | 422423299747abb8dc4fe331fd87d133f9ad69923b2859aebe69f8a7c4d417c6 | malicious | Browse |
44transcrip.exe | c6af2a5e72ed545a43973cd1295987e3d61983fea9fbf9681d9e9fd0413e263f | malicious | Browse |
29documen.exe | 03da034b478c384dd986f334d0f17543b67fcbcf232e0b53dab13f18252a3b68 | malicious | Browse |
.exe | f34d1d0315f3741b62b94e19a74bf17a88d8acbe22cb61246ad0711fb0d36f14 | malicious | Browse |
41ygh.exe | ed9c42a6c0da1abd238a5ad148dcb8ed511f8f23191da6056bad460ee007797a | malicious | Browse |
12qJymZORpvp.exe | fabecd8913183b8b750905b680a4e247802a10807eed926504e235fe4dc44915 | malicious | Browse |
21messag.exe | 78bfd8bb27e8d5d5a879ac6cdf4803b11461fe1bdcc5776d8bbda20d87212ab7 | malicious | Browse |
Match: 64.147.108.55
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
9attachment.exe | 44f65c20cf16df36a16cc4e341c297ced4dd97635444d62e7db60bbb9fd41753 | malicious | Browse |
10attachment.exe | 5968cea0e3b08d693312409ca406b6d96cb4703876a7dfbe29b2c38c7bdb7068 | malicious | Browse |
40messag.exe | e2d3438e59c95ceebe5e5917bbe737ba8e078c8933197c75f01f146061062232 | malicious | Browse |
Domains
Match: openoffice.apache.org
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
5XWZmuQvvPQ.exe | f4cb503dccf44e4d92e99ade1bd772693a161bbf1f8d9866ba5f859b46da9eae | malicious | Browse | 195.154.151.36
31tatanova.com.doc.exe | 93a3c1e8727ad38b80f5d1e707f121e315771cb4a1fe351f97fd4c54312452f0 | malicious | Browse | 40.79.78.1
9attachment.exe | 44f65c20cf16df36a16cc4e341c297ced4dd97635444d62e7db60bbb9fd41753 | malicious | Browse | 95.216.24.32
10attachment.exe | 5968cea0e3b08d693312409ca406b6d96cb4703876a7dfbe29b2c38c7bdb7068 | malicious | Browse | 95.216.24.32
40messag.exe | e2d3438e59c95ceebe5e5917bbe737ba8e078c8933197c75f01f146061062232 | malicious | Browse | 40.79.78.1
23transcrip.exe | 7cbea8fdb1641ea480520711c828b791c084c5b82041c2805f2c1ba2cc86621a | malicious | Browse | 40.79.78.1
26readme.exe | 60137af5b05a44215245b15906c17d2f0621c9fec759d37cc388b51a21e71b9b | malicious | Browse | 40.79.78.1
ASN
Match: LEVEL3-Level3CommunicationsIncUS
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
39transcrip.exe | 752923505b46d88f13c2bee952851153aa1ef9414f2e2390bb61cbdd3bb35799 | malicious | Browse | 64.147.108.30
34text.exe | 24a87613e32bec42fefc058dd48eb569a764b6184c61175a57d486902f11627d | malicious | Browse | 64.147.108.40
60wangzhihuiurb@azeite.exe | 320530ab25ea2b8eccb6ad5e5ae72a302e7ec44f262f479654dca26439193c71 | malicious | Browse | 64.147.108.40
65Fil.exe | 1d16d13887917df11398e81e88a2ef619a70e05b4beb2d31c061ebc673943363 | malicious | Browse | 64.147.108.30
