
ID: 65597

Sample Name: 1dvwi.scr


Cookbook: default.jbs
Time: 12:19:40
Date: 26/06/2018
Version: 23.0.0

Table of Contents

Analysis Report
Overview
General Information
Detection
Confidence
Classification
Analysis Advice
Signature Overview
AV Detection:
Networking:
Boot Survival:
Remote Access Functionality:
Stealing of Sensitive Information:
Persistence and Installation Behavior:
Data Obfuscation:
Spreading:
System Summary:
HIPS / PFW / Operating System Protection Evasion:
Anti Debugging:
Malware Analysis System Evasion:
Hooking and other Techniques for Hiding and Protection:
Language, Device and Operating System Detection:
Behavior Graph
Simulations
Behavior and APIs
Antivirus Detection
Initial Sample
Dropped Files
Unpacked PE Files
Domains
URLs
Yara Overview
Initial Sample
PCAP (Network Traffic)
Dropped Files
Memory Dumps
Unpacked PEs
Joe Sandbox View / Context
IPs
Domains
ASN
Dropped Files
Screenshots
Startup
Created / dropped Files
Contacted Domains/Contacted IPs
Contacted Domains
Contacted IPs
Public
Private
Static File Info
General
File Icon
Copyright Joe Security LLC 2018 Page 2 of 287
Static PE Info
General
Entrypoint Preview
Data Directories
Sections
Resources
Imports
Possible Origin
Network Behavior
Network Port Distribution
TCP Packets
UDP Packets
DNS Queries
DNS Answers
Code Manipulations
Statistics
Behavior
System Behavior
Analysis Process: 1dvwi.exe PID: 3348 Parent PID: 2960
General
File Activities
File Created
File Deleted
File Written
File Read
Registry Activities
Key Created
Key Value Created
Analysis Process: lsass.exe PID: 3428 Parent PID: 1432
General
File Activities
File Created
File Deleted
File Written
File Read
Registry Activities
Analysis Process: WerFault.exe PID: 3472 Parent PID: 3348
General
File Activities
File Created
File Deleted
File Written
Registry Activities
Key Created
Key Value Created
Disassembly
Code Analysis


Analysis Report
Overview

General Information

Joe Sandbox Version: 23.0.0


Analysis ID: 65597
Start time: 12:19:40
Joe Sandbox Product: CloudBasic
Start date: 26.06.2018
Overall analysis duration: 0h 6m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 1dvwi.scr (renamed file extension from scr to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.troj.winEXE@4/436@71/33
HCA Information: Successful, ratio: 57%
Number of executed functions: 0
Number of non-executed functions: 0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 98.9% (good quality ratio 78.1%)
Quality average: 61%
Quality standard deviation: 38%
Cookbook Comments:
• Adjust boot time
• Correcting counters for adjusted boot time
Warnings:
• Exclude process from analysis (whitelisted): svchost.exe, dllhost.exe
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy Score Range Reporting Detection

Threshold 100 0 - 100 Report FP / FN



Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 5 0-5 false

Classification

[Classification chart, image not reproduced. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean, suspicious, malicious.]



Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Signature Overview

• AV Detection
• Networking
• Boot Survival
• Remote Access Functionality
• Stealing of Sensitive Information
• Persistence and Installation Behavior
• Data Obfuscation
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Language, Device and Operating System Detection


AV Detection:

Antivirus detection for dropped file

Antivirus detection for submitted file

Antivirus detection for unpacked file

Networking:

Detected TCP or UDP traffic on non-standard ports

Domain name seen in connection with other malware

Tries to resolve many domain names, but no domain seems valid

Connects to many different domains

IP address seen in connection with other malware

Contains functionality to download additional files from the internet

Found strings which match to known social media urls

Performs DNS lookups

Urls found in memory or binary data

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Creates an autostart registry key

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Stealing of Sensitive Information:

Contains functionality to search for IE or Outlook window (often done to steal information)



Searches for user specific document files

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Data Obfuscation:

Contains functionality to dynamically determine API calls

Uses code obfuscation techniques (call, push, ret)

Sample is packed with UPX

Spreading:

Enumerates the file system

Contains functionality to enumerate / list files inside a directory

System Summary:

Creates files with lurking names (e.g. Crack.exe)

Drops files with a known system name (to hide its detection)

Creates files inside the system directory

Creates mutexes

Deletes files inside the Windows folder

One or more processes crash

PE file contains strange resources

Reads the hosts file

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Classification label

Creates files inside the program directory

Creates files inside the user directory

Creates temporary files

Reads ini files

Reads software policies

Spawns processes

Uses an in-process (OLE) Automation server

Creates a directory in C:\Program Files

Binary contains paths to debug symbols

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if the current process is being debugged

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

Malware Analysis System Evasion:



Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Enumerates the file system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality to enumerate / list files inside a directory

Program exit points

Queries a list of all running processes

Hooking and other Techniques for Hiding and Protection:

Creates PE files with a name equal or similar to existing files in Windows

Disables application error messages (SetErrorMode)

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Contains functionality to query time zone information

Queries the cryptographic machine GUID

Behavior Graph

[Behavior graph, image not reproduced. ID: 65597; Sample: 1dvwi.scr; Startdate: 26/06/2018; Architecture: WINDOWS; Score: 100. Process nodes: 1dvwi.exe, lsass.exe, WerFault.exe. Network nodes include 134.189.78.184, 1042; 144.197.186.75, 1042; smtp.theriver.com; smtp.northcoast.com. Dropped-file nodes include C:\Windows\lsass.exe (PE32), C:\Windows\lsass.exe:Zone.Identifier (ASCII), C:\Users\HERBBL~1\AppData\...\tmpE8F0.tmp (PE32) and 219 other files (155 malicious).]



Simulations

Behavior and APIs

Time Type Description


12:20:45 API Interceptor 2x Sleep call for process: 1dvwi.exe modified
12:20:47 Autostart Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Traybar C:\Windows\lsass.exe
12:20:48 API Interceptor 1x Sleep call for process: lsass.exe modified
12:20:58 API Interceptor 3x Sleep call for process: WerFault.exe modified

Antivirus Detection

Initial Sample

Source Detection Scanner Label Link


1dvw.exe 100% Avira WORM/Mydoom.L.1

Dropped Files

Source Detection Scanner Label Link


C:\Program Files\Common Files\microsoft shared\DAO\Harry Potter.com 100% Avira WORM/Mydoom.L.1
C:\Program Files\Common Files\microsoft shared\Help\1028\ICQ 4 Lite.ShareReactor.com 100% Avira WORM/Mydoom.L.1
C:\Program Files\Common Files\microsoft shared\Help\1049\Harry Potter.exe 100% Avira WORM/Mydoom.L.1
C:\Program Files\Common Files\microsoft shared\Help\1041\index.com 100% Avira WORM/Mydoom.L.1
C:\Program Files\Common Files\microsoft shared\EQUATION\Kazaa Lite.exe 100% Avira WORM/Mydoom.L.1
C:\Program Files\Common Files\microsoft shared\Filters\Kazaa Lite.ShareReactor.com 100% Avira WORM/Mydoom.L.1
C:\Program Files\Common Files\microsoft shared\Help\1036\Harry Potter.ShareReactor.com 100% Avira WORM/Mydoom.L.1
C:\Program Files\Common Files\microsoft shared\EURO\Winamp 5.0 (en).com 100% Avira WORM/Mydoom.L.1
C:\Program Files\Common Files\microsoft shared\Help\1040\Winamp 5.0 (en).ShareReactor.com 100% Avira WORM/Mydoom.L.1
C:\Program Files\Common Files\microsoft shared\DW\Winamp 5.0 (en).exe 100% Avira WORM/Mydoom.L.1
C:\Program Files\Common Files\microsoft shared\GRPHFLT\index.exe 100% Avira WORM/Mydoom.L.1
C:\Program Files\Common Files\microsoft shared\EQUATION\1033\ICQ 4 Lite.exe 100% Avira WORM/Mydoom.L.1

Unpacked PE Files

Source Detection Scanner Label Link


3.2.WerFault.exe.130000.1.unpack 100% Avira TR/Agent.Blkhl.dam
1.0.1dvwi.exe.800000.0.unpack 100% Avira TR/Agent.Blkhl.dam
2.1.lsass.exe.800000.0.unpack 100% Avira TR/Agent.Blkhl.dam
2.2.lsass.exe.800000.0.unpack 100% Avira TR/Agent.Blkhl.dam
2.0.lsass.exe.800000.0.unpack 100% Avira TR/Agent.Blkhl.dam
1.1.1dvwi.exe.800000.0.unpack 100% Avira TR/Agent.Blkhl.dam
1.2.1dvwi.exe.800000.0.unpack 100% Avira TR/Agent.Blkhl.dam

Domains

Source Detection Scanner Label Link



URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches



Joe Sandbox View / Context

IPs

Associated Sample
Match Name / URL SHA 256 Detection Link Context

Domains

Associated Sample
Match Name / URL SHA 256 Detection Link Context

ASN

Associated Sample
Match Name / URL SHA 256 Detection Link Context

Dropped Files

No context

Screenshots



Startup

System is w7
1dvwi.exe (PID: 3348 cmdline: 'C:\Users\user\Desktop\1dvwi.exe' MD5: 74E9710D0BB409AEB3F8881EF75B062C)
WerFault.exe (PID: 3472 cmdline: C:\Windows\system32\WerFault.exe -u -p 3348 -s 716 MD5: 5FEAB868CAEDBBD1B7A145CA8261E4AA)
lsass.exe (PID: 3428 cmdline: 'C:\Windows\lsass.exe' MD5: 74E9710D0BB409AEB3F8881EF75B062C)
cleanup

Created / dropped Files

C:\Program Files\Common Files\microsoft shared\DAO\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Avira, Detection: 100%
Reputation: low



C:\Program Files\Common Files\microsoft shared\DAO\Harry Potter.com:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\DW\Winamp 5.0 (en).exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Avira, Detection: 100%
Reputation: low

C:\Program Files\Common Files\microsoft shared\DW\Winamp 5.0 (en).exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\EQUATION\1033\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Avira, Detection: 100%
Reputation: low

C:\Program Files\Common Files\microsoft shared\EQUATION\1033\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\EQUATION\Kazaa Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Avira, Detection: 100%
Reputation: low

C:\Program Files\Common Files\microsoft shared\EQUATION\Kazaa Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\EURO\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Avira, Detection: 100%
Reputation: low

C:\Program Files\Common Files\microsoft shared\EURO\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\Filters\Kazaa Lite.ShareReactor.com
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Avira, Detection: 100%
Reputation: low

C:\Program Files\Common Files\microsoft shared\Filters\Kazaa Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\GRPHFLT\index.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Avira, Detection: 100%
Reputation: low

C:\Program Files\Common Files\microsoft shared\GRPHFLT\index.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\Help\1028\ICQ 4 Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Avira, Detection: 100%
Reputation: low

C:\Program Files\Common Files\microsoft shared\Help\1028\ICQ 4 Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\Help\1031\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false
Reputation: low

C:\Program Files\Common Files\microsoft shared\Help\1031\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\Help\1033\Kazaa Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Reputation: low

C:\Program Files\Common Files\microsoft shared\Help\1033\Kazaa Lite.ShareReactor.com:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\Help\1036\Harry Potter.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Avira, Detection: 100%
Reputation: low

C:\Program Files\Common Files\microsoft shared\Help\1036\Harry Potter.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\Help\1040\Winamp 5.0 (en).ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Avira, Detection: 100%
Reputation: low

C:\Program Files\Common Files\microsoft shared\Help\1040\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\Help\1041\index.com

Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Avira, Detection: 100%
Reputation: low

C:\Program Files\Common Files\microsoft shared\Help\1041\index.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\Help\1042\Kazaa Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false
Reputation: low

C:\Program Files\Common Files\microsoft shared\Help\1042\Kazaa Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\Help\1046\ICQ 4 Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Reputation: low

C:\Program Files\Common Files\microsoft shared\Help\1046\ICQ 4 Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\Help\1049\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Antivirus: Avira, Detection: 100%
Reputation: low

C:\Program Files\Common Files\microsoft shared\Help\1049\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\Help\2052\Winamp 5.0 (en).exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false
Reputation: low

C:\Program Files\Common Files\microsoft shared\Help\2052\Winamp 5.0 (en).exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file

C:\Program Files\Common Files\microsoft shared\Help\3082\Winamp 5.0 (en) Crack.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true
Reputation: low

C:\Program Files\Common Files\microsoft shared\Help\3082\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Help\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\Help\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\MSEnv\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\MSEnv\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\MSEnv\PublicAssemblies\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\MSEnv\PublicAssemblies\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\MSInfo\WinRAR.v.3.2.and.key.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\MSInfo\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\WinRAR.v.3.2.and.key.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\WinRAR.v.3.2.and.key.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\1033\index.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\OFFICE14\1033\index.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\Winamp 5.0 (en).exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\Winamp 5.0 (en).exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\Harry Potter.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\Harry Potter.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\index.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\index.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\WinRAR.v.3.2.and.key.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\WinRAR.v.3.2.and.key.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\Winamp 5.0 (en) Crack.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\Kazaa Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\Kazaa Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Winamp 5.0 (en).ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\index.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\index.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\SingleImage\index.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\SingleImage\index.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Winamp 5.0 (en) Crack.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Winamp 5.0 (en) Crack.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\Kazaa Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\Kazaa Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OFFICE14\WinRAR.v.3.2.and.key.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\OFFICE14\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Winamp 5.0 (en).ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\PROOF\index.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\PROOF\index.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Portal\1033\Winamp 5.0 (en) Crack.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Portal\1033\Winamp 5.0 (en) Crack.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Portal\WinRAR.v.3.2.and.key.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Portal\WinRAR.v.3.2.and.key.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Smart Tag\1033\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\Smart Tag\1033\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Smart Tag\LISTS\1033\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\Smart Tag\LISTS\1033\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Smart Tag\LISTS\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Smart Tag\LISTS\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Smart Tag\Winamp 5.0 (en) Crack.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Smart Tag\Winamp 5.0 (en) Crack.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Source Engine\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Source Engine\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Stationery\Kazaa Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Stationery\Kazaa Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\AFTRNOON\Winamp 5.0 (en) Crack.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\AFTRNOON\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\ARCTIC\Kazaa Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\ARCTIC\Kazaa Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\AXIS\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\AXIS\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\BLENDS\Winamp 5.0 (en) Crack.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\BLENDS\Winamp 5.0 (en) Crack.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\BLUECALM\Winamp 5.0 (en) Crack.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\BLUECALM\Winamp 5.0 (en) Crack.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\BLUEPRNT\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\BLUEPRNT\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\BOLDSTRI\Winamp 5.0 (en) Crack.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\BOLDSTRI\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\BREEZE\Winamp 5.0 (en) Crack.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\BREEZE\Winamp 5.0 (en) Crack.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\CANYON\ICQ 4 Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\CANYON\ICQ 4 Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\CAPSULES\Winamp 5.0 (en) Crack.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\CAPSULES\Winamp 5.0 (en) Crack.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\CASCADE\Kazaa Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\CASCADE\Kazaa Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\COMPASS\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\COMPASS\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\CONCRETE\WinRAR.v.3.2.and.key.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\CONCRETE\WinRAR.v.3.2.and.key.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\DEEPBLUE\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\DEEPBLUE\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\ECHO\ICQ 4 Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\ECHO\ICQ 4 Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\ECLIPSE\WinRAR.v.3.2.and.key.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\ECLIPSE\WinRAR.v.3.2.and.key.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\EDGE\Winamp 5.0 (en) Crack.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\EDGE\Winamp 5.0 (en) Crack.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\EVRGREEN\Harry Potter.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\EVRGREEN\Harry Potter.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\EXPEDITN\Winamp 5.0 (en) Crack.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\EXPEDITN\Winamp 5.0 (en) Crack.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\ICE\ICQ 4 Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\ICE\ICQ 4 Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\INDUST\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\INDUST\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\IRIS\Winamp 5.0 (en) Crack.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\IRIS\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\JOURNAL\ICQ 4 Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\JOURNAL\ICQ 4 Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\Kazaa Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\Kazaa Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\LAYERS\Winamp 5.0 (en).exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\LAYERS\Winamp 5.0 (en).exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\LEVEL\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\LEVEL\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\NETWORK\Winamp 5.0 (en) Crack.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\NETWORK\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\PAPYRUS\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\PAPYRUS\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\PIXEL\ICQ 4 Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\PIXEL\ICQ 4 Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\PROFILE\Harry Potter.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\PROFILE\Harry Potter.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\QUAD\Kazaa Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\QUAD\Kazaa Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\RADIAL\index.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\RADIAL\index.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\REFINED\Kazaa Lite.ShareReactor.com

Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA986A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\REFINED\Kazaa Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\RICEPAPR\index.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\RICEPAPR\index.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\RIPPLE\Winamp 5.0 (en).ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\RIPPLE\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\RMNSQUE\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\RMNSQUE\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\SATIN\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1

SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\SATIN\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\SKY\ICQ 4 Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\SKY\ICQ 4 Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\SLATE\ICQ 4 Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\SLATE\ICQ 4 Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\SONORA\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\SONORA\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\SPRING\Winamp 5.0 (en).exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\SPRING\Winamp 5.0 (en).exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\STRTEDGE\Winamp 5.0 (en) Crack.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1

SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\STRTEDGE\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\STUDIO\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\STUDIO\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\SUMIPNTG\ICQ 4 Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\SUMIPNTG\ICQ 4 Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\WATERMAR\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\THEMES14\WATERMAR\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\WATER\Winamp 5.0 (en).exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\THEMES14\WATER\Winamp 5.0 (en).exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\TRANSLAT\ARFR\Harry Potter.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1

SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\TRANSLAT\ARFR\Harry Potter.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\TRANSLAT\ENES\WinRAR.v.3.2.and.key.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\TRANSLAT\ENES\WinRAR.v.3.2.and.key.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\TRANSLAT\ENFR\WinRAR.v.3.2.and.key.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\TRANSLAT\ENFR\WinRAR.v.3.2.and.key.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\TRANSLAT\ESEN\Winamp 5.0 (en).exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\TRANSLAT\ESEN\Winamp 5.0 (en).exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\TRANSLAT\FRAR\ICQ 4 Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\TRANSLAT\FRAR\ICQ 4 Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\TRANSLAT\FREN\index.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1

SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\TRANSLAT\FREN\index.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\TRANSLAT\index.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\TRANSLAT\index.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\TextConv\WksConv\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\TextConv\WksConv\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\TextConv\en-US\ICQ 4 Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\TextConv\en-US\ICQ 4 Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\TextConv\index.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\TextConv\index.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Kazaa Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1

SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Kazaa Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Triedit\index.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Triedit\index.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\VBA\VBA6\ICQ 4 Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\VBA\VBA6\ICQ 4 Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\VBA\VBA7\1033\ICQ 4 Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\VBA\VBA7\1033\ICQ 4 Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\VBA\VBA7\Winamp 5.0 (en).exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\VBA\VBA7\Winamp 5.0 (en).exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\VBA\Winamp 5.0 (en) Crack.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\VBA\Winamp 5.0 (en) Crack.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\VC\Kazaa Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\VC\Kazaa Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\VGX\WinRAR.v.3.2.and.key.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\VGX\WinRAR.v.3.2.and.key.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoDocument\ICQ 4 Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoDocument\ICQ 4 Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Kazaa Lite.com

Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Kazaa Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\VSTA\WinRAR.v.3.2.and.key.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\VSTA\WinRAR.v.3.2.and.key.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\ICQ 4 Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\ICQ 4 Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\VSTO\Winamp 5.0 (en) Crack.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\VSTO\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Web Folders\1033\ICQ 4 Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Web Folders\1033\ICQ 4 Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Web Folders\Winamp 5.0 (en).ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Web Folders\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\BIN\index.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\BIN\index.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\index.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\index.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\Web Server Extensions\WinRAR.v.3.2.and.key.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\Web Server Extensions\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\index.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\index.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\1.0\WinRAR.v.3.2.and.key.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\1.0\WinRAR.v.3.2.and.key.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\1.7\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\1.7\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\Harry Potter.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\Harry Potter.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\Kazaa Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\Kazaa Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\bg-BG\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\bg-BG\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\WinRAR.v.3.2.and.key.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\WinRAR.v.3.2.and.key.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\da-DK\index.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\da-DK\index.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\de-DE\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\de-DE\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\el-GR\Winamp 5.0 (en) Crack.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\el-GR\Winamp 5.0 (en) Crack.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\en-US\Winamp 5.0 (en).ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\en-US\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\es-ES\ICQ 4 Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\es-ES\ICQ 4 Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\et-EE\WinRAR.v.3.2.and.key.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\et-EE\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Winamp 5.0 (en) Crack.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fr-FR\index.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fr-FR\index.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\Harry Potter.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\Harry Potter.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\index.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\index.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\index.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\index.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\numbers\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\numbers\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\WinRAR.v.3.2.and.key.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\WinRAR.v.3.2.and.key.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\Kazaa Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\Kazaa Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\Harry Potter.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\Harry Potter.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\web\WinRAR.v.3.2.and.key.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\web\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\he-IL\WinRAR.v.3.2.and.key.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\he-IL\WinRAR.v.3.2.and.key.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\hr-HR\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\hr-HR\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\hu-HU\index.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\hu-HU\index.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\it-IT\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\it-IT\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Kazaa Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Kazaa Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\ko-KR\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\ko-KR\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\lt-LT\ICQ 4 Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\lt-LT\ICQ 4 Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\lv-LV\WinRAR.v.3.2.and.key.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\lv-LV\WinRAR.v.3.2.and.key.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\nb-NO\WinRAR.v.3.2.and.key.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\nb-NO\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\nl-NL\WinRAR.v.3.2.and.key.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\nl-NL\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Winamp 5.0 (en) Crack.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Winamp 5.0 (en) Crack.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\pt-PT\WinRAR.v.3.2.and.key.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\pt-PT\WinRAR.v.3.2.and.key.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\ro-RO\index.ShareReactor.com

Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\ro-RO\index.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\sl-SI\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\sl-SI\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\Harry Potter.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\Harry Potter.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\th-TH\ICQ 4 Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\th-TH\ICQ 4 Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Winamp 5.0 (en).ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\uk-UA\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\uk-UA\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\zh-CN\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\zh-CN\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Common Files\microsoft shared\ink\zh-TW\Winamp 5.0 (en) Crack.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Common Files\microsoft shared\ink\zh-TW\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\Kazaa Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\Kazaa Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\index.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\index.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\WinRAR.v.3.2.and.key.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Full\WinRAR.v.3.2.and.key.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Full\WinRAR.v.3.2.and.key.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\Kazaa Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\Kazaa Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\Kazaa Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\Kazaa Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Harry Potter.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Harry Potter.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\ICQ 4 Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\ICQ 4 Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Winamp 5.0 (en).com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Winamp 5.0 (en).com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\WinRAR.v.3.2.and.key.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\WinRAR.v.3.2.and.key.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Push\Winamp 5.0 (en) Crack.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\Push\Winamp 5.0 (en) Crack.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Kazaa Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Kazaa Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Winamp 5.0 (en).exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Winamp 5.0 (en).exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\ICQ 4 Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1

SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\ICQ 4 Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Harry Potter.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Harry Potter.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\Winamp 5.0 (en).exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\Winamp 5.0 (en).exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\ICQ 4 Lite.exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\ICQ 4 Lite.exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\Kazaa Lite.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\Kazaa Lite.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\Winamp 5.0 (en).ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1

SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\DVD Maker\Shared\index.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\DVD Maker\Shared\index.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Google\Update\Download\Kazaa Lite.ShareReactor.com


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Google\Update\Download\Kazaa Lite.ShareReactor.com:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\60.0.3112.90\Winamp 5.0 (en).exe


Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: false

C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\60.0.3112.90\Winamp 5.0 (en).exe:Zone.Identifier


Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\WinRAR.v.3.2.and.key.ShareReactor.com
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D

SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A7
4D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A7
4D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 40092
Entropy (8bit): 7.617804509684197
Encrypted: false
MD5: E8D7B0ADC8631013D59B27D6DD14E46C
SHA1: 4A6E82D60B080FCE2D91ECA52E18EF12ABA74422
SHA-256: A326D039F8919AC34CB2CD391DDD163F4AF5AC92A76D4DCAAD2E049215066C08
SHA-512: 4D46FABF0CDD871347827C77BEAC0EC5F6141D5386CF4EC1ABD296AB56121DCD3818A07DBDE257CE5F639C561
5DD8EF832E318756599AE0FADEF6FD26D74EABF
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D

SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A7
4D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A7
4D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A7
4D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A7
4D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A7
4D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 39862
Entropy (8bit): 7.625824956267297
Encrypted: false
MD5: 9371BB8602620C894912C6A40DC5CCCE
SHA1: 386059BBEAE21D4E56ABC2CDD9482AC9C606F3C3
SHA-256: 13908169C6D0C6D5D78633EEA52CDB0A5D00818458B93D7B479C444509AB0FF6

SHA-512: 0995ACBB3FA30D248858E620DB578FBE1B07EB1A565B0F2516F0BADDB088F4FE730105E1533B1852F17E738DE4
15D381B1CA73D664E85A2D21E3DC456F439733
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A7
4D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp
Process: C:\Windows\lsass.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58074
Entropy (8bit): 7.625167710590361
Encrypted: false
MD5: 30E1F2AD875E0750165C5761DAE10F07
SHA1: 7D79CBD624C04795FFC1486386322BA3CDBBDC54
SHA-256: 93F889A7C5D4B3E6A16FA3E8836B580D05BF51410CDFF4388E4BFBA28F83B90D
SHA-512: 3AB8E141A5959B3E30B9D695A3049FBD54C6BC2772B7448629B836B324E8AAFD423A4F7C54C8ADD37A066F50A7
4D67B22642678F5DFCD71B98C547693A1FA989
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp:Zone.Identifier
Process: C:\Windows\lsass.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 39932
Entropy (8bit): 7.6235117235474235
Encrypted: false
MD5: D50F3490AF9F43AF6180D43529A1EA55
SHA1: 3C0129B14736335DCCC22BC6467E55F52B56C6A3
SHA-256: D31231699F23069AB313D567BFA007C24F572A14A928D6D6F8727ABACB563200

SHA-512: E79DBB02BEA6CB9E82B8FC0FB932E3F1BD706EBA17E7481A30EA82C650C889341C82832070EBEC707B7F3AD92
93EAB45F11BFE0B65D955DA7188BB162E12E172
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 39648
Entropy (8bit): 7.628171778635863
Encrypted: false
MD5: 142B600806F826B35684A3D62DFC5CA0
SHA1: 3DD6147F2E713E7DE62BA6B8F3A72897F2BB30A7
SHA-256: EEE5FD95F03776C67A74D6EE243CA3A09F1B8B1A5868432C4BA4E9E06E84CB5E
SHA-512: 2F07C21D80F7433447C51983FA50C765E4ED8B145F88E4D759200E9D9A6FA15580D5AA916A182CE81C3DAA747A
CC6572D53FF938E31FBC46B66089A3F348D922
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 40030
Entropy (8bit): 7.619877925137778
Encrypted: false
MD5: 9806C2624035E200B8070BE3DC258A09
SHA1: 582A6C1D3A8BE47816AFD12D1106FA3E8F134333
SHA-256: A9157F5E949A0BB38EBA94A19A0DC1B712E079BB62EA156147B11FC0C499DF3B
SHA-512: 6F53301F639DF040AD55519A1F088D4FDB8E0647CA29640F26B7C6EB6F4F77123F8161BFB321924BF323CF499B7B
3F8F3409F929ED0FEC4FB4ADB289754B2422
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 40074
Entropy (8bit): 7.6181910494875495
Encrypted: false
MD5: 2DAE866DEA83C91C7460747166562C07
SHA1: 48C47124C6E4CDD9642BD545707F3F8B22BC2C26
SHA-256: 6528006D3C2EF1EE752FB6BFA44F185F09AB345AD625E65C9583EC1079D682B3
SHA-512: 465ACA8D9600587D0F1E9F0C729A278DBE5D19CEE7DE4BDBD12E4ED64C79ADF4F1FF14056FAAEB9B7BDFE4E
0D7A06EC5E7767C83FBA0C75D081F8875D523A120
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp
Process: C:\Windows\lsass.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 39642
Entropy (8bit): 7.62811140333313
Encrypted: false
MD5: 18B84E0D3367C1F3D49F0DE0BA86E7A3
SHA1: 3976F81FD6DC7E3D5640C135749A7BE2F85B5828
SHA-256: 3399C96759B974553CFC7D867CBD85448FF5200D2E31F4F54124B6D7776B0202
SHA-512: 317C754304B64A78990471764FF931AFED7271F127D7CD3548B60514D997DAFCBC671AB7C99462530537C9B4647E
D86F963736830EE0AF1F9701B6B7C408D390
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp
Process: C:\Users\user\Desktop\1dvwi.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 58086
Entropy (8bit): 7.6252950866047176
Encrypted: false
MD5: 247E76F8C74B8FB1F56964ACD6FD1C5D
SHA1: D9664C30FF1B2A29901FEB9A8C15EA3F9ACE18C2
SHA-256: 15A44773BA8AD7A13FDE4B89D9D6553B94ECCD725F9054BD33B80E2BC8EB2891

SHA-512: A5A12A870ED7A3DA2A12D331F1A4BF9C9610AE220CE21B153A4D943E9BA6B9096ACF9912EC84A5C66E448B2E4
E41F788E2649A59C3C5732EB2DBCC885DC44A89
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp:Zone.Identifier
Process: C:\Users\user\Desktop\1dvwi.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp
Process: C:\Users\user\Desktop\1dvwi.exe
File Type: Zip archive data, at least v1.0 to extract
Size (bytes): 39890
Entropy (8bit): 7.624803700840179
Encrypted: false
MD5: 1EEE99FB4DED67E4F2D271325C73FB9B
SHA1: 84FA6A015732EEE24E443C444A292C08C71C9EFC
SHA-256: B4FBDA83EAE260707ABD66F3DEDE431E4515EDEAAA9EB71BCF9BBFF4729CFB31
SHA-512: B1EF55A6DC577344053A501760F00B860E7D3A55FB3E8360DE1704829D5210A62D9962A4B5993FD6E22C1EEFD81
D5F166E4ED0FC1A02AE9549358A75E06DFF21
Malicious: false

C:\Users\HERBBL~1\AppData\Local\Temp\uheknclgts.txt
Process: C:\Windows\lsass.exe
File Type: data
Size (bytes): 18548
Entropy (8bit): 7.5536927871761135
Encrypted: false
MD5: 23FD59F873183F04B874281A20067078
SHA1: AD665AEF612A584FD405109800F1812EE6D9FCA1
SHA-256: 1FB6B456E8332311910BC33508A8214E8FE2173817FD24EA2FA6CEFB45AB9438
SHA-512: 17F29071B847655C28EE8625CAA43941CB2615A0E99AFC392DA288E334EE2691DD6BBE487665B5A7EF80C9ED94
3449CAFBFDBFF61C895156795322EBD863AB8E
Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_1dvwi.exe_cac8ee3a6acf6e3046666fdd7dcba2fbcf302323_0dd71420\Report.wer
Process: C:\Windows\System32\WerFault.exe
File Type: data
Size (bytes): 8722
Entropy (8bit): 3.697404273859529
Encrypted: false
MD5: 6FE91B62443204F8A0BCB1F2F299E6DB
SHA1: 3EE1B5F984E7DE73CB7F21A823F3D6B3E5D671EC
SHA-256: 0820FDD5741AD2C404CCEC50EC21D3CDCB9068EF7243CD2E1375EE956CA7532D
SHA-512: 12350C56661C7BCC772E2B397997F09885FE5CF319EA99FBE82C04C2BEB4BE501CFCDD925D5628D3A1BD388375
AC560BFDEF5D0FE9217CB4A0CC7DA8F2144263
Malicious: false

C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 3392
Entropy (8bit): 3.6700849656061774
Encrypted: false
MD5: 473F87BD0A1DA2694A059532ED1A84CA
SHA1: F6E3E4DD4F0B74BD97A025C2E0BE29160BB89BC9
SHA-256: A8721E6883CF815326566CDFDEFDE81ACED2B19E8CF1B2D737C96DB77D6A64DF

SHA-512: B260007CD935B75E99B2D19DCB439580E075D1DC2C92C38DE9DDB29C23FF45C4667E1EDE4FC837102216C3D74D
5324F6B7E378964F90F692CF8E015109F8B129
Malicious: false

C:\Windows\lsass.exe
Process: C:\Users\user\Desktop\1dvwi.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 39538
Entropy (8bit): 7.632806266802097
Encrypted: false
MD5: 74E9710D0BB409AEB3F8881EF75B062C
SHA1: A2B0C49EFA2FA06C2132F24CA187972A0233C0F0
SHA-256: 1A4C49CB28D098C686CC728563C90040068C10DA8ACA6FD71F8B29BA3A23ADF1
SHA-512: DE61A887DE379CC04A194273D1EC35D11FFDA01F8311C808A93443911B654D6943FD1AC93C27C92E94DFE9CA98
6A62D865F9D552075F6B6AAE355E34803DB2BD
Malicious: true

C:\Windows\lsass.exe:Zone.Identifier
Process: C:\Users\user\Desktop\1dvwi.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.9500637564362093
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53B
C731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true