kovter.exe | 0d0a07d32295b94fd665ac39d4755014a00381c6b06c2b4a6aeffa0344ac956a | malicious | Browse | 9.40.178.37
5messag.exe | 8604435c904440ec594490c062e9c8c4d25045c7b21a372e1a837056af99bfa9 | malicious | Browse | 64.147.108.30
.exe | ba366712888049e7f7eff0fc939080da187dd510bd48ab58dc2166bb30e2a03b | malicious | Browse | 4.31.198.44
1fil.exe | f2158cb984966f66f1635f64948ec0293e54e5d960c427efe30d2b71f0fcca75 | malicious | Browse | 64.147.108.30
18lette.exe | 22af3330a59bae1e70b7a837632aa2260c896008068d1cecabd49bfe8d8516b0 | malicious | Browse | 64.147.108.40
64transcript.exe | 47aeb17c302601612a35e901c3ba9837ac82e2dca208087371e8f13b423dbf42 | malicious | Browse | 64.147.108.30
13documen.exe | de8a2298b9753d681fba9102d19f0181f89c3439f3aae09e55bb712c87d2fc66 | malicious | Browse | 64.147.108.30
64jfUryj8MeC.exe | 8c6c5478402a93b28f77556c161127280e517c583fef7fa012b66898ac66e3da | malicious | Browse | 4.240.75.122
28mai.exe | c1c853ffc1c09ecaa10b795159ffb47b694adc71d393021d4540907cee542674 | malicious | Browse | 64.147.108.30
19Fk42jFQUOd.exe | ef1aac04640547783a113e1dff809694e51f2b4a2f64047db3a187f0c7d65192 | malicious | Browse | 64.147.108.30
21fil.exe | d7ae7d45815beeb26ae2a72a4482369383a45fa06d58bf742f141b2fad35bbee | malicious | Browse | 64.147.108.30
47james@nadi.exe | 80930505c4d3a6879521e2cf2c7feedcf3bb50b6ad9988d51e6d225a80a464d4 | malicious | Browse | 64.147.108.30
25ogqh.exe | 3638b3f772093feb6cfe5809a9fca9e9a635fd4070aed601913ccdc69d9b4dfe | malicious | Browse | 64.147.108.40
23hotmia.exe | 729583b9965970e111ba6e9c660b4633e14025575dd8ae72e35c4b5195d5b8c5 | malicious | Browse | 64.147.108.30
58messag.exe | 703fb16a50521535dea2fd76245e4282cb02970c554ace1ad99b374dc637de7e | malicious | Browse | 64.147.108.30
23Documen.exe | 83f00b0381651af8a7678002dc4289963c5808c125f67921a1499ba2e5a82813 | malicious | Browse | 64.147.108.40
Dropped Files
No context
Screenshots
System is w7
Startup
1dvwi.exe (PID: 3348 cmdline: 'C:\Users\user\Desktop\1dvwi.exe' MD5: 74E9710D0BB409AEB3F8881EF75B062C)
WerFault.exe (PID: 3472 cmdline: C:\Windows\system32\WerFault.exe -u -p 3348 -s 716 MD5: 5FEAB868CAEDBBD1B7A145CA8261E4AA)
lsass.exe (PID: 3428 cmdline: 'C:\Windows\lsass.exe' MD5: 74E9710D0BB409AEB3F8881EF75B062C)
cleanup
Created / dropped Files
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Antivirus: Avira, Detection: 100%, Browse
Reputation: low
(Three further entries with identical file type, size and hashes follow in the report; their file paths were not recovered in this extract.)
C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\WinRAR.v.3.2.and.key.ShareReactor.com
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A74D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 40092
Entropy (8bit): 7.617804509684197
Encrypted: false
MD5: E8D7B0ADC8631013D59B27D6DD14E46C
SHA1: 4A6E82D60B080FCE2D91ECA52E18EF12ABA74422
SHA-256: A326D039F8919AC34CB2CD391DDD163F4AF5AC92A76D4DCAAD2E049215066C08
SHA-512: 4D46FABF0CDD871347827C77BEAC0EC5F6141D5386CF4EC1ABD296AB56121DCD3818A07DBDE257CE5F639C5615DD8EF832E318756599AE0FADEF6FD26D74EABF
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A74D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A74D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A74D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A74D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 39862
Entropy (8bit): 7.625824956267297
Encrypted: false
MD5: 9371BB8602620C894912C6A40DC5CCCE
SHA1: 386059BBEAE21D4E56ABC2CDD9482AC9C606F3C3
SHA-256: 13908169C6D0C6D5D78633EEA52CDB0A5D00818458B93D7B479C444509AB0FF6
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A74D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A74D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 39932
Entropy (8bit): 7.6235117235474235
Encrypted: false
MD5: D50F3490AF9F43AF6180D43529A1EA55
SHA1: 3C0129B14736335DCCC22BC6467E55F52B56C6A3
SHA-256: D31231699F23069AB313D567BFA007C24F572A14A928D6D6F8727ABACB563200
C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 39648
Entropy (8bit): 7.628171778635863
Encrypted: false
MD5: 142B600806F826B35684A3D62DFC5CA0
SHA1: 3DD6147F2E713E7DE62BA6B8F3A72897F2BB30A7
SHA-256: EEE5FD95F03776C67A74D6EE243CA3A09F1B8B1A5868432C4BA4E9E06E84CB5E
SHA-512: 2F07C21D80F7433447C51983FA50C765E4ED8B145F88E4D759200E9D9A6FA15580D5AA916A182CE81C3DAA747ACC6572D53FF938E31FBC46B66089A3F348D922
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 40030
Entropy (8bit): 7.619877925137778
Encrypted: false
MD5: 9806C2624035E200B8070BE3DC258A09
SHA1: 582A6C1D3A8BE47816AFD12D1106FA3E8F134333
SHA-256: A9157F5E949A0BB38EBA94A19A0DC1B712E079BB62EA156147B11FC0C499DF3B
SHA-512: 6F53301F639DF040AD55519A1F088D4FDB8E0647CA29640F26B7C6EB6F4F77123F8161BFB321924BF323CF499B7B3F8F3409F929ED0FEC4FB4ADB289754B2422
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 40074
Entropy (8bit): 7.6181910494875495
Encrypted: false
MD5: 2DAE866DEA83C91C7460747166562C07
SHA1: 48C47124C6E4CDD9642BD545707F3F8B22BC2C26
SHA-256: 6528006D3C2EF1EE752FB6BFA44F185F09AB345AD625E65C9583EC1079D682B3
SHA-512: 465ACA8D9600587D0F1E9F0C729A278DBE5D19CEE7DE4BDBD12E4ED64C79ADF4F1FF14056FAAEB9B7BDFE4E0D7A06EC5E7767C83FBA0C75D081F8875D523A120
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 39642
Entropy (8bit): 7.62811140333313
Encrypted: false
MD5: 18B84E0D3367C1F3D49F0DE0BA86E7A3
SHA1: 3976F81FD6DC7E3D5640C135749A7BE2F85B5828
SHA-256: 3399C96759B974553CFC7D867CBD85448FF5200D2E31F4F54124B6D7776B0202
SHA-512: 317C754304B64A78990471764FF931AFED7271F127D7CD3548B60514D997DAFCBC671AB7C99462530537C9B4647ED86F963736830EE0AF1F9701B6B7C408D390
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp
Process: C:\Users\user\Desktop\1dvwi.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58086
Entropy (8bit): 7.6252950866047176
Encrypted: false
MD5: 247E76F8C74B8FB1F56964ACD6FD1C5D
SHA1: D9664C30FF1B2A29901FEB9A8C15EA3F9ACE18C2
SHA-256: 15A44773BA8AD7A13FDE4B89D9D6553B94ECCD725F9054BD33B80E2BC8EB2891
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp:Zone.Identifier
Process: C:\Users\user\Desktop\1dvwi.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp
Process: C:\Users\user\Desktop\1dvwi.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 39890
Entropy (8bit): 7.624803700840179
Encrypted: false
MD5: 1EEE99FB4DED67E4F2D271325C73FB9B
SHA1: 84FA6A015732EEE24E443C444A292C08C71C9EFC
SHA-256: B4FBDA83EAE260707ABD66F3DEDE431E4515EDEAAA9EB71BCF9BBFF4729CFB31
SHA-512: B1EF55A6DC577344053A501760F00B860E7D3A55FB3E8360DE1704829D5210A62D9962A4B5993FD6E22C1EEFD81D5F166E4ED0FC1A02AE9549358A75E06DFF21
Malicious: false
C:\Users\HERBBL~1\AppData\Local\Temp\uheknclgts.txt
Process: C:\Windows\lsass.exe
File Type: data
Size (bytes): 18548
Entropy (8bit): 7.5536927871761135
Encrypted: false
MD5: 23FD59F873183F04B874281A20067078
SHA1: AD665AEF612A584FD405109800F1812EE6D9FCA1
SHA-256: 1FB6B456E8332311910BC33508A8214E8FE2173817FD24EA2FA6CEFB45AB9438
SHA-512: 17F29071B847655C28EE8625CAA43941CB2615A0E99AFC392DA288E334EE2691DD6BBE487665B5A7EF80C9ED943449CAFBFDBFF61C895156795322EBD863AB8E