Contacted Domains/Contacted IPs

Contacted Domains

Name IP Active Malicious Antivirus Detection Reputation


openoffice.apache.org 40.79.78.1 true false 0%, virustotal, Browse high
northcoast.com 184.168.221.45 true true 0%, virustotal, Browse low
unicode.org 216.97.88.9 true false 0%, virustotal, Browse high
mx2.mindspring.com 207.69.189.218 true false 0%, virustotal, Browse high
onlineconnections.com.au 192.254.190.168 true true 0%, virustotal, Browse low
theriver.com 74.201.226.52 true true 0%, virustotal, Browse low
mta0.cl.cam.ac.uk 128.232.25.20 true false low
mx.cam.ac.uk 131.111.8.147 true false 0%, virustotal, Browse low
mail.pobox.com 64.147.108.30 true false 0%, virustotal, Browse high
netcom.com 209.86.122.183 true true 0%, virustotal, Browse low
ismtp.sitestar.everyone.net 216.200.145.235 true false 0%, virustotal, Browse high
mx3.mindspring.com 207.69.189.219 true false 0%, virustotal, Browse high
pb-mx14.pobox.com 64.147.108.55 true false 0%, virustotal, Browse high
pb-mx13.pobox.com 64.147.108.54 true false 0%, virustotal, Browse high
mx1.mindspring.com 207.69.189.217 true false 0%, virustotal, Browse high
mx1-lw-eu.apache.org 37.48.69.230 true false 0%, virustotal, Browse high
pb-mx10.pobox.com 64.147.108.51 true false 0%, virustotal, Browse high
pb-mx12.pobox.com 64.147.108.53 true false 0%, virustotal, Browse high
mx1-lw-us.apache.org 207.244.88.150 true false 0%, virustotal, Browse high
mail.theriver.sitestar.everyone.net 209.249.171.103 true false 0%, virustotal, Browse high
pb-mx9.pobox.com 64.147.108.50 true false 0%, virustotal, Browse high
smtp.pobox.com 64.147.108.70 true false 0%, virustotal, Browse high
pb-mx11.pobox.com 64.147.108.52 true false 0%, virustotal, Browse high
mx4.mindspring.com 207.69.189.220 true false 0%, virustotal, Browse high
pobox.com 64.147.108.40 true false 0%, virustotal, Browse high
openoffice.org 40.79.78.1 true false 0%, virustotal, Browse high
smtp.northcoast.com unknown unknown true 0%, virustotal, Browse low
mx.cl.cam.ac.uk unknown unknown true 0%, virustotal, Browse low
mx.netcom.com unknown unknown true 0%, virustotal, Browse low
mail.northcoast.com unknown unknown true 0%, virustotal, Browse low
atwola.com unknown unknown false 0%, virustotal, Browse high
resources.jar unknown unknown true low
mx.northcoast.com unknown unknown true 0%, virustotal, Browse low
src.dec.com unknown unknown true 0%, virustotal, Browse low
mx.onlineconnections.com.au unknown unknown true 0%, virustotal, Browse low
smtp.theriver.com unknown unknown true 0%, virustotal, Browse low
mx.openoffice.org unknown unknown false 0%, virustotal, Browse high
smtp.cl.cam.ac.uk unknown unknown true 0%, virustotal, Browse low
mx2-lw-us.apache.org unknown unknown false 0%, virustotal, Browse high
mail.openoffice.org unknown unknown false 0%, virustotal, Browse high
mail.theriver.com unknown unknown true 0%, virustotal, Browse low
mx2-lw-eu.apache.org unknown unknown false 0%, virustotal, Browse high
mx.theriver.com unknown unknown true 0%, virustotal, Browse low
smtp.netcom.com unknown unknown true 0%, virustotal, Browse low
mail.onlineconnections.com.au unknown unknown true 0%, virustotal, Browse low
bryson.demon.co.uk unknown unknown true low
mx.pobox.com unknown unknown false high
mail.netcom.com unknown unknown true low
mail.atwola.com unknown unknown false high
mx.atwola.com unknown unknown false high
mail.cl.cam.ac.uk unknown unknown true low
cl.cam.ac.uk unknown unknown true low

Contacted IPs


Public

IP Country Flag ASN ASN Name Malicious
64.147.108.54 United States 3356 LEVEL3-Level3CommunicationsIncUS false
64.147.108.55 United States 3356 LEVEL3-Level3CommunicationsIncUS false
64.147.108.70 United States 3356 LEVEL3-Level3CommunicationsIncUS false
64.147.108.52 United States 3356 LEVEL3-Level3CommunicationsIncUS false
64.147.108.53 United States 3356 LEVEL3-Level3CommunicationsIncUS false
64.147.108.50 United States 3356 LEVEL3-Level3CommunicationsIncUS false
131.111.8.147 United Kingdom 786 JANETJiscServicesLimitedGB false
64.147.108.51 United States 3356 LEVEL3-Level3CommunicationsIncUS false
134.189.78.184 United States 9143 ZIGGOZiggoBVNL true
64.165.18.101 United States 7132 SBIS-AS-ATTInternetServicesUS true
207.69.189.220 United States 6983 ITCDELTA-EarthlinkIncUS false
64.147.108.30 United States 3356 LEVEL3-Level3CommunicationsIncUS false
216.97.88.9 United States 54489 CORESPACE-DAL-CoreSpaceIncUS false
144.197.186.75 United States 58541 CHINATELECOM-HUNAN-XIANGTAN-MANXiangtanCN true
207.69.189.217 United States 6983 ITCDELTA-EarthlinkIncUS false
207.69.189.218 United States 6983 ITCDELTA-EarthlinkIncUS false
4.46.196.224 United States 3356 LEVEL3-Level3CommunicationsIncUS true
207.69.189.219 United States 6983 ITCDELTA-EarthlinkIncUS false
209.86.122.183 United States 6983 ITCDELTA-EarthlinkIncUS true
207.244.88.150 United States 30633 LEASEWEB-USA-WDC-01-LeasewebUSAIncUS false
40.79.78.1 United States 58593 MCCL-CHNMicrosoftChinaCoLtdCN false
64.147.108.40 United States 3356 LEVEL3-Level3CommunicationsIncUS false
216.200.145.235 United States 30627 EON-NET-EveryonenetIncUS false
95.216.24.32 Germany 24940 HETZNER-ASDE false
192.254.190.168 United States 46606 UNIFIEDLAYER-AS-1-UnifiedLayerUS true
37.48.69.230 Netherlands 60781 LEASEWEB-NLNetherlandsNL false
184.168.221.45 United States 26496 AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS true
74.201.226.52 United States 29791 VOXEL-DOT-NET-VoxelDotNetIncUS true
169.254.94.70 Reserved 6966 USDOS-USDepartmentofStateUS false
209.249.171.103 United States 30627 EON-NET-EveryonenetIncUS false
128.232.25.20 United Kingdom 786 JANETJiscServicesLimitedGB false

Private

IP
10.192.40.186
192.168.2.255

Static File Info

General
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.632806266802097
TrID: Win32 Executable (generic) a (10002005/4) 99.37%
UPX compressed Win32 Executable (30571/9) 0.30%
Win32 EXE Yoda's Crypter (26571/9) 0.26%
Clipper DOS Executable (2020/12) 0.02%
Generic Win/DOS Executable (2004/3) 0.02%
File name: 1dvw.exe
File size: 39538
MD5: 74e9710d0bb409aeb3f8881ef75b062c
SHA1: a2b0c49efa2fa06c2132f24ca187972a0233c0f0
SHA256: 1a4c49cb28d098c686cc728563c90040068c10da8aca6fd71f8b29ba3a23adf1
SHA512: de61a887de379cc04a194273d1ec35d11ffda01f8311c808a93443911b654d6943fd1ac93c27c92e94dfe9ca986a62d865f9d552075f6b6aae355e34803db2bd
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L..................

File Icon

Static PE Info

General
Entrypoint: 0x80b4a0
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x800000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 5d02f6de12eb07fb22fe87e05e50d6a0

Entrypoint Preview

Instruction
pushad
mov esi, 00807000h
lea edi, dword ptr [esi-00006000h]
push edi
or ebp, FFFFFFFFh
jmp 00007F007DC69482h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F007DC69479h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F007DC6945Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F007DC69479h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F007DC69461h
jne 00007F007DC6947Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F007DC69456h
xor ecx, ecx
sub eax, 03h
jc 00007F007DC6947Fh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F007DC694E6h
mov ebp, eax
add ebx, ebx
jne 00007F007DC69479h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007F007DC69479h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007F007DC69492h
inc ecx
add ebx, ebx
jne 00007F007DC69479h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F007DC69461h
jne 00007F007DC6947Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F007DC69456h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F007DC69481h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007F007DC69469h
jmp 00007F007DC693D8h
nop
mov eax, dword ptr [edx]

Data Directories

Name Virtual Address Virtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT 0xc514 0x130 .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE 0xc000 0x514 .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0
IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IAT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0

Sections

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
UPX0 0x1000 0x6000 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1 0x7000 0x5000 0x4600 False 0.992410714286 data 7.89790234125 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc 0xc000 0x1000 0x800 False 0.2783203125 data 2.64956945519 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name RVA Size Type Language Country


RT_ICON 0xc0d8 0x2e8 data English United States
RT_ICON 0xc3c4 0x128 GLS_BINARY_LSB_FIRST English United States
RT_GROUP_ICON 0xc4f0 0x22 MS Windows icon resource - 2 icons, 32x32, 16-colors English United States

Imports

DLL Import
KERNEL32.DLL LoadLibraryA, GetProcAddress, ExitProcess
ADVAPI32.dll RegCloseKey
MSVCRT.dll time
USER32.dll wsprintfA
WS2_32.dll gethostname

Possible Origin

Language of compilation system Country where language is spoken Map

English United States

Network Behavior

Network Port Distribution

Total Packets: 264

• 25 (SMTP)
• 1042 undefined
• 53 (DNS)

TCP Packets

Timestamp Source Port Dest Port Source IP Dest IP


Jun 26, 2018 12:20:17.678016901 CEST 49163 1042 192.168.2.2 10.192.40.186
Jun 26, 2018 12:20:20.676666975 CEST 49163 1042 192.168.2.2 10.192.40.186
Jun 26, 2018 12:20:21.103809118 CEST 56842 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:20:21.146749020 CEST 53 56842 8.8.8.8 192.168.2.2
Jun 26, 2018 12:20:21.177536011 CEST 56843 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:20:21.221587896 CEST 53 56843 8.8.8.8 192.168.2.2
Jun 26, 2018 12:20:21.222224951 CEST 56843 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:20:21.241241932 CEST 53 56843 8.8.8.8 192.168.2.2
Jun 26, 2018 12:20:21.338781118 CEST 56844 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:20:21.382713079 CEST 53 56844 8.8.8.8 192.168.2.2
Jun 26, 2018 12:20:21.382989883 CEST 56844 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:20:21.401880980 CEST 53 56844 8.8.8.8 192.168.2.2
Jun 26, 2018 12:20:25.936043978 CEST 53440 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:20:25.970952988 CEST 53 53440 8.8.8.8 192.168.2.2
Jun 26, 2018 12:20:26.685309887 CEST 49163 1042 192.168.2.2 10.192.40.186
Jun 26, 2018 12:20:28.220828056 CEST 59605 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:20:28.272450924 CEST 53 59605 8.8.8.8 192.168.2.2
Jun 26, 2018 12:20:32.232603073 CEST 50900 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:20:32.288032055 CEST 53 50900 8.8.8.8 192.168.2.2
Jun 26, 2018 12:20:32.296191931 CEST 51075 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:20:32.339874029 CEST 53 51075 8.8.8.8 192.168.2.2
Jun 26, 2018 12:20:33.291430950 CEST 61674 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:20:33.334295988 CEST 53 61674 8.8.8.8 192.168.2.2
Jun 26, 2018 12:20:35.610023975 CEST 49165 1042 192.168.2.2 134.189.78.184
Jun 26, 2018 12:20:38.612711906 CEST 49165 1042 192.168.2.2 134.189.78.184
Jun 26, 2018 12:20:44.611552954 CEST 49165 1042 192.168.2.2 134.189.78.184
Jun 26, 2018 12:21:17.609808922 CEST 49167 1042 192.168.2.2 144.197.186.75
Jun 26, 2018 12:21:20.613168001 CEST 49167 1042 192.168.2.2 144.197.186.75
Jun 26, 2018 12:21:26.611541033 CEST 49167 1042 192.168.2.2 144.197.186.75
Jun 26, 2018 12:21:38.609750032 CEST 49168 1042 192.168.2.2 64.165.18.101
Jun 26, 2018 12:21:41.392906904 CEST 59291 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:41.426862955 CEST 63053 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:41.428119898 CEST 53 59291 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:41.461986065 CEST 53 63053 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:41.613344908 CEST 49168 1042 192.168.2.2 64.165.18.101
Jun 26, 2018 12:21:46.212759018 CEST 60812 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:46.247776031 CEST 53 60812 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:47.289118052 CEST 58523 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:47.324645996 CEST 53 58523 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:47.611737013 CEST 49168 1042 192.168.2.2 64.165.18.101
Jun 26, 2018 12:21:48.330343008 CEST 65490 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.349817038 CEST 60652 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.366198063 CEST 53 65490 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.376326084 CEST 57729 53 192.168.2.2 8.8.8.8

Copyright Joe Security LLC 2018 Page 109 of 287


Timestamp Source Port Dest Port Source IP Dest IP
Jun 26, 2018 12:21:48.389273882 CEST 53 60652 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.395354033 CEST 53 57729 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.424895048 CEST 65311 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.446676016 CEST 50323 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.460542917 CEST 53 65311 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.479223013 CEST 50324 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.501593113 CEST 64115 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.514925957 CEST 53 50324 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.537004948 CEST 53 64115 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.559067011 CEST 59195 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.564539909 CEST 53 50323 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.569062948 CEST 59196 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.594377041 CEST 53 59195 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.616482019 CEST 53 59196 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.642230988 CEST 58138 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.678320885 CEST 53 58138 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.678395033 CEST 60708 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.713365078 CEST 53 60708 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.776510954 CEST 65034 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.782478094 CEST 65035 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.817867041 CEST 53 65035 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.818156958 CEST 65035 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.837106943 CEST 53 65035 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.893805981 CEST 53 65034 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.946516037 CEST 65036 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:48.982239008 CEST 53 65036 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:48.984205008 CEST 65036 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:49.003470898 CEST 53 65036 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:49.257272959 CEST 58653 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:49.292752981 CEST 53 58653 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:49.329770088 CEST 49172 25 192.168.2.2 216.97.88.9
Jun 26, 2018 12:21:49.343036890 CEST 25 49172 216.97.88.9 192.168.2.2
Jun 26, 2018 12:21:49.484499931 CEST 57327 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:49.519666910 CEST 53 57327 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:49.845309019 CEST 49172 25 192.168.2.2 216.97.88.9
Jun 26, 2018 12:21:49.858571053 CEST 25 49172 216.97.88.9 192.168.2.2
Jun 26, 2018 12:21:50.365916967 CEST 49172 25 192.168.2.2 216.97.88.9
Jun 26, 2018 12:21:50.379395962 CEST 25 49172 216.97.88.9 192.168.2.2
Jun 26, 2018 12:21:50.383773088 CEST 56352 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:50.419671059 CEST 53 56352 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:50.420368910 CEST 49174 25 192.168.2.2 216.97.88.9
Jun 26, 2018 12:21:50.433557987 CEST 25 49174 216.97.88.9 192.168.2.2
Jun 26, 2018 12:21:50.926923037 CEST 49174 25 192.168.2.2 216.97.88.9
Jun 26, 2018 12:21:50.940310001 CEST 25 49174 216.97.88.9 192.168.2.2
Jun 26, 2018 12:21:51.059434891 CEST 62091 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:51.094727993 CEST 53 62091 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:51.437135935 CEST 49174 25 192.168.2.2 216.97.88.9
Jun 26, 2018 12:21:51.450423002 CEST 25 49174 216.97.88.9 192.168.2.2
Jun 26, 2018 12:21:52.218821049 CEST 63509 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:52.254345894 CEST 53 63509 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:53.328111887 CEST 51492 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:53.347253084 CEST 53 51492 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:53.630354881 CEST 62750 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:53.666729927 CEST 53 62750 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:53.671427011 CEST 58913 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:53.708128929 CEST 53 58913 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:53.714411020 CEST 63309 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:53.750488997 CEST 53 63309 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:53.752518892 CEST 49178 25 192.168.2.2 207.244.88.150
Jun 26, 2018 12:21:53.765804052 CEST 25 49178 207.244.88.150 192.168.2.2
Jun 26, 2018 12:21:54.271229982 CEST 49178 25 192.168.2.2 207.244.88.150
Jun 26, 2018 12:21:54.284388065 CEST 25 49178 207.244.88.150 192.168.2.2
Jun 26, 2018 12:21:54.817222118 CEST 49178 25 192.168.2.2 207.244.88.150
Jun 26, 2018 12:21:54.830502033 CEST 25 49178 207.244.88.150 192.168.2.2