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_1dvwi.exe_cac8ee3a6acf6e3046666fdd7dcba2fbcf302323_0dd71420\Report.wer
Process: C:\Windows\System32\WerFault.exe
File Type: data
Size (bytes): 8722
Entropy (8bit): 3.697404273859529
Encrypted: false
MD5: 6FE91B62443204F8A0BCB1F2F299E6DB
SHA1: 3EE1B5F984E7DE73CB7F21A823F3D6B3E5D671EC
SHA-256: 0820FDD5741AD2C404CCEC50EC21D3CDCB9068EF7243CD2E1375EE956CA7532D
SHA-512: 12350C56661C7BCC772E2B397997F09885FE5CF319EA99FBE82C04C2BEB4BE501CFCDD925D5628D3A1BD388375AC560BFDEF5D0FE9217CB4A0CC7DA8F2144263
Malicious: false
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 3392
Entropy (8bit): 3.6700849656061774
Encrypted: false
MD5: 473F87BD0A1DA2694A059532ED1A84CA
SHA1: F6E3E4DD4F0B74BD97A025C2E0BE29160BB89BC9
SHA-256: A8721E6883CF815326566CDFDEFDE81ACED2B19E8CF1B2D737C96DB77D6A64DF
C:\Windows\lsass.exe
Process: C:\Users\user\Desktop\1dvwi.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
C:\Windows\lsass.exe:Zone.Identifier
Process: C:\Users\user\Desktop\1dvwi.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Contacted Domains
Contacted IPs
Public
Private
IP
10.192.40.186
192.168.2.255
Static File Info
General
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.632806266802097
TrID: Win32 Executable (generic) a (10002005/4) 99.37%
      UPX compressed Win32 Executable (30571/9) 0.30%
      Win32 EXE Yoda's Crypter (26571/9) 0.26%
      Clipper DOS Executable (2020/12) 0.02%
      Generic Win/DOS Executable (2004/3) 0.02%
File name: 1dvw.exe
File size: 39538
MD5: 74e9710d0bb409aeb3f8881ef75b062c
SHA1: a2b0c49efa2fa06c2132f24ca187972a0233c0f0
SHA256: 1a4c49cb28d098c686cc728563c90040068c10da8aca6fd71f8b29ba3a23adf1
File Icon
Static PE Info
General
Entrypoint: 0x80b4a0
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x800000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 5d02f6de12eb07fb22fe87e05e50d6a0
Entrypoint Preview
Instruction
pushad
mov esi, 00807000h
lea edi, dword ptr [esi-00006000h]
push edi
or ebp, FFFFFFFFh
jmp 00007F007DC69482h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F007DC69479h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F007DC6945Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F007DC69479h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
Data Directories
Sections
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
UPX0 0x1000 0x6000 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1 0x7000 0x5000 0x4600 False 0.992410714286 data 7.89790234125 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc 0xc000 0x1000 0x800 False 0.2783203125 data 2.64956945519 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Resources
Imports
DLL Import
KERNEL32.DLL LoadLibraryA, GetProcAddress, ExitProcess
ADVAPI32.dll RegCloseKey
MSVCRT.dll time
USER32.dll wsprintfA
WS2_32.dll gethostname
Possible Origin
Network Behavior
• 251042(SMTP)
• 53 (DNS)
TCP Packets
UDP Packets
DNS Queries
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Jun 26, 2018 12:20:28.272450924 CEST 8.8.8.8 192.168.2.2 0x1fe3 Name error (3) mx.atwola.com none none A (IP address) IN (0x0001)
Jun 26, 2018 12:20:33.334295988 CEST 8.8.8.8 192.168.2.2 0xf20b Name error (3) mail.atwola.com none none A (IP address) IN (0x0001)
Jun 26, 2018 12:21:41.461986065 CEST 8.8.8.8 192.168.2.2 0xb68e No error (0) unicode.org MX (Mail exchange) IN (0x0001)
Jun 26, 2018 12:21:48.366198063 CEST 8.8.8.8 192.168.2.2 0xcfa1 No error (0) openoffice.org MX (Mail exchange) IN (0x0001)
Code Manipulations
Statistics
Behavior
• 1dvwi.exe
• lsass.exe
• WerFault.exe
System Behavior
General
File Activities
File Created
Source
File Path Access Attributes Options Completion Count Address Symbol
C:\Windows\lsass.exe read attributes | synchronize | generic write normal synchronous io non alert | non directory file success or wait 1 802A9A CreateFileA
File Deleted
Source
File Path Completion Count Address Symbol
C:\Windows\lsass.exe success or wait 1 802AB7 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp success or wait 1 806413 DeleteFileA
File Written
Source
File Path Offset Length Value Ascii Completion Count Address Symbol
C:\Windows\lsass.exe 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 802ACC CopyFileA
C:\Windows\lsass.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 802ACC CopyFileA
File Read
Source
File Path Offset Length Completion Count Address Symbol
C:\Users\user\Desktop\1dvwi.exe unknown 4 success or wait 1 8031B2 ReadFile
C:\Users\user\Desktop\1dvwi.exe unknown 22 success or wait 1 8031DF ReadFile
C:\Users\user\Desktop\1dvwi.exe unknown 40 success or wait 3 80323A ReadFile
C:\Users\user\Desktop\1dvwi.exe unknown 4 success or wait 4636 807D08 ReadFile
C:\Users\user\Desktop\1dvwi.exe unknown 4 end of file 1 807D08 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\common[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\common[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\common[2] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\common[2] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\host[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\host[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\progress_bg_fill[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\progress_bg_fill[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\progress_bg_left[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\progress_bg_left[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\progress_fg_right[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\progress_fg_right[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\welcome[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\welcome[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\layout[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\layout[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\layout[2] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\layout[2] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\masthead_fill[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\masthead_fill[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\masthead_fill[2] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\masthead_fill[2] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\progress[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\progress[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\progress_en[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\progress_en[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\progress_fg_left[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\progress_fg_left[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\welcome[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\welcome[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\check[1] unknown 65533 success or wait 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\check[1] unknown 65533 end of file 1 804953 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\complete[1] unknown 65533 success or wait 1 804953 ReadFile
Registry Activities
Key Created
Source
Key Path Completion Count Address Symbol
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\POSIX success or wait 1 8028C0 RegCreateKeyExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\POSIX success or wait 1 8028C0 RegCreateKeyExA
Source
Key Path Name Type Data Completion Count Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Traybar unicode C:\Windows\lsass.exe success or wait 1 802C38 RegSetValueExA
Source
Key Path Name Type Old Data New Data Completion Count Address Symbol
General
File Activities
File Created
Source
File Path Access Attributes Options Completion Count Address Symbol
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805B47 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805B47 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805BA6 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805B47 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805B47 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805B47 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805A5A GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805A73 CopyFileA
C:\Program Files\Common Files\microsoft shared\index.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
File Deleted
Source
File Path Completion Count Address Symbol
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp success or wait 1 806413 DeleteFileA
File Written
Source
File Path Offset Length Value Ascii Completion Count Address Symbol
File Read
Source
File Path Offset Length Completion Count Address Symbol
C:\Windows\lsass.exe unknown 4 success or wait 1 8031B2 ReadFile
C:\Windows\lsass.exe unknown 22 success or wait 1 8031DF ReadFile
C:\Windows\lsass.exe unknown 40 success or wait 3 80323A ReadFile
C:\Windows\lsass.exe unknown 4 success or wait 4636 807D08 ReadFile
C:\Windows\lsass.exe unknown 4 end of file 1 807D08 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\uheknclgts.txt unknown 4096 success or wait 1 80743A fread