Copyright Joe Security LLC 2018 Page 110 of 287


Timestamp Source Port Dest Port Source IP Dest IP
Jun 26, 2018 12:21:54.835845947 CEST 52316 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:54.871596098 CEST 53 52316 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:54.872504950 CEST 49179 25 192.168.2.2 37.48.69.230
Jun 26, 2018 12:21:54.885703087 CEST 25 49179 37.48.69.230 192.168.2.2
Jun 26, 2018 12:21:55.414210081 CEST 49179 25 192.168.2.2 37.48.69.230
Jun 26, 2018 12:21:55.427505016 CEST 25 49179 37.48.69.230 192.168.2.2
Jun 26, 2018 12:21:55.933577061 CEST 49179 25 192.168.2.2 37.48.69.230
Jun 26, 2018 12:21:55.946866989 CEST 25 49179 37.48.69.230 192.168.2.2
Jun 26, 2018 12:21:55.950062990 CEST 65236 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:55.985801935 CEST 53 65236 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:55.989080906 CEST 49180 25 192.168.2.2 40.79.78.1
Jun 26, 2018 12:21:56.002496958 CEST 25 49180 40.79.78.1 192.168.2.2
Jun 26, 2018 12:21:56.055902004 CEST 55904 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:56.094420910 CEST 53 55904 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:56.103157043 CEST 49181 25 192.168.2.2 192.254.190.168
Jun 26, 2018 12:21:56.116698027 CEST 25 49181 192.254.190.168 192.168.2.2
Jun 26, 2018 12:21:56.504669905 CEST 49180 25 192.168.2.2 40.79.78.1
Jun 26, 2018 12:21:56.517992973 CEST 25 49180 40.79.78.1 192.168.2.2
Jun 26, 2018 12:21:56.624674082 CEST 49181 25 192.168.2.2 192.254.190.168
Jun 26, 2018 12:21:56.638099909 CEST 25 49181 192.254.190.168 192.168.2.2
Jun 26, 2018 12:21:57.022867918 CEST 49180 25 192.168.2.2 40.79.78.1
Jun 26, 2018 12:21:57.036111116 CEST 25 49180 40.79.78.1 192.168.2.2
Jun 26, 2018 12:21:57.039136887 CEST 55581 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:57.080776930 CEST 53 55581 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:57.081490993 CEST 49182 25 192.168.2.2 40.79.78.1
Jun 26, 2018 12:21:57.094731092 CEST 25 49182 40.79.78.1 192.168.2.2
Jun 26, 2018 12:21:57.147129059 CEST 49181 25 192.168.2.2 192.254.190.168
Jun 26, 2018 12:21:57.160825968 CEST 25 49181 192.254.190.168 192.168.2.2
Jun 26, 2018 12:21:57.163995981 CEST 57178 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:57.199748039 CEST 53 57178 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:57.200422049 CEST 49183 25 192.168.2.2 192.254.190.168
Jun 26, 2018 12:21:57.213716030 CEST 25 49183 192.254.190.168 192.168.2.2
Jun 26, 2018 12:21:57.594083071 CEST 49182 25 192.168.2.2 40.79.78.1
Jun 26, 2018 12:21:57.607777119 CEST 25 49182 40.79.78.1 192.168.2.2
Jun 26, 2018 12:21:57.716222048 CEST 49183 25 192.168.2.2 192.254.190.168
Jun 26, 2018 12:21:57.729563951 CEST 25 49183 192.254.190.168 192.168.2.2
Jun 26, 2018 12:21:58.106834888 CEST 49182 25 192.168.2.2 40.79.78.1
Jun 26, 2018 12:21:58.120176077 CEST 25 49182 40.79.78.1 192.168.2.2
Jun 26, 2018 12:21:58.125967979 CEST 62406 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:58.163050890 CEST 53 62406 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:58.164153099 CEST 49184 25 192.168.2.2 95.216.24.32
Jun 26, 2018 12:21:58.177346945 CEST 25 49184 95.216.24.32 192.168.2.2
Jun 26, 2018 12:21:58.226883888 CEST 49183 25 192.168.2.2 192.254.190.168
Jun 26, 2018 12:21:58.240228891 CEST 25 49183 192.254.190.168 192.168.2.2
Jun 26, 2018 12:21:58.246819973 CEST 58563 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:58.418970108 CEST 53 58563 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:58.591731071 CEST 49408 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:58.626873016 CEST 53 49408 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:58.629811049 CEST 49185 25 192.168.2.2 192.254.190.168
Jun 26, 2018 12:21:58.638328075 CEST 61609 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:58.643167019 CEST 25 49185 192.254.190.168 192.168.2.2
Jun 26, 2018 12:21:58.681143045 CEST 49184 25 192.168.2.2 95.216.24.32
Jun 26, 2018 12:21:58.686562061 CEST 53 61609 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:58.687390089 CEST 49186 25 192.168.2.2 184.168.221.45
Jun 26, 2018 12:21:58.694439888 CEST 25 49184 95.216.24.32 192.168.2.2
Jun 26, 2018 12:21:58.700593948 CEST 25 49186 184.168.221.45 192.168.2.2
Jun 26, 2018 12:21:59.138561964 CEST 49185 25 192.168.2.2 192.254.190.168
Jun 26, 2018 12:21:59.151721001 CEST 25 49185 192.254.190.168 192.168.2.2
Jun 26, 2018 12:21:59.188807011 CEST 49184 25 192.168.2.2 95.216.24.32
Jun 26, 2018 12:21:59.198878050 CEST 49186 25 192.168.2.2 184.168.221.45
Jun 26, 2018 12:21:59.202296019 CEST 25 49184 95.216.24.32 192.168.2.2
Jun 26, 2018 12:21:59.212228060 CEST 25 49186 184.168.221.45 192.168.2.2
Jun 26, 2018 12:21:59.649082899 CEST 49185 25 192.168.2.2 192.254.190.168
Jun 26, 2018 12:21:59.662426949 CEST 25 49185 192.254.190.168 192.168.2.2

Copyright Joe Security LLC 2018 Page 111 of 287


Timestamp Source Port Dest Port Source IP Dest IP
Jun 26, 2018 12:21:59.785722017 CEST 49186 25 192.168.2.2 184.168.221.45
Jun 26, 2018 12:21:59.799251080 CEST 25 49186 184.168.221.45 192.168.2.2
Jun 26, 2018 12:21:59.802542925 CEST 59433 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:59.849773884 CEST 53 59433 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:59.854916096 CEST 57291 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:59.891925097 CEST 52245 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:59.904103994 CEST 53 57291 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:59.907624006 CEST 56115 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:21:59.927565098 CEST 53 52245 8.8.8.8 192.168.2.2
Jun 26, 2018 12:21:59.961206913 CEST 53 56115 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:02.179898977 CEST 64225 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:02.223006010 CEST 53 64225 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:02.369297028 CEST 49187 1042 192.168.2.2 4.46.196.224
Jun 26, 2018 12:22:02.736458063 CEST 55567 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:02.772547007 CEST 53 55567 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:02.774004936 CEST 49188 25 192.168.2.2 64.147.108.50
Jun 26, 2018 12:22:02.787355900 CEST 25 49188 64.147.108.50 192.168.2.2
Jun 26, 2018 12:22:03.294348955 CEST 49188 25 192.168.2.2 64.147.108.50
Jun 26, 2018 12:22:03.307694912 CEST 25 49188 64.147.108.50 192.168.2.2
Jun 26, 2018 12:22:03.814912081 CEST 49188 25 192.168.2.2 64.147.108.50
Jun 26, 2018 12:22:03.828358889 CEST 25 49188 64.147.108.50 192.168.2.2
Jun 26, 2018 12:22:03.872806072 CEST 54625 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:03.909903049 CEST 53 54625 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:03.910918951 CEST 49189 25 192.168.2.2 64.147.108.53
Jun 26, 2018 12:22:03.924186945 CEST 25 49189 64.147.108.53 192.168.2.2
Jun 26, 2018 12:22:04.425796032 CEST 49189 25 192.168.2.2 64.147.108.53
Jun 26, 2018 12:22:04.439048052 CEST 25 49189 64.147.108.53 192.168.2.2
Jun 26, 2018 12:22:04.661767960 CEST 64017 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:04.697861910 CEST 53 64017 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:04.936520100 CEST 49189 25 192.168.2.2 64.147.108.53
Jun 26, 2018 12:22:04.949795961 CEST 25 49189 64.147.108.53 192.168.2.2
Jun 26, 2018 12:22:04.956285954 CEST 53054 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:05.006807089 CEST 53 53054 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:05.008764982 CEST 49190 25 192.168.2.2 64.147.108.55
Jun 26, 2018 12:22:05.021939039 CEST 25 49190 64.147.108.55 192.168.2.2
Jun 26, 2018 12:22:05.367217064 CEST 49187 1042 192.168.2.2 4.46.196.224
Jun 26, 2018 12:22:05.517826080 CEST 49190 25 192.168.2.2 64.147.108.55
Jun 26, 2018 12:22:05.531469107 CEST 25 49190 64.147.108.55 192.168.2.2
Jun 26, 2018 12:22:06.028167963 CEST 49190 25 192.168.2.2 64.147.108.55
Jun 26, 2018 12:22:06.041582108 CEST 25 49190 64.147.108.55 192.168.2.2
Jun 26, 2018 12:22:06.049595118 CEST 61002 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:06.086580992 CEST 53 61002 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:06.087502956 CEST 49191 25 192.168.2.2 64.147.108.52
Jun 26, 2018 12:22:06.100660086 CEST 25 49191 64.147.108.52 192.168.2.2
Jun 26, 2018 12:22:06.597167969 CEST 49191 25 192.168.2.2 64.147.108.52
Jun 26, 2018 12:22:06.610507011 CEST 25 49191 64.147.108.52 192.168.2.2
Jun 26, 2018 12:22:07.109798908 CEST 49191 25 192.168.2.2 64.147.108.52
Jun 26, 2018 12:22:07.123146057 CEST 25 49191 64.147.108.52 192.168.2.2
Jun 26, 2018 12:22:07.127648115 CEST 61578 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:07.164446115 CEST 53 61578 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:07.165203094 CEST 49192 25 192.168.2.2 64.147.108.51
Jun 26, 2018 12:22:07.178438902 CEST 25 49192 64.147.108.51 192.168.2.2
Jun 26, 2018 12:22:07.504734993 CEST 64252 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:07.540472031 CEST 53 64252 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:07.541202068 CEST 49193 25 192.168.2.2 216.200.145.235
Jun 26, 2018 12:22:07.554644108 CEST 25 49193 216.200.145.235 192.168.2.2
Jun 26, 2018 12:22:07.680546999 CEST 49192 25 192.168.2.2 64.147.108.51
Jun 26, 2018 12:22:07.693783998 CEST 25 49192 64.147.108.51 192.168.2.2
Jun 26, 2018 12:22:08.058059931 CEST 49193 25 192.168.2.2 216.200.145.235
Jun 26, 2018 12:22:08.071228981 CEST 25 49193 216.200.145.235 192.168.2.2
Jun 26, 2018 12:22:08.209611893 CEST 49192 25 192.168.2.2 64.147.108.51
Jun 26, 2018 12:22:08.222693920 CEST 25 49192 64.147.108.51 192.168.2.2
Jun 26, 2018 12:22:08.225646973 CEST 62744 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:08.260598898 CEST 53 62744 8.8.8.8 192.168.2.2

Copyright Joe Security LLC 2018 Page 112 of 287


Timestamp Source Port Dest Port Source IP Dest IP
Jun 26, 2018 12:22:08.261570930 CEST 49194 25 192.168.2.2 64.147.108.54
Jun 26, 2018 12:22:08.275389910 CEST 25 49194 64.147.108.54 192.168.2.2
Jun 26, 2018 12:22:08.571964025 CEST 49193 25 192.168.2.2 216.200.145.235
Jun 26, 2018 12:22:08.585422039 CEST 25 49193 216.200.145.235 192.168.2.2
Jun 26, 2018 12:22:08.588756084 CEST 64808 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:08.707588911 CEST 53 64808 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:08.708256960 CEST 49195 25 192.168.2.2 74.201.226.52
Jun 26, 2018 12:22:08.721637964 CEST 25 49195 74.201.226.52 192.168.2.2
Jun 26, 2018 12:22:08.772164106 CEST 49194 25 192.168.2.2 64.147.108.54
Jun 26, 2018 12:22:08.785446882 CEST 25 49194 64.147.108.54 192.168.2.2
Jun 26, 2018 12:22:09.248398066 CEST 49195 25 192.168.2.2 74.201.226.52
Jun 26, 2018 12:22:09.261804104 CEST 25 49195 74.201.226.52 192.168.2.2
Jun 26, 2018 12:22:09.323359966 CEST 49194 25 192.168.2.2 64.147.108.54
Jun 26, 2018 12:22:09.336838961 CEST 25 49194 64.147.108.54 192.168.2.2
Jun 26, 2018 12:22:09.341253996 CEST 65300 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:09.376785040 CEST 53 65300 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:09.377789974 CEST 49196 25 192.168.2.2 64.147.108.40
Jun 26, 2018 12:22:09.391123056 CEST 25 49196 64.147.108.40 192.168.2.2
Jun 26, 2018 12:22:09.512995958 CEST 51518 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:09.548563957 CEST 53 51518 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:09.549462080 CEST 49197 25 192.168.2.2 131.111.8.147
Jun 26, 2018 12:22:09.562793970 CEST 25 49197 131.111.8.147 192.168.2.2
Jun 26, 2018 12:22:09.763567924 CEST 49195 25 192.168.2.2 74.201.226.52
Jun 26, 2018 12:22:09.777110100 CEST 25 49195 74.201.226.52 192.168.2.2
Jun 26, 2018 12:22:09.780275106 CEST 63535 53 192.168.2.2 8.8.8.8
Jun 26, 2018 12:22:09.893711090 CEST 49196 25 192.168.2.2 64.147.108.40
Jun 26, 2018 12:22:09.900820017 CEST 53 63535 8.8.8.8 192.168.2.2
Jun 26, 2018 12:22:09.906852007 CEST 25 49196 64.147.108.40 192.168.2.2
Jun 26, 2018 12:22:10.064970016 CEST 49197 25 192.168.2.2 131.111.8.147
Jun 26, 2018 12:22:10.078178883 CEST 25 49197 131.111.8.147 192.168.2.2



UDP Packets

Timestamp Source Port Dest Port Source IP Dest IP





DNS Queries

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class





DNS Answers

Timestamp Source IP Dest IP Trans ID Replay Code Name CName Address Type Class



Jun 26, 2018 8.8.8.8 192.168.2.2 0x5828 No error (0) mx.cam.ac.uk 131.111.8.147 A (IP address) IN (0x0001)
12:22:09.548563957
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x5828 No error (0) mx.cam.ac.uk 131.111.8.146 A (IP address) IN (0x0001)
12:22:09.548563957
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x5828 No error (0) mx.cam.ac.uk 131.111.8.149 A (IP address) IN (0x0001)
12:22:09.548563957
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x5828 No error (0) mx.cam.ac.uk 131.111.8.148 A (IP address) IN (0x0001)
12:22:09.548563957
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x830b Name error (3) mx.theriver.com none none A (IP address) IN (0x0001)
12:22:09.900820017
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0xf7c6 Name error (3) mx.pobox.com none none A (IP address) IN (0x0001)
12:22:10.551321030
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x265a No error (0) mx3.mindsp 207.69.189.219 A (IP address) IN (0x0001)
12:22:11.803616047 ring.com
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x1be8 No error (0) mail.theri mail.theriver.sitestar.ever CNAME IN (0x0001)
12:22:12.434541941 ver.com yone.net (Canonical
CEST name)
Jun 26, 2018 8.8.8.8 192.168.2.2 0x1be8 No error (0) mail.theri 209.249.171.103 A (IP address) IN (0x0001)
12:22:12.434541941 ver.sitest
CEST ar.everyone.net
Jun 26, 2018 8.8.8.8 192.168.2.2 0x4cef No error (0) mail.pobox.com 64.147.108.30 A (IP address) IN (0x0001)
12:22:12.836951017
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0xf504 No error (0) mx4.mindsp 207.69.189.220 A (IP address) IN (0x0001)
12:22:12.880569935 ring.com
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x5e43 Name error (3) mx.cl.cam.ac.uk none none A (IP address) IN (0x0001)
12:22:12.962896109
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x442e No error (0) smtp.theri mail.theriver.sitestar.ever CNAME IN (0x0001)
12:22:13.601715088 ver.com yone.net (Canonical
CEST name)
Jun 26, 2018 8.8.8.8 192.168.2.2 0x442e No error (0) mail.theri 209.249.171.103 A (IP address) IN (0x0001)
12:22:13.601715088 ver.sitest
CEST ar.everyone.net
Jun 26, 2018 8.8.8.8 192.168.2.2 0x8a11 No error (0) smtp.pobox.com 64.147.108.70 A (IP address) IN (0x0001)
12:22:13.911546946
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x8a11 No error (0) smtp.pobox.com 64.147.108.71 A (IP address) IN (0x0001)
12:22:13.911546946
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x216 No error (0) mx1.mindsp 207.69.189.217 A (IP address) IN (0x0001)
12:22:13.951987982 ring.com
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x2dc8 No error (0) mx2.mindsp 207.69.189.218 A (IP address) IN (0x0001)
12:22:15.027853012 ring.com
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0xce2f No error (0) mail.cl.ca mta0.cl.cam.ac.uk CNAME IN (0x0001)
12:22:15.265419960 m.ac.uk (Canonical
CEST name)
Jun 26, 2018 8.8.8.8 192.168.2.2 0xce2f No error (0) mta0.cl.ca 128.232.25.20 A (IP address) IN (0x0001)
12:22:15.265419960 m.ac.uk
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0xe067 No error (0) netcom.com 209.86.122.183 A (IP address) IN (0x0001)
12:22:16.110655069
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x39ea Name error (3) smtp.cl.ca none none A (IP address) IN (0x0001)
12:22:16.331861019 m.ac.uk
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x6ad7 Name error (3) mx.netcom.com none none A (IP address) IN (0x0001)
12:22:17.303755045
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x6e9e Name error (3) mail.netco none none A (IP address) IN (0x0001)
12:22:19.727431059 m.com
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x25f8 Name error (3) resources.jar none none MX (Mail IN (0x0001)
12:22:21.666806936 exchange)
CEST
Jun 26, 2018 8.8.8.8 192.168.2.2 0x53be Name error (3) resources.jar none none MX (Mail IN (0x0001)
12:22:21.704888105 exchange)
CEST