C:\Users\HERBBL~1\AppData\Local\Temp\uheknclgts.txt unknown 4096 success or wait 4 807460 fread
C:\Users\HERBBL~1\AppData\Local\Temp\uheknclgts.txt unknown 4096 end of file 1 807460 fread
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\ReadMe.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\ReadMe.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp unknown 4 success or wait 1 8031B2 ReadFile
Registry Activities
Source
Key Path Name Type Old Data New Data Completion Count Address Symbol
General
File Activities
File Created
Source
File Path Access Attributes Options Completion Count Address Symbol
C:\Users\user\AppData\Local\Temp\WER11DB.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml read attributes | synchronize | generic read | generic write normal synchronous io non alert | non directory file success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_1dvwi.exe_cac8ee3a6acf6e3046666fdd7dcba2fbcf302323_0dd71420 read data or list directory | synchronize normal directory file | synchronous io non alert | open for backup ident | open reparse point success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_1dvwi.exe_cac8ee3a6acf6e3046666fdd7dcba2fbcf302323_0dd71420\Report.wer write data or add file | read attributes | synchronize normal synchronous io non alert | non directory file success or wait 1 72087CFA unknown
File Deleted
File Written
Source
File Path Offset Length Value Ascii Completion Count Address Symbol
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 2 ff fe .. success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 78 3c 00 3f 00 78 00 6d 00 6c 00 20 00 76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3d 00 22 00 31 00 2e 00 30 00 22 00 20 00 65 00 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 3d 00 22 00 55 00 54 00 46 00 2d 00 31 00 36 00 22 00 3f 00 3e 00 <.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>. success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 4 0d 00 0a 00 .... success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 38 3c 00 57 00 45 00 52 00 52 00 65 00 70 00 6f 00 72 00 74 00 4d 00 65 00 74 00 61 00 64 00 61 00 74 00 61 00 3e 00 <.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>. success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 4 0d 00 0a 00 .... success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 2 09 00 .. success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 44 3c 00 4f 00 53 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00 <.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>. success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 4 0d 00 0a 00 .... success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 2 09 00 .. success or wait 2 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 80 3c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 4e 00 54 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3e 00 36 00 2e 00 31 00 3c 00 2f 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 4e 00 54 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3e 00 <.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.6...1.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>. success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 4 0d 00 0a 00 .... success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 2 09 00 .. success or wait 2 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 68 3c 00 42 00 75 00 69 00 6c 00 64 00 3e 00 37 00 36 00 30 00 31 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 00 63 00 6b 00 20 00 31 00 3c 00 2f 00 42 00 75 00 69 00 6c 00 64 00 3e 00 <.B.u.i.l.d.>.7.6.0.1. .S.e.r.v.i.c.e. .P.a.c.k. .1.<./.B.u.i.l.d.>. success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 4 0d 00 0a 00 .... success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml unknown 2 09 00 .. success or wait 2 72087CFA unknown
Source
File Path Offset Length Completion Count Address Symbol
Registry Activities
Key Created
Source
Key Path Completion Count Address Symbol
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug success or wait 1 720981E4 RegCreateKeyExW
Source
Key Path Name Type Data Completion Count Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug ExceptionRecord binary 05 00 00 C0 00 00 00 00 00 00 00 00 22 73 4E 77 02 00 00 00 01 00 00 00 4E 32 31 30 7F 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7F 02 00 00 00 00 00 00 FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 7209820A RegSetValueExW
Disassembly
Code Analysis