Jun 26, 2018 8.8.8.8 192.168.2.2 0x9502 Name error (3) smtp.netco none none A (IP address) IN (0x0001)
12:22:22.017528057 m.com
CEST

Code Manipulations

Statistics

Behavior

• 1dvwi.exe
• lsass.exe
• WerFault.exe

System Behavior

Analysis Process: 1dvwi.exe PID: 3348 Parent PID: 2960

General

Start time: 12:20:45
Start date: 26/06/2018
Path: C:\Users\user\Desktop\1dvwi.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\1dvwi.exe'
Imagebase: 0x800000
File size: 39538 bytes
MD5 hash: 74E9710D0BB409AEB3F8881EF75B062C
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source
File Path Access Attributes Options Completion Count Address Symbol
C:\Windows\lsass.exe read attributes | normal synchronous io success or wait 1 802A9A CreateFileA
synchronize | non alert | non
generic write directory file

C:\Windows\lsass.exe read data or list archive sequential only | success or wait 1 802ACC CopyFileA
directory | read non directory
attributes | file
delete | syn
chronize |
generic write
C:\Windows\lsass.exe\:Zone.Identifier:$DATA read data or list none sequential only | success or wait 1 802ACC CopyFileA
directory | synchronous io
synchronize | non alert
generic write
C:\Users\HERBBL~1\AppData\Local\Temp\uheknclgts.txt read attributes | normal synchronous io success or wait 1 8074BE fopen
synchronize | non alert | non
generic write directory file
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp read attributes | normal synchronous io success or wait 1 805B47 GetTempFileNameA
synchronize | non alert | non
generic read directory file
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp\:Zone.Ident read data or list none sequential only | success or wait 1 805B6B CopyFileA
ifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp read attributes | normal synchronous io success or wait 1 805BA6 GetTempFileNameA
synchronize | non alert | non
generic read directory file

File Deleted

Source
File Path Completion Count Address Symbol
C:\Windows\lsass.exe success or wait 1 802AB7 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp success or wait 1 806413 DeleteFileA

File Written

Source
File Path Offset Length Value Ascii Completion Count Address Symbol
C:\Windows\lsass.exe 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 802ACC CopyFileA
C:\Windows\lsass.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 802ACC CopyFileA
61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Users\HERBBL~1\AppData\Local\Temp\uheknclgts.txt unknown 4096 50 4f 6c 30 39 bb 8e 5f POl09.._U..c9..L9..C9...9... success or wait 4 807519 fwrite
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Loca 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 805B6B CopyFileA
l\Temp\tmpE8F0.tmp:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp unknown 4 c0 a8 02 02 .... success or wait 4636 807C00 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp unknown 4 c0 a8 02 02 .... success or wait 1 807C66 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp unknown 30 50 4b 03 04 0a 00 00 PK.........R.0.u..t...t...~... success or wait 1 805440 WriteFile
00 00 00 9a 52 da 30
1c 75 13 0d 74 9a 00
00 74 9a 00 00 7e 00
00 00

C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp unknown 126 2e 68 74 6d 20 20 20 .htm .pif success or wait 1 805453 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp unknown 1024 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 39 805485 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp unknown 46 50 4b 01 02 14 00 0a PK...........R.0.u..t...t...~. success or wait 1 8054DA WriteFile
00 00 00 00 00 9a 52 ........ .......
da 30 1c 75 13 0d 74
9a 00 00 74 9a 00 00
7e 00 00 00 00 00 00
00 00 00 20 00 00 00
00 00 00 00
C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp unknown 126 2e 68 74 6d 20 20 20 .htm .pif success or wait 1 8054ED WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp unknown 22 50 4b 05 06 00 00 00 PK.................... success or wait 1 80552E WriteFile
00 01 00 01 00 ac 00
00 00 10 9b 00 00 00
00

File Read

Source
File Path Offset Length Completion Count Address Symbol
C:\Users\user\Desktop\1dvwi.exe unknown 4 success or wait 1 8031B2 ReadFile
C:\Users\user\Desktop\1dvwi.exe unknown 22 success or wait 1 8031DF ReadFile
C:\Users\user\Desktop\1dvwi.exe unknown 40 success or wait 3 80323A ReadFile
C:\Users\user\Desktop\1dvwi.exe unknown 4 success or wait 4636 807D08 ReadFile
C:\Users\user\Desktop\1dvwi.exe unknown 4 end of file 1 807D08 ReadFile
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 success or wait 1 804953 ReadFile
S\common[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 end of file 1 804953 ReadFile
S\common[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 success or wait 1 804953 ReadFile
S\common[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 end of file 1 804953 ReadFile
S\common[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 success or wait 1 804953 ReadFile
S\host[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 end of file 1 804953 ReadFile
S\host[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 success or wait 1 804953 ReadFile
S\progress_bg_fill[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 end of file 1 804953 ReadFile
S\progress_bg_fill[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 success or wait 1 804953 ReadFile
S\progress_bg_left[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 end of file 1 804953 ReadFile
S\progress_bg_left[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 success or wait 1 804953 ReadFile
S\progress_fg_right[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 end of file 1 804953 ReadFile
S\progress_fg_right[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 success or wait 1 804953 ReadFile
S\welcome[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1P unknown 65533 end of file 1 804953 ReadFile
S\welcome[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 success or wait 1 804953 ReadFile
D\layout[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 end of file 1 804953 ReadFile
D\layout[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 success or wait 1 804953 ReadFile
D\layout[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 end of file 1 804953 ReadFile
D\layout[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 success or wait 1 804953 ReadFile
D\masthead_fill[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 end of file 1 804953 ReadFile
D\masthead_fill[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 success or wait 1 804953 ReadFile
D\masthead_fill[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 end of file 1 804953 ReadFile
D\masthead_fill[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 success or wait 1 804953 ReadFile
D\progress[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 end of file 1 804953 ReadFile
D\progress[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 success or wait 1 804953 ReadFile
D\progress_en[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 end of file 1 804953 ReadFile
D\progress_en[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 success or wait 1 804953 ReadFile
D\progress_fg_left[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 end of file 1 804953 ReadFile
D\progress_fg_left[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 success or wait 1 804953 ReadFile
D\welcome[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9W unknown 65533 end of file 1 804953 ReadFile
D\welcome[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 success or wait 1 804953 ReadFile
T\check[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 end of file 1 804953 ReadFile
T\check[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 success or wait 1 804953 ReadFile
T\complete[1]

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 end of file 1 804953 ReadFile
T\complete[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 success or wait 1 804953 ReadFile
T\host[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 end of file 1 804953 ReadFile
T\host[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 success or wait 1 804953 ReadFile
T\progress_fg_fill[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 end of file 1 804953 ReadFile
T\progress_fg_fill[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 success or wait 1 804953 ReadFile
T\rtutils[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 end of file 1 804953 ReadFile
T\rtutils[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 success or wait 1 804953 ReadFile
T\rtutils[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 end of file 1 804953 ReadFile
T\rtutils[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 success or wait 1 804953 ReadFile
T\welcome_en[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D unknown 65533 end of file 1 804953 ReadFile
T\welcome_en[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 success or wait 1 804953 ReadFile
U\complete_en[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 end of file 1 804953 ReadFile
U\complete_en[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 success or wait 1 804953 ReadFile
U\l10n[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 end of file 1 804953 ReadFile
U\l10n[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 success or wait 1 804953 ReadFile
U\l10n[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 end of file 1 804953 ReadFile
U\l10n[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 success or wait 1 804953 ReadFile
U\masthead_left[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 end of file 1 804953 ReadFile
U\masthead_left[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 success or wait 1 804953 ReadFile
U\masthead_left[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 end of file 1 804953 ReadFile
U\masthead_left[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 success or wait 1 804953 ReadFile
U\progress_bg_right[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 end of file 1 804953 ReadFile
U\progress_bg_right[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 success or wait 1 804953 ReadFile
U\welcome_en[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYAC unknown 65533 end of file 1 804953 ReadFile
U\welcome_en[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SN unknown 65533 success or wait 1 804953 ReadFile
L0OFP\meversion[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SN unknown 65533 end of file 1 804953 ReadFile
L0OFP\meversion[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SN unknown 65533 success or wait 1 804953 ReadFile
L0OFP\new[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SN unknown 65533 end of file 1 804953 ReadFile
L0OFP\new[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SN unknown 65533 success or wait 2 804953 ReadFile
L0OFP\search[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1SN unknown 65533 end of file 1 804953 ReadFile
L0OFP\search[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOO unknown 65533 success or wait 1 804953 ReadFile
IW152\dest5[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOO unknown 65533 end of file 1 804953 ReadFile
IW152\dest5[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 success or wait 2 804953 ReadFile
CI2WS\new[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 end of file 1 804953 ReadFile
CI2WS\new[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 success or wait 2 804953 ReadFile
CI2WS\new[2].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 end of file 1 804953 ReadFile
CI2WS\new[2].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 success or wait 1 804953 ReadFile
CI2WS\Passport[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 end of file 1 804953 ReadFile
CI2WS\Passport[1].htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 success or wait 1 804953 ReadFile
CI2WS\print[1].txt
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 end of file 1 804953 ReadFile
CI2WS\print[1].txt
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 success or wait 1 804953 ReadFile
CI2WS\sft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MS
NDEDE12;kvgrp=104272687;kvismob=2;extmirroring=0;kvtile=1;target=_blank;aduho=120;grp=1042
72687[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 end of file 1 804953 ReadFile
CI2WS\sft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MS
NDEDE12;kvgrp=104272687;kvismob=2;extmirroring=0;kvtile=1;target=_blank;aduho=120;grp=1042
72687[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 success or wait 1 804953 ReadFile
CI2WS\sft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MS
NDEDE1B;kvgrp=104272687;kvismob=2;extmirroring=0;kvtile=3;target=_blank;aduho=120;grp=1042
72687[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 end of file 1 804953 ReadFile
CI2WS\sft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MS
NDEDE1B;kvgrp=104272687;kvismob=2;extmirroring=0;kvtile=3;target=_blank;aduho=120;grp=1042
72687[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 success or wait 1 804953 ReadFile
CI2WS\sft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MS
NDEDE1C;kvgrp=104272687;kvismob=2;extmirroring=0;kvtile=4;target=_blank;aduho=120;grp=1042
72687[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 end of file 1 804953 ReadFile
CI2WS\sft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MS
NDEDE1C;kvgrp=104272687;kvismob=2;extmirroring=0;kvtile=4;target=_blank;aduho=120;grp=1042
72687[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 success or wait 1 804953 ReadFile
CI2WS\sft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MS
NDEDE1D;kvgrp=104272687;kvismob=2;extmirroring=0;kvtile=5;target=_blank;aduho=120;grp=1042
72687[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 end of file 1 804953 ReadFile
CI2WS\sft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MS
NDEDE1D;kvgrp=104272687;kvismob=2;extmirroring=0;kvtile=5;target=_blank;aduho=120;grp=1042
72687[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 success or wait 1 804953 ReadFile
CI2WS\stub_attribution_code[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WYE unknown 65533 end of file 1 804953 ReadFile
CI2WS\stub_attribution_code[1]
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp unknown 4 success or wait 1 8031B2 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp unknown 22 success or wait 1 8031DF ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp unknown 40 success or wait 3 80323A ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp unknown 1024 success or wait 39 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp unknown 1024 end of file 1 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp unknown 1024 success or wait 39 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpE8F0.tmp unknown 1024 end of file 1 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp unknown 1024 success or wait 39 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmpFA27.tmp unknown 1024 end of file 1 806038 ReadFile

Registry Activities

Key Created

Source
Key Path Completion Count Address Symbol
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\POSIX success or wait 1 8028C0 RegCreateKeyExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\POSIX success or wait 1 8028C0 RegCreateKeyExA

Key Value Created

Source
Key Path Name Type Data Completion Count Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Mi Traybar unicode C:\Windows\lsass.exe success or wait 1 802C38 RegSetValueExA
crosoft\Windows\CurrentVersion\Run

Source
Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: lsass.exe PID: 3428 Parent PID: 1432

General

Start time: 12:20:47
Start date: 26/06/2018
Path: C:\Windows\lsass.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\lsass.exe'
Imagebase: 0x800000
File size: 39538 bytes
MD5 hash: 74E9710D0BB409AEB3F8881EF75B062C
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source
File Path Access Attributes Options Completion Count Address Symbol
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805B47 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805B47 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805BA6 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805B47 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805B47 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805B47 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805A5A GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805A73 CopyFileA
C:\Program Files\Common Files\microsoft shared\index.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\index.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805A5A GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805A73 CopyFileA
C:\Program Files\Common Files\microsoft shared\DAO\Harry Potter.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\DAO\Harry Potter.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805BA6 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805B47 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805B6B CopyFileA
C:\Program Files\Common Files\microsoft shared\DW\Winamp 5.0 (en).exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\DW\Winamp 5.0 (en).exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805B47 GetTempFileNameA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 805B6B CopyFileA
C:\Program Files\Common Files\microsoft shared\EQUATION\Kazaa Lite.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\EQUATION\Kazaa Lite.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\EQUATION\1033\ICQ 4 Lite.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\EQUATION\1033\ICQ 4 Lite.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\EURO\Winamp 5.0 (en).com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\EURO\Winamp 5.0 (en).com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Filters\Kazaa Lite.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Filters\Kazaa Lite.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\GRPHFLT\index.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\GRPHFLT\index.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\ICQ 4 Lite.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\ICQ 4 Lite.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1028\ICQ 4 Lite.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1028\ICQ 4 Lite.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1031\ICQ 4 Lite.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1031\ICQ 4 Lite.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1033\Kazaa Lite.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1033\Kazaa Lite.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1036\Harry Potter.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1036\Harry Potter.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1040\Winamp 5.0 (en).ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1040\Winamp 5.0 (en).ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1041\index.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1041\index.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1042\Kazaa Lite.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1042\Kazaa Lite.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1046\ICQ 4 Lite.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1046\ICQ 4 Lite.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1049\Harry Potter.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1049\Harry Potter.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\2052\Winamp 5.0 (en).exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\2052\Winamp 5.0 (en).exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\3082\Winamp 5.0 (en) Crack.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\3082\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\Kazaa Lite.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\Kazaa Lite.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\1.0\WinRAR.v.3.2.and.key.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\1.0\WinRAR.v.3.2.and.key.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\1.7\Harry Potter.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\1.7\Harry Potter.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\ICQ 4 Lite.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\ICQ 4 Lite.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\Harry Potter.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\Harry Potter.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\WinRAR.v.3.2.and.key.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\WinRAR.v.3.2.and.key.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\da-DK\index.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\da-DK\index.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\de-DE\ICQ 4 Lite.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805BA6 GetTempFileNameA
C:\Program Files\Common Files\microsoft shared\ink\de-DE\ICQ 4 Lite.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\el-GR\Winamp 5.0 (en) Crack.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\el-GR\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\en-US\Winamp 5.0 (en).ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\en-US\Winamp 5.0 (en).ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\es-ES\ICQ 4 Lite.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\es-ES\ICQ 4 Lite.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\et-EE\WinRAR.v.3.2.and.key.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\et-EE\WinRAR.v.3.2.and.key.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Winamp 5.0 (en) Crack.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\index.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\index.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\Harry Potter.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\Harry Potter.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\Harry Potter.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\Harry Potter.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\index.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\index.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\index.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\index.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\numbers\Harry Potter.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\numbers\Harry Potter.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\WinRAR.v.3.2.and.key.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\WinRAR.v.3.2.and.key.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\Kazaa Lite.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\Kazaa Lite.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\Harry Potter.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\Harry Potter.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\Winamp 5.0 (en).com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\Winamp 5.0 (en).com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\web\WinRAR.v.3.2.and.key.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\web\WinRAR.v.3.2.and.key.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\he-IL\WinRAR.v.3.2.and.key.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 805BA6 GetTempFileNameA
C:\Program Files\Common Files\microsoft shared\ink\he-IL\WinRAR.v.3.2.and.key.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\hr-HR\Winamp 5.0 (en).com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\hr-HR\Winamp 5.0 (en).com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\hu-HU\index.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\hu-HU\index.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\Harry Potter.ShareReactor.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\Harry Potter.ShareReactor.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\it-IT\ICQ 4 Lite.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\it-IT\ICQ 4 Lite.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Kazaa Lite.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Kazaa Lite.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\ko-KR\Winamp 5.0 (en).com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\ko-KR\Winamp 5.0 (en).com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\lt-LT\ICQ 4 Lite.com read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\lt-LT\ICQ 4 Lite.com\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\lv-LV\WinRAR.v.3.2.and.key.exe read data or list directory | read attributes | delete | synchronize | generic write archive sequential only | synchronous io non alert | non directory file success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\lv-LV\WinRAR.v.3.2.and.key.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write none sequential only | synchronous io non alert success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\nb-NO\Win read data or list archive sequential only | success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\nb-NO\Win read data or list none sequential only | success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\nl-NL\Win read data or list archive sequential only | success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\nl-NL\Win read data or list none sequential only | success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Winamp 5.0 read data or list archive sequential only | success or wait 1 80334D CopyFileA
(en) Crack.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Winamp 5.0 read data or list none sequential only | success or wait 1 80334D CopyFileA
(en) Crack.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Harry read data or list archive sequential only | success or wait 1 80334D CopyFileA
Potter.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Harry read data or list none sequential only | success or wait 1 80334D CopyFileA
Potter.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\pt-PT\Win read data or list archive sequential only | success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\pt-PT\Win read data or list none sequential only | success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\ro-RO\ind read data or list archive sequential only | success or wait 1 80334D CopyFileA
ex.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\ro-RO\ind read data or list none sequential only | success or wait 1 80334D CopyFileA
ex.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Harry read data or list archive sequential only | success or wait 1 80334D CopyFileA
Potter.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Harry read data or list none sequential only | success or wait 1 80334D CopyFileA
Potter.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Harry read data or list archive sequential only | success or wait 1 80334D CopyFileA
Potter.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Harry read data or list none sequential only | success or wait 1 80334D CopyFileA
Potter.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write

C:\Program Files\Common Files\microsoft shared\ink\sl-SI\ICQ 4 Lite.exe read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\sl-SI\ICQ 4 read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\Harry read data or list archive sequential only | success or wait 1 80334D CopyFileA
Potter.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\Harry read data or list none sequential only | success or wait 1 80334D CopyFileA
Potter.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Harry read data or list archive sequential only | success or wait 1 80334D CopyFileA
Potter.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp read attributes | normal synchronous io success or wait 1 805BA6 GetTempFileNameA
synchronize | non alert | non
generic read directory file
C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Harry read data or list none sequential only | success or wait 1 80334D CopyFileA
Potter.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\th-TH\ICQ 4 read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\th-TH\ICQ 4 read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Winamp 5.0 read data or list archive sequential only | success or wait 1 80334D CopyFileA
(en).ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Winamp 5.0 read data or list none sequential only | success or wait 1 80334D CopyFileA
(en).ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\uk-UA\Winamp 5.0 read data or list archive sequential only | success or wait 1 80334D CopyFileA
(en).com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\uk-UA\Winamp 5.0 read data or list none sequential only | success or wait 1 80334D CopyFileA
(en).com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\zh-CN\Harry read data or list archive sequential only | success or wait 1 80334D CopyFileA
Potter.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\ink\zh-CN\Harry read data or list none sequential only | success or wait 1 80334D CopyFileA
Potter.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\ink\zh-TW\Winamp 5.0 read data or list archive sequential only | success or wait 1 80334D CopyFileA
(en) Crack.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Common Files\microsoft shared\ink\zh-TW\Winamp 5.0 read data or list none sequential only | success or wait 1 80334D CopyFileA
(en) Crack.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\MSEnv\ICQ 4 Lite.exe read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\MSEnv\ICQ 4 L read data or list none sequential only | success or wait 1 80334D CopyFileA
ite.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\MSEnv\PublicA read data or list archive sequential only | success or wait 1 80334D CopyFileA
ssemblies\Winamp 5.0 (en).com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\MSEnv\PublicA read data or list none sequential only | success or wait 1 80334D CopyFileA
ssemblies\Winamp 5.0 (en).com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\MSInfo\WinRAR read data or list archive sequential only | success or wait 1 80334D CopyFileA
.v.3.2.and.key.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\MSInfo\WinRAR read data or list none sequential only | success or wait 1 80334D CopyFileA
.v.3.2.and.key.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\ read data or list archive sequential only | success or wait 1 80334D CopyFileA
WinRAR.v.3.2.and.key.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\ read data or list none sequential only | success or wait 1 80334D CopyFileA
WinRAR.v.3.2.and.key.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\WinR read data or list archive sequential only | success or wait 1 80334D CopyFileA
AR.v.3.2.and.key.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\WinR read data or list none sequential only | success or wait 1 80334D CopyFileA
AR.v.3.2.and.key.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\1033 read data or list archive sequential only | success or wait 1 80334D CopyFileA
\index.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\1033 read data or list none sequential only | success or wait 1 80334D CopyFileA
\index.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Cult read data or list archive sequential only | success or wait 1 80334D CopyFileA
ures\Winamp 5.0 (en).com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Cult read data or list none sequential only | success or wait 1 80334D CopyFileA
ures\Winamp 5.0 (en).com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\Winamp 5.0 (en) Crack.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\Access.en-us\Harry Potter.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\Access.en-us\Harry Potter.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\Excel.en-us\Winamp 5.0 (en).exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\Excel.en-us\Winamp 5.0 (en).exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\Office.en-us\Harry Potter.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\Office.en-us\Harry Potter.ShareReactor.c directory | synchronous io
om\:Zone.Identifier:$DATA synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\OneNote.en-us\index.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\OneNote.en-us\index.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\Outlook.en-us\ICQ 4 Lite.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\Outlook.en-us\ICQ 4 Lite.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\PowerPoint.en-us\Harry Potter.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\PowerPoint.en-us\Harry Potter.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\Proof.en\WinRAR.v.3.2.and.key.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\Proof.en\WinRAR.v.3.2.and.key.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\Proof.es\Winamp 5.0 (en) Crack.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\Proof.es\Winamp 5.0 (en) Crack.ShareReac directory | synchronous io
tor.com\:Zone.Identifier:$DATA synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\Proof.fr\Kazaa Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\Proof.fr\Kazaa Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\Proofing.en-us\Winamp 5.0 (en).ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\Proofing.en-us\Winamp 5.0 (en).ShareReac directory | synchronous io
tor.com\:Zone.Identifier:$DATA synchronize | non alert
generic write
C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp read attributes | normal synchronous io success or wait 1 805BA6 GetTempFileNameA
synchronize | non alert | non
generic read directory file
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\Publisher.en-us\index.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\Publisher.en-us\index.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\SingleImage\index.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\SingleImage\index.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list archive sequential only | success or wait 1 80334D CopyFileA
Controller\Word.en-us\Kazaa Lite.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup read data or list none sequential only | success or wait 1 80334D CopyFileA
Controller\Word.en-us\Kazaa Lite.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\OfficeSoftwar read data or list archive sequential only | success or wait 1 80334D CopyFileA
eProtectionPlatform\Winamp 5.0 (en).ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\OfficeSoftwar read data or list none sequential only | success or wait 1 80334D CopyFileA
eProtectionPlatform\Winamp 5.0 (en).ShareReactor.com\:Zone.I directory | synchronous io
dentifier:$DATA synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Portal\WinRAR read data or list archive sequential only | success or wait 1 80334D CopyFileA
.v.3.2.and.key.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Portal\WinRAR read data or list none sequential only | success or wait 1 80334D CopyFileA
.v.3.2.and.key.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write

C:\Program Files\Common Files\microsoft shared\Portal\1033\Winamp 5.0 read data or list archive sequential only | success or wait 1 80334D CopyFileA
(en) Crack.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Portal\1033\Winamp 5.0 read data or list none sequential only | success or wait 1 80334D CopyFileA
(en) Crack.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\PROOF\index.com read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\PROOF\index.c read data or list none sequential only | success or wait 1 80334D CopyFileA
om\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Smart Tag\Winamp 5.0 read data or list archive sequential only | success or wait 1 80334D CopyFileA
(en) Crack.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Smart Tag\Winamp 5.0 read data or list none sequential only | success or wait 1 80334D CopyFileA
(en) Crack.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Smart Tag\1033\ICQ 4 read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Smart Tag\1033\ICQ 4 read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Smart Tag\LISTS\Harry read data or list archive sequential only | success or wait 1 80334D CopyFileA
Potter.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Smart Tag\LISTS\Harry read data or list none sequential only | success or wait 1 80334D CopyFileA
Potter.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Smart Tag\LIS read data or list archive sequential only | success or wait 1 80334D CopyFileA
TS\1033\Harry Potter.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Smart Tag\LIS read data or list none sequential only | success or wait 1 80334D CopyFileA
TS\1033\Harry Potter.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Source Engine\Winamp read data or list archive sequential only | success or wait 1 80334D CopyFileA
5.0 (en).com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Source Engine\Winamp read data or list none sequential only | success or wait 1 80334D CopyFileA
5.0 (en).com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Stationery\Kazaa read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Stationery\Kazaa read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write

C:\Program Files\Common Files\microsoft shared\TextConv\index.exe read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\TextConv\inde read data or list none sequential only | success or wait 1 80334D CopyFileA
x.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\TextConv\en-US\ICQ 4 read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\TextConv\en-US\ICQ 4 read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\TextConv\WksC read data or list archive sequential only | success or wait 1 80334D CopyFileA
onv\Winamp 5.0 (en).com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\TextConv\WksC read data or list none sequential only | success or wait 1 80334D CopyFileA
onv\Winamp 5.0 (en).com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\Kazaa read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\Kazaa read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\AFTR read data or list archive sequential only | success or wait 1 80334D CopyFileA
NOON\Winamp 5.0 (en) Crack.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\AFTR read data or list none sequential only | success or wait 1 80334D CopyFileA
NOON\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\ARCT read data or list archive sequential only | success or wait 1 80334D CopyFileA
IC\Kazaa Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\ARCT read data or list none sequential only | success or wait 1 80334D CopyFileA
IC\Kazaa Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\AXIS\Harry read data or list archive sequential only | success or wait 1 80334D CopyFileA
Potter.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\AXIS\Harry read data or list none sequential only | success or wait 1 80334D CopyFileA
Potter.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\BLEN read data or list archive sequential only | success or wait 1 80334D CopyFileA
DS\Winamp 5.0 (en) Crack.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\BLEN read data or list none sequential only | success or wait 1 80334D CopyFileA
DS\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write

C:\Program Files\Common Files\microsoft shared\THEMES14\BLUE read data or list archive sequential only | success or wait 1 80334D CopyFileA
CALM\Winamp 5.0 (en) Crack.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\BLUE read data or list none sequential only | success or wait 1 80334D CopyFileA
CALM\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\BLUE read data or list archive sequential only | success or wait 1 80334D CopyFileA
PRNT\Harry Potter.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\BLUE read data or list none sequential only | success or wait 1 80334D CopyFileA
PRNT\Harry Potter.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\BOLD read data or list archive sequential only | success or wait 1 80334D CopyFileA
STRI\Winamp 5.0 (en) Crack.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\BOLD read data or list none sequential only | success or wait 1 80334D CopyFileA
STRI\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\BREE read data or list archive sequential only | success or wait 1 80334D CopyFileA
ZE\Winamp 5.0 (en) Crack.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\BREE read data or list none sequential only | success or wait 1 80334D CopyFileA
ZE\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\CANY read data or list archive sequential only | success or wait 1 80334D CopyFileA
ON\ICQ 4 Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\CANY read data or list none sequential only | success or wait 1 80334D CopyFileA
ON\ICQ 4 Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\CAPS read data or list archive sequential only | success or wait 1 80334D CopyFileA
ULES\Winamp 5.0 (en) Crack.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\CAPS read data or list none sequential only | success or wait 1 80334D CopyFileA
ULES\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\CASC read data or list archive sequential only | success or wait 1 80334D CopyFileA
ADE\Kazaa Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\CASC read data or list none sequential only | success or wait 1 80334D CopyFileA
ADE\Kazaa Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp read attributes | normal synchronous io success or wait 1 805BA6 GetTempFileNameA
synchronize | non alert | non
generic read directory file
C:\Program Files\Common Files\microsoft shared\THEMES14\COMP read data or list archive sequential only | success or wait 1 80334D CopyFileA
ASS\Winamp 5.0 (en).com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Common Files\microsoft shared\THEMES14\COMP read data or list none sequential only | success or wait 1 80334D CopyFileA
ASS\Winamp 5.0 (en).com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\CONC read data or list archive sequential only | success or wait 1 80334D CopyFileA
RETE\WinRAR.v.3.2.and.key.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\CONC read data or list none sequential only | success or wait 1 80334D CopyFileA
RETE\WinRAR.v.3.2.and.key.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\DEEP read data or list archive sequential only | success or wait 1 80334D CopyFileA
BLUE\Harry Potter.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\DEEP read data or list none sequential only | success or wait 1 80334D CopyFileA
BLUE\Harry Potter.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\ECHO\ICQ read data or list archive sequential only | success or wait 1 80334D CopyFileA
4 Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\ECHO\ICQ read data or list none sequential only | success or wait 1 80334D CopyFileA
4 Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\ECLI read data or list archive sequential only | success or wait 1 80334D CopyFileA
PSE\WinRAR.v.3.2.and.key.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\ECLI read data or list none sequential only | success or wait 1 80334D CopyFileA
PSE\WinRAR.v.3.2.and.key.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\EDGE read data or list archive sequential only | success or wait 1 80334D CopyFileA
\Winamp 5.0 (en) Crack.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\EDGE read data or list none sequential only | success or wait 1 80334D CopyFileA
\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\EVRG read data or list archive sequential only | success or wait 1 80334D CopyFileA
REEN\Harry Potter.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\EVRG read data or list none sequential only | success or wait 1 80334D CopyFileA
REEN\Harry Potter.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\EXPE read data or list archive sequential only | success or wait 1 80334D CopyFileA
DITN\Winamp 5.0 (en) Crack.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\EXPE read data or list none sequential only | success or wait 1 80334D CopyFileA
DITN\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\ICE\ICQ 4 read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Common Files\microsoft shared\THEMES14\ICE\ICQ 4 read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\INDU read data or list archive sequential only | success or wait 1 80334D CopyFileA
ST\ICQ 4 Lite.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\INDU read data or list none sequential only | success or wait 1 80334D CopyFileA
ST\ICQ 4 Lite.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\IRIS read data or list archive sequential only | success or wait 1 80334D CopyFileA
\Winamp 5.0 (en) Crack.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\IRIS read data or list none sequential only | success or wait 1 80334D CopyFileA
\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\JOUR read data or list archive sequential only | success or wait 1 80334D CopyFileA
NAL\ICQ 4 Lite.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\JOUR read data or list none sequential only | success or wait 1 80334D CopyFileA
NAL\ICQ 4 Lite.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\LAYE read data or list archive sequential only | success or wait 1 80334D CopyFileA
RS\Winamp 5.0 (en).exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\LAYE read data or list none sequential only | success or wait 1 80334D CopyFileA
RS\Winamp 5.0 (en).exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\LEVE read data or list archive sequential only | success or wait 1 80334D CopyFileA
L\Winamp 5.0 (en).com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\LEVE read data or list none sequential only | success or wait 1 80334D CopyFileA
L\Winamp 5.0 (en).com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\NETW read data or list archive sequential only | success or wait 1 80334D CopyFileA
ORK\Winamp 5.0 (en) Crack.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\NETW read data or list none sequential only | success or wait 1 80334D CopyFileA
ORK\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\PAPY read data or list archive sequential only | success or wait 1 80334D CopyFileA
RUS\Harry Potter.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\PAPY read data or list none sequential only | success or wait 1 80334D CopyFileA
RUS\Harry Potter.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\PIXEL\ICQ read data or list archive sequential only | success or wait 1 80334D CopyFileA
4 Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Common Files\microsoft shared\THEMES14\PIXEL\ICQ read data or list none sequential only | success or wait 1 80334D CopyFileA
4 Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\PROF read data or list archive sequential only | success or wait 1 80334D CopyFileA
ILE\Harry Potter.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\PROF read data or list none sequential only | success or wait 1 80334D CopyFileA
ILE\Harry Potter.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\QUAD read data or list archive sequential only | success or wait 1 80334D CopyFileA
\Kazaa Lite.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\QUAD read data or list none sequential only | success or wait 1 80334D CopyFileA
\Kazaa Lite.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\RADI read data or list archive sequential only | success or wait 1 80334D CopyFileA
AL\index.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\RADI read data or list none sequential only | success or wait 1 80334D CopyFileA
AL\index.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\REFI read data or list archive sequential only | success or wait 1 80334D CopyFileA
NED\Kazaa Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\REFI read data or list none sequential only | success or wait 1 80334D CopyFileA
NED\Kazaa Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\RICE read data or list archive sequential only | success or wait 1 80334D CopyFileA
PAPR\index.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\RICE read data or list none sequential only | success or wait 1 80334D CopyFileA
PAPR\index.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\RIPP read data or list archive sequential only | success or wait 1 80334D CopyFileA
LE\Winamp 5.0 (en).ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\RIPP read data or list none sequential only | success or wait 1 80334D CopyFileA
LE\Winamp 5.0 (en).ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\RMNS read data or list archive sequential only | success or wait 1 80334D CopyFileA
QUE\Harry Potter.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\RMNS read data or list none sequential only | success or wait 1 80334D CopyFileA
QUE\Harry Potter.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\SATI read data or list archive sequential only | success or wait 1 80334D CopyFileA
N\Harry Potter.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Common Files\microsoft shared\THEMES14\SATI read data or list none sequential only | success or wait 1 80334D CopyFileA
N\Harry Potter.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\SKY\ICQ 4 read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\SKY\ICQ 4 read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\SLATE\ICQ read data or list archive sequential only | success or wait 1 80334D CopyFileA
4 Lite.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\SLATE\ICQ read data or list none sequential only | success or wait 1 80334D CopyFileA
4 Lite.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\SONO read data or list archive sequential only | success or wait 1 80334D CopyFileA
RA\Harry Potter.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\SONO read data or list none sequential only | success or wait 1 80334D CopyFileA
RA\Harry Potter.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\SPRI read data or list archive sequential only | success or wait 1 80334D CopyFileA
NG\Winamp 5.0 (en).exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\SPRI read data or list none sequential only | success or wait 1 80334D CopyFileA
NG\Winamp 5.0 (en).exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\STRT read data or list archive sequential only | success or wait 1 80334D CopyFileA
EDGE\Winamp 5.0 (en) Crack.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\STRT read data or list none sequential only | success or wait 1 80334D CopyFileA
EDGE\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\STUD read data or list archive sequential only | success or wait 1 80334D CopyFileA
IO\Harry Potter.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\STUD read data or list none sequential only | success or wait 1 80334D CopyFileA
IO\Harry Potter.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\SUMI read data or list archive sequential only | success or wait 1 80334D CopyFileA
PNTG\ICQ 4 Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\SUMI read data or list none sequential only | success or wait 1 80334D CopyFileA
PNTG\ICQ 4 Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\WATE read data or list archive sequential only | success or wait 1 80334D CopyFileA
R\Winamp 5.0 (en).exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Common Files\microsoft shared\THEMES14\WATE read data or list none sequential only | success or wait 1 80334D CopyFileA
R\Winamp 5.0 (en).exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\WATE read data or list archive sequential only | success or wait 1 80334D CopyFileA
RMAR\Harry Potter.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\THEMES14\WATE read data or list none sequential only | success or wait 1 80334D CopyFileA
RMAR\Harry Potter.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\index.com read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\inde read data or list none sequential only | success or wait 1 80334D CopyFileA
x.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\ARFR\Harry read data or list archive sequential only | success or wait 1 80334D CopyFileA
Potter.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\ARFR\Harry read data or list none sequential only | success or wait 1 80334D CopyFileA
Potter.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\ENES read data or list archive sequential only | success or wait 1 80334D CopyFileA
\WinRAR.v.3.2.and.key.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\ENES read data or list none sequential only | success or wait 1 80334D CopyFileA
\WinRAR.v.3.2.and.key.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\ENFR read data or list archive sequential only | success or wait 1 80334D CopyFileA
\WinRAR.v.3.2.and.key.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\ENFR read data or list none sequential only | success or wait 1 80334D CopyFileA
\WinRAR.v.3.2.and.key.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\ESEN read data or list archive sequential only | success or wait 1 80334D CopyFileA
\Winamp 5.0 (en).exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\ESEN read data or list none sequential only | success or wait 1 80334D CopyFileA
\Winamp 5.0 (en).exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\FRAR\ICQ read data or list archive sequential only | success or wait 1 80334D CopyFileA
4 Lite.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\FRAR\ICQ read data or list none sequential only | success or wait 1 80334D CopyFileA
4 Lite.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\TRANSLAT\FREN read data or list archive sequential only | success or wait 1 80334D CopyFileA
\index.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Common Files\microsoft shared\TRANSLAT\FREN read data or list none sequential only | success or wait 1 80334D CopyFileA
\index.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Triedit\index.com read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Triedit\index read data or list none sequential only | success or wait 1 80334D CopyFileA
.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Kazaa read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Kazaa read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VBA\Winamp 5.0 (en) read data or list archive sequential only | success or wait 1 80334D CopyFileA
Crack.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VBA\Winamp 5.0 (en) read data or list none sequential only | success or wait 1 80334D CopyFileA
Crack.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VBA\VBA6\ICQ 4 read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VBA\VBA6\ICQ 4 read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VBA\VBA7\Winamp 5.0 read data or list archive sequential only | success or wait 1 80334D CopyFileA
(en).exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VBA\VBA7\Winamp 5.0 read data or list none sequential only | success or wait 1 80334D CopyFileA
(en).exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VBA\VBA7\1033\ICQ 4 read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VBA\VBA7\1033\ICQ 4 read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VC\Kazaa Lite read data or list archive sequential only | success or wait 1 80334D CopyFileA
.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VC\Kazaa Lite read data or list none sequential only | success or wait 1 80334D CopyFileA
.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VGX\WinRAR.v. read data or list archive sequential only | success or wait 1 80334D CopyFileA
3.2.and.key.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Common Files\microsoft shared\VGX\WinRAR.v. read data or list none sequential only | success or wait 1 80334D CopyFileA
3.2.and.key.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\WinRAR.v read data or list archive sequential only | success or wait 1 80334D CopyFileA
.3.2.and.key.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\WinRAR.v read data or list none sequential only | success or wait 1 80334D CopyFileA
.3.2.and.key.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoD read data or list archive sequential only | success or wait 1 80334D CopyFileA
ocument\ICQ 4 Lite.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoD read data or list none sequential only | success or wait 1 80334D CopyFileA
ocument\ICQ 4 Lite.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoD read data or list archive sequential only | success or wait 1 80334D CopyFileA
ocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Kazaa directory | read synchronous io
Lite.com attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoD read data or list none sequential only | success or wait 1 80334D CopyFileA
ocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Kazaa directory | synchronous io
Lite.com\:Zone.Identifier:$DATA synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline read data or list archive sequential only | success or wait 1 80334D CopyFileA
.v10.0\ICQ 4 Lite.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline read data or list none sequential only | success or wait 1 80334D CopyFileA
.v10.0\ICQ 4 Lite.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline read data or list archive sequential only | success or wait 1 80334D CopyFileA
.v10.0\AddInSideAdapters\Harry Potter.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline read data or list none sequential only | success or wait 1 80334D CopyFileA
.v10.0\AddInSideAdapters\Harry Potter.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline read data or list archive sequential only | success or wait 1 80334D CopyFileA
.v10.0\AddInViews\WinRAR.v.3.2.and.key.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline read data or list none sequential only | success or wait 1 80334D CopyFileA
.v10.0\AddInViews\WinRAR.v.3.2.and.key.ShareReactor.com\:Zon directory | synchronous io
e.Identifier:$DATA synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline read data or list archive sequential only | success or wait 1 80334D CopyFileA
.v10.0\Contracts\ICQ 4 Lite.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline read data or list none sequential only | success or wait 1 80334D CopyFileA
.v10.0\Contracts\ICQ 4 Lite.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline read data or list archive sequential only | success or wait 1 80334D CopyFileA
.v10.0\HostSideAdapters\WinRAR.v.3.2.and.key.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline read data or list none sequential only | success or wait 1 80334D CopyFileA
.v10.0\HostSideAdapters\WinRAR.v.3.2.and.key.ShareReactor.co directory | synchronous io
m\:Zone.Identifier:$DATA synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VSTO\Winamp 5.0 (en) read data or list archive sequential only | success or wait 1 80334D CopyFileA
Crack.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VSTO\Winamp 5.0 (en) read data or list none sequential only | success or wait 1 80334D CopyFileA
Crack.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\ICQ 4 read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\ICQ 4 read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\ICQ 4 read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\ICQ 4 read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Web Folders\Winamp read data or list archive sequential only | success or wait 1 80334D CopyFileA
5.0 (en).ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Web Folders\Winamp read data or list none sequential only | success or wait 1 80334D CopyFileA
5.0 (en).ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Web Folders\1033\ICQ read data or list archive sequential only | success or wait 1 80334D CopyFileA
4 Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Web Folders\1033\ICQ read data or list none sequential only | success or wait 1 80334D CopyFileA
4 Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Web Server Ex read data or list archive sequential only | success or wait 1 80334D CopyFileA
tensions\WinRAR.v.3.2.and.key.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Web Server Ex read data or list none sequential only | success or wait 1 80334D CopyFileA
tensions\WinRAR.v.3.2.and.key.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Web Server Ex read data or list archive sequential only | success or wait 1 80334D CopyFileA
tensions\14\index.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Web Server Ex read data or list none sequential only | success or wait 1 80334D CopyFileA
tensions\14\index.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Web Server Ex read data or list archive sequential only | success or wait 1 80334D CopyFileA
tensions\14\BIN\index.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Common Files\microsoft shared\Web Server Ex read data or list none sequential only | success or wait 1 80334D CopyFileA
tensions\14\BIN\index.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Common Files\microsoft shared\Web Server Ex read data or list archive sequential only | success or wait 1 80334D CopyFileA
tensions\14\BIN\1033\Winamp 5.0 (en).com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Common Files\microsoft shared\Web Server Ex read data or list none sequential only | success or wait 1 80334D CopyFileA
tensions\14\BIN\1033\Winamp 5.0 (en).com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\index.ShareReactor.com read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\index.ShareReactor.com\:Zo read data or list none sequential only | success or wait 1 80334D CopyFileA
ne.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Harry Potter.com read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Harry Potter.com read data or list none sequential only | success or wait 1 80334D CopyFileA
\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\Kazaa Lite.com read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\Kazaa Li read data or list none sequential only | success or wait 1 80334D CopyFileA
te.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\index.exe read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\index.e read data or list none sequential only | success or wait 1 80334D CopyFileA
xe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\WinRAR. read data or list archive sequential only | success or wait 1 80334D CopyFileA
v.3.2.and.key.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\WinRAR. read data or list none sequential only | success or wait 1 80334D CopyFileA
v.3.2.and.key.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Full\WinRAR.v.3. read data or list archive sequential only | success or wait 1 80334D CopyFileA
2.and.key.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Full\WinRAR.v.3. read data or list none sequential only | success or wait 1 80334D CopyFileA
2.and.key.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\Kazaa L read data or list archive sequential only | success or wait 1 80334D CopyFileA
ite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\Kazaa L read data or list none sequential only | success or wait 1 80334D CopyFileA
ite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\Kazaa read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\Kazaa read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Harry P read data or list archive sequential only | success or wait 1 80334D CopyFileA
otter.exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Harry P read data or list none sequential only | success or wait 1 80334D CopyFileA
otter.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\ICQ 4 Lit read data or list archive sequential only | success or wait 1 80334D CopyFileA
e.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\ICQ 4 Lit read data or list none sequential only | success or wait 1 80334D CopyFileA
e.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Winamp 5.0 read data or list archive sequential only | success or wait 1 80334D CopyFileA
(en).com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Winamp 5.0 read data or list none sequential only | success or wait 1 80334D CopyFileA
(en).com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\WinRAR.v.3. read data or list archive sequential only | success or wait 1 80334D CopyFileA
2.and.key.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\WinRAR.v.3. read data or list none sequential only | success or wait 1 80334D CopyFileA
2.and.key.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Push\Winamp 5.0 (en) read data or list archive sequential only | success or wait 1 80334D CopyFileA
Crack.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Push\Winamp 5.0 (en) read data or list none sequential only | success or wait 1 80334D CopyFileA
Crack.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Kazaa read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Kazaa read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Winamp read data or list archive sequential only | success or wait 1 80334D CopyFileA
5.0 (en).exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Winamp read data or list none sequential only | success or wait 1 80334D CopyFileA
5.0 (en).exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\Harry Potter.com read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\Harry Po read data or list none sequential only | success or wait 1 80334D CopyFileA
tter.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\ICQ 4 read data or list archive sequential only | success or wait 1 80334D CopyFileA
Lite.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\ICQ 4 read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Harry Potter.com read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Harry Pot read data or list none sequential only | success or wait 1 80334D CopyFileA
ter.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\Winamp 5.0 read data or list archive sequential only | success or wait 1 80334D CopyFileA
(en).exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\Winamp 5.0 read data or list none sequential only | success or wait 1 80334D CopyFileA
(en).exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\ICQ 4 Lite.exe read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\ICQ 4 Lit read data or list none sequential only | success or wait 1 80334D CopyFileA
e.exe\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\Kazaa Lite.com read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\Kazaa read data or list none sequential only | success or wait 1 80334D CopyFileA
Lite.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\Winamp 5.0 read data or list archive sequential only | success or wait 1 80334D CopyFileA
(en).ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\Winamp 5.0 read data or list none sequential only | success or wait 1 80334D CopyFileA
(en).ShareReactor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Google\Update\Download\Kazaa Lite.ShareReactor.com read data or list archive sequential only | success or wait 1 80334D CopyFileA
directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write

C:\Program Files\Google\Update\Download\Kazaa Lite.ShareReac read data or list none sequential only | success or wait 1 80334D CopyFileA
tor.com\:Zone.Identifier:$DATA directory | synchronous io
synchronize | non alert
generic write
C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1- read data or list archive sequential only | success or wait 1 80334D CopyFileA
A69D9E530F96}\WinRAR.v.3.2.and.key.ShareReactor.com directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1- read data or list none sequential only | success or wait 1 80334D CopyFileA
A69D9E530F96}\WinRAR.v.3.2.and.key.ShareReactor.com\:Zo directory | synchronous io
ne.Identifier:$DATA synchronize | non alert
generic write
C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1- read data or list archive sequential only | success or wait 1 80334D CopyFileA
A69D9E530F96}\60.0.3112.90\Winamp 5.0 (en).exe directory | read synchronous io
attributes | non alert | non
delete | syn directory file
chronize |
generic write
C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1- read data or list none sequential only | success or wait 1 80334D CopyFileA
A69D9E530F96}\60.0.3112.90\Winamp 5.0 (en).exe\:Zone.Id directory | synchronous io
entifier:$DATA synchronize | non alert
generic write

File Deleted

Source
File Path Completion Count Address Symbol
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp success or wait 1 805D08 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp success or wait 1 806413 DeleteFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp success or wait 1 806413 DeleteFileA

File Written

Source
File Path Offset Length Value Ascii Completion Count Address Symbol

C:\Users\HERBBL~1\AppData\Local\Temp\uheknclgts.txt unknown 4096 50 4f 6c 30 39 bb 8e 5f POl09.._U..c9..L9..C9...9... success or wait 4 807519 fwrite
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp unknown 4 c0 a8 02 02 .... success or wait 4633 807C00 WriteFile

C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp unknown 4 c0 a8 02 02 .... success or wait 1 807C66 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp unknown 30 50 4b 03 04 0a 00 00 00 00 00 c7 52 da 30 e0 98 65 08 68 9a 00 00 68 9a 00 00 e9 00 00 00 PK.........R.0..e.h...h....... success or wait 1 805440 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp unknown 4 c0 a8 02 02 .... success or wait 4633 807C00 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp unknown 233 74 65 78 74 2e 68 74 6d [221 x 20] 2e 73 63 72 text.htm [221 spaces] .scr success or wait 1 805453 WriteFile

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp unknown 1024 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 39 805485 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp unknown 46 50 4b 01 02 14 00 0a 00 00 00 00 00 c7 52 da 30 e0 98 65 08 68 9a 00 00 68 9a 00 00 e9 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 PK...........R.0..e.h...h.............. ....... success or wait 1 8054DA WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp unknown 233 74 65 78 74 2e 68 74 6d [221 x 20] 2e 73 63 72 text.htm [221 spaces] .scr success or wait 1 8054ED WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp unknown 22 50 4b 05 06 00 00 00 00 01 00 01 00 17 01 00 00 6f 9b 00 00 00 00 PK..............o..... success or wait 1 80552E WriteFile

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 805B6B CopyFileA

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 805A73 CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 805A73 CopyFileA

C:\Program Files\Common Files\microsoft shared\index.com 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\index.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 805A73 CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 805A73 CopyFileA

C:\Program Files\Common Files\microsoft shared\DAO\Harry Potter.com 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp unknown 4 c0 a8 02 02 .... success or wait 1 807C66 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp unknown 4 c0 a8 02 02 .... success or wait 4633 807C00 WriteFile
C:\Program Files\Common Files\microsoft shared\DAO\Harry Potter.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp unknown 30 50 4b 03 04 0a 00 00 00 00 00 c8 52 da 30 e0 98 65 08 68 9a 00 00 68 9a 00 00 76 00 00 00 PK.........R.0..e.h...h...v... success or wait 1 805440 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp unknown 118 74 72 61 6e 73 63 72 transcript.htm success or wait 1 805453 WriteFile
69 70 74 2e 68 74 6d .scr

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp unknown 1024 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 39 805485 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 805B6B CopyFileA

C:\Program Files\Common Files\microsoft shared\DW\Winamp 5.0 (en).exe 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\DW\Winamp 5.0 (en).exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp unknown 46 50 4b 01 02 14 00 0a 00 00 00 00 00 c8 52 da 30 e0 98 65 08 68 9a 00 00 68 9a 00 00 76 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 PK...........R.0..e.h...h...v......... ....... success or wait 1 8054DA WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp unknown 118 74 72 61 6e 73 63 72 transcript.htm success or wait 1 8054ED WriteFile
69 70 74 2e 68 74 6d .scr
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp unknown 22 50 4b 05 06 00 00 00 00 01 00 01 00 a4 00 00 00 fc 9a 00 00 00 00 PK.................... success or wait 1 80552E WriteFile

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 805B6B CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 805B6B CopyFileA
C:\Program Files\Common Files\microsoft shared\EQUATION\Kazaa Lite.exe 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\EQUATION\Kazaa Lite.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\EQUATION\1033\ICQ 4 Lite.exe 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\EQUATION\1033\ICQ 4 Lite.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\EURO\Winamp 5.0 (en).com 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\EURO\Winamp 5.0 (en).com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\Filters\Kazaa Lite.ShareReactor.com 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Filters\Kazaa Lite.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\GRPHFLT\index.exe 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\GRPHFLT\index.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\Help\ICQ 4 Lite.exe 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\ICQ 4 Lite.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1028\ICQ 4 Lite.ShareReactor.com 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1028\ICQ 4 Lite.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\Help\1031\ICQ 4 Lite.exe 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1031\ICQ 4 Lite.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1033\Kazaa Lite.ShareReactor.com 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1033\Kazaa Lite.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\Help\1036\Harry Potter.ShareReactor.com 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1036\Harry Potter.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1040\Winamp 5.0 (en).ShareReactor.com 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1040\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\Help\1041\index.com 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1041\ind 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ex.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\Help\1042\Kazaa Lite.exe 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
cd 21 b8 01 4c cd 21
54 68 69 73 20 70 72
6f 67 72 61 6d 20 63
61 6e 6e 6f 74 20 62
65 20 72 75 6e 20 69
6e 20 44 4f 53 20 6d
6f 64 65 2e 0d 0d 0a
24 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00
50 45 00 00 4c 01 03
00 00 00 00 00 00 00
00 00 00 00 00 00 e0
00 0f
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\Help\1042\Kazaa Lite.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\Help\1046\ICQ 4 Lite.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1046\ICQ 4 Lite.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1049\Harry Potter.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\1049\Harry Potter.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\Help\2052\Winamp 5.0 (en).exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\2052\Winamp 5.0 (en).exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\3082\Winamp 5.0 (en) Crack.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Help\3082\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\ink\Kazaa Lite.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\Kazaa Lite.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\1.0\WinRAR.v.3.2.and.key.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\1.0\WinRAR.v.3.2.and.key.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\ink\1.7\Harry Potter.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\1.7\Harry Potter.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\ICQ 4 Lite.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\ICQ 4 Lite.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\ink\bg-BG\Harry Potter.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\Harry Potter.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\WinRAR.v.3.2.and.key.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\WinRAR.v.3.2.and.key.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\ink\da-DK\index.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\da-DK\index.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp unknown 4 c0 a8 02 02 .... success or wait 1 807C66 WriteFile
C:\Program Files\Common Files\microsoft shared\ink\de-DE\ICQ 4 Lite.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp unknown 4 c0 a8 02 02 .... success or wait 4633 807C00 WriteFile
C:\Program Files\Common Files\microsoft shared\ink\de-DE\ICQ 4 Lite.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp unknown 30 50 4b 03 04 0a 00 00 00 00 00 ca 52 da 30 e0 98 65 08 68 9a 00 00 68 9a 00 00 99 00 00 00 PK.........R.0..e.h...h....... success or wait 1 805440 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp unknown 153 file.doc                    .pif success or wait 1 805453 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp unknown 1024 success or wait 39 805485 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp unknown 46 50 4b 01 02 14 00 0a 00 00 00 00 00 ca 52 da 30 e0 98 65 08 68 9a 00 00 68 9a 00 00 99 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 PK...........R.0..e.h...h............. ....... success or wait 1 8054DA WriteFile

C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp unknown 153 file.doc                    .pif success or wait 1 8054ED WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp unknown 22 50 4b 05 06 00 00 00 00 01 00 01 00 c7 00 00 00 1f 9b 00 00 00 00 PK.................... success or wait 1 80552E WriteFile
C:\Program Files\Common Files\microsoft shared\ink\el-GR\Winamp 5.0 (en) Crack.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\el-GR\Winamp 5.0 (en) Crack.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\ink\en-US\Winamp 5.0 (en).ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\en-US\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\es-ES\ICQ 4 Lite.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\es-ES\ICQ 4 Lite.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\ink\et-EE\WinRAR.v.3.2.and.key.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\et-EE\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Winamp 5.0 (en) Crack.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ind 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ex.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ind 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ex.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ions\Harry Potter.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ions\Harry Potter.ShareReactor.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ions\auxpad\Harry Potter.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ions\auxpad\Harry Potter.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ions\keypad\index.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ions\keypad\index.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ions\main\index.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ions\main\index.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ions\numbers\Harry Potter.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ions\numbers\Harry Potter.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ions\oskmenu\WinRAR.v.3.2.and.key.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ions\oskmenu\WinRAR.v.3.2.and.key.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ions\osknumpad\Kazaa Lite.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ions\osknumpad\Kazaa Lite.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ions\oskpred\Harry Potter.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ions\oskpred\Harry Potter.ShareReactor.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ions\symbols\Winamp 5.0 (en).com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ions\symbols\Winamp 5.0 (en).com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ions\web\WinRAR.v.3.2.and.key.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\fsdefinit 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ions\web\WinRAR.v.3.2.and.key. 61 6e 73 66 65 72 5d
ShareReactor.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp unknown 4 c0 a8 02 02 .... success or wait 1 807C66 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp unknown 4 c0 a8 02 02 .... success or wait 4633 807C00 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp unknown 30 50 4b 03 04 0a 00 00 PK.........R.0..e.h...h....... success or wait 1 805440 WriteFile
00 00 00 cb 52 da 30
e0 98 65 08 68 9a 00
00 68 9a 00 00 0b 00
00 00
C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp unknown 11 6d 65 73 73 61 67 65 message.scr success or wait 1 805453 WriteFile
2e 73 63 72

C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp unknown 1024 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 39 805485 WriteFile
C:\Program Files\Common Files\microsoft shared\ink\he-IL\Win 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\he-IL\Win 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp unknown 46 50 4b 01 02 14 00 0a PK...........R.0..e.h...h..... success or wait 1 8054DA WriteFile
00 00 00 00 00 cb 52 ........ .......
da 30 e0 98 65 08 68
9a 00 00 68 9a 00 00
0b 00 00 00 00 00 00
00 00 00 20 00 00 00
00 00 00 00

C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp unknown 11 6d 65 73 73 61 67 65 message.scr success or wait 1 8054ED WriteFile
2e 73 63 72
C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp unknown 22 50 4b 05 06 00 00 00 PK..........9......... success or wait 1 80552E WriteFile
00 01 00 01 00 39 00
00 00 91 9a 00 00 00
00
C:\Program Files\Common Files\microsoft shared\ink\hr-HR\Win 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
amp 5.0 (en).com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\hr-HR\Win 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
amp 5.0 (en).com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\hu-HU\ind 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ex.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................

C:\Program Files\Common Files\microsoft shared\ink\hu-HU\ind 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ex.ShareReactor.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\ink\HWRCustomization\Harry Potter.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\ink\HWRCustomization\Harry Potter.ShareReac 61 6e 73 66 65 72 5d
tor.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\it-IT\ICQ 4 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Lite.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\it-IT\ICQ 4 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Lite.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Kaz 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
aa Lite.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Kaz 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
aa Lite.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\ko-KR\Win 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
amp 5.0 (en).com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\ko-KR\Win 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
amp 5.0 (en).com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\lt-LT\ICQ 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
4 Lite.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\lt-LT\ICQ 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
4 Lite.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\lv-LV\Win 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\lv-LV\Win 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\nb- 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
NO\WinRAR.v.3.2.and.key.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\nb- 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
NO\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\nl-NL\Win 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\nl-NL\Win 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Win 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
amp 5.0 (en) Crack.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Win 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
amp 5.0 (en) Crack.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Har 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ry Potter.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Har 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ry Potter.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\pt-PT\Win 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\pt-PT\Win 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
RAR.v.3.2.and.key.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\ro-RO\ind 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ex.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\ro-RO\ind 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ex.ShareReactor.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Har 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ry Potter.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Har 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ry Potter.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Har 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ry Potter.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Har 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ry Potter.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\sl-SI\ICQ 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
4 Lite.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\sl-SI\ICQ 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
4 Lite.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-C 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
S\Harry Potter.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-C 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
S\Harry Potter.ShareReactor.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp unknown 4 c0 a8 02 02 .... success or wait 1 807C66 WriteFile

C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp unknown 30 50 4b 03 04 0a 00 00 PK.........R.0..e.h...h....... success or wait 1 805440 WriteFile
00 00 00 cd 52 da 30
e0 98 65 08 68 9a 00
00 68 9a 00 00 ca 00
00 00
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp unknown 4 c0 a8 02 02 .... success or wait 4633 807C00 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp unknown 202 2e 64 6f 63 20 20 20 .doc success or wait 1 805453 WriteFile
20 20 2e 73 63 72
C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp unknown 1024 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 39 805485 WriteFile
00 04 00 00 00 ff ff 00 ..............................

C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Har 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ry Potter.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Har 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ry Potter.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp unknown 46 50 4b 01 02 14 00 0a PK...........R.0..e.h...h..... success or wait 1 8054DA WriteFile
00 00 00 00 00 cd 52 ........ .......
da 30 e0 98 65 08 68
9a 00 00 68 9a 00 00
ca 00 00 00 00 00 00
00 00 00 20 00 00 00
00 00 00 00
C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp unknown 202 2e 64 6f 63 20 20 20 .doc success or wait 1 8054ED WriteFile
20 20 2e 73 63 72
C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp unknown 22 50 4b 05 06 00 00 00 PK..............P..... success or wait 1 80552E WriteFile
00 01 00 01 00 f8 00
00 00 50 9b 00 00 00
00

C:\Program Files\Common Files\microsoft shared\ink\th-TH\ICQ 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
4 Lite.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\th-TH\ICQ 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
4 Lite.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Win 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
amp 5.0 (en).ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Win 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
amp 5.0 (en).ShareReactor.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\uk-UA\Win 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
amp 5.0 (en).com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\uk-UA\Win 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
amp 5.0 (en).com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\ink\zh-CN\Har 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
ry Potter.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\zh-CN\Har 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
ry Potter.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\ink\zh- 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
TW\Winamp 5.0 (en) Crack.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\ink\zh- 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
TW\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\MSEnv\ICQ 4 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Lite.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\MSEnv\ICQ 4 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Lite.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\MSEnv\PublicAssemblies\Winamp 5.0 (en).com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\MSEnv\PublicAssemblies\Winamp 5.0 (en).com: 61 6e 73 66 65 72 5d
Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\MSInfo\WinRAR.v.3.2.and.key.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\MSInfo\WinRAR.v.3.2.and.key.ShareReactor.co 61 6e 73 66 65 72 5d
m:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\MSInfo\en- 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
US\WinRAR.v.3.2.and.key.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\MSInfo\en- 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
US\WinRAR.v.3.2.and.key.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\OFFICE14\WinRAR.v.3.2.and.key.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\OFFICE14\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\OFFICE14\1033\index.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\1033\index.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\Winamp 5.0 (en).com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\Winamp 5.0 (en).com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Winamp 5.0 (en) Crack.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Winamp 5.0 (en) Crack.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\Harry Potter.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\Harry Potter.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\Winamp 5.0 (en).exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\Winamp 5.0 (en).exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\Harry Potter.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\Harry Potter.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\index.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\index.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\ICQ 4 Lite.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\ICQ 4 Lite.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\Harry Potter.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\Harry Potter.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\WinRAR.v.3.2.and.key.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\WinRAR.v.3.2.and.key.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\Winamp 5.0 (en) Crack.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\Kazaa Lite.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\Kazaa Lite.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Winamp 5.0 (en).ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp unknown 4 c0 a8 02 02 .... success or wait 1 807C66 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp unknown 30 50 4b 03 04 0a 00 00 00 00 00 cf 52 da 30 e0 98 65 08 68 9a 00 00 68 9a 00 00 e0 00 00 00 PK.........R.0..e.h...h....... success or wait 1 805440 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp unknown 224 .doc .pif success or wait 1 805453 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp unknown 4 c0 a8 02 02 .... success or wait 4633 807C00 WriteFile

C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp unknown 1024 success or wait 39 805485 WriteFile
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\index.com 0 39538 success or wait 1 80334D CopyFileA
C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp unknown 46 50 4b 01 02 14 00 0a 00 00 00 00 00 cf 52 da 30 e0 98 65 08 68 9a 00 00 68 9a 00 00 e0 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 PK...........R.0..e.h...h............. ....... success or wait 1 8054DA WriteFile

C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp unknown 224 .doc .pif success or wait 1 8054ED WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp unknown 22 50 4b 05 06 00 00 00 00 01 00 01 00 0e 01 00 00 66 9b 00 00 00 00 PK..............f..... success or wait 1 80552E WriteFile
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\index.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\SingleImage\index.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\SingleImage\index.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\Kazaa Lite.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\Kazaa Lite.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Winamp 5.0 (en).ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\Portal\WinRAR.v.3.2.and.key.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Portal\WinRAR.v.3.2.and.key.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Portal\1033\W 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
inamp 5.0 (en) Crack.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\Portal\1033\W 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
inamp 5.0 (en) Crack.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\PROOF\index.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\PROOF\index.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\Smart 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Tag\Winamp 5.0 (en) Crack.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\Smart 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Tag\Winamp 5.0 (en) Crack.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\Smart 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Tag\1033\ICQ 4 Lite.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\Smart 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Tag\1033\ICQ 4 Lite.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\Smart 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Tag\LISTS\Harry Potter.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\Smart 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Tag\LISTS\Harry Potter.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\Smart 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Tag\LISTS\1033\Harry Potter.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\Smart 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Tag\LISTS\1033\Harry Potter.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\Source 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Engine\Winamp 5.0 (en).com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\Source 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Engine\Winamp 5.0 (en).com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\Stationery\Ka 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
zaa Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\Stationery\Ka 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
zaa Lite.ShareReactor.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\TextConv\index.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\TextConv\index.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\TextConv\en- 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
US\ICQ 4 Lite.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\TextConv\en- 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
US\ICQ 4 Lite.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\TextConv\WksConv\Winamp 5.0 (en).com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\TextConv\WksConv\Winamp 5.0 (en).com:Zone.I 61 6e 73 66 65 72 5d
dentifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\Kazaa Lite.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\Kazaa Lite.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\AFTRNOON\Winamp 5.0 (en) Crack.Sha 00 04 00 00 00 ff ff 00 ..............................
reReactor.com 00 b8 00 00 00 00 00 ............!..L.!This program
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\AFTRNOON\Winamp 5.0 (en) Crack.Sha 61 6e 73 66 65 72 5d
reReactor.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\ARCTIC\Kazaa Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\ARCTIC\Kazaa Lite.ShareReactor.com 61 6e 73 66 65 72 5d
:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\AXIS\Harry Potter.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\AXIS\Harry Potter.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\BLENDS\Winamp 5.0 (en) Crack.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\BLENDS\Winamp 5.0 (en) Crack.exe:Z 61 6e 73 66 65 72 5d
one.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\BLUECALM\Winamp 5.0 (en) Crack.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\BLUECALM\Winamp 5.0 (en) Crack.com 61 6e 73 66 65 72 5d
:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\BLUEPRNT\Harry Potter.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\BLUEPRNT\Harry Potter.com:Zone.Ide 61 6e 73 66 65 72 5d
ntifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\BOLDSTRI\Winamp 5.0 (en) Crack.Sha 00 04 00 00 00 ff ff 00 ..............................
reReactor.com 00 b8 00 00 00 00 00 ............!..L.!This program
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\BOLDSTRI\Winamp 5.0 (en) Crack.Sha 61 6e 73 66 65 72 5d
reReactor.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\BREEZE\Winamp 5.0 (en) Crack.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\BREEZE\Winamp 5.0 (en) Crack.com:Z 61 6e 73 66 65 72 5d
one.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\CANYON\ICQ 4 Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\CANYON\ICQ 4 Lite.ShareReactor.com 61 6e 73 66 65 72 5d
:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\CAPSULES\Winamp 5.0 (en) Crack.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\CAPSULES\Winamp 5.0 (en) Crack.exe 61 6e 73 66 65 72 5d
:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\CASCADE\Kazaa Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp unknown 4 c0 a8 02 02 .... success or wait 1 807C66 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp unknown 30 50 4b 03 04 0a 00 00 PK.........R.0..e.h...h....... success or wait 1 805440 WriteFile
00 00 00 d1 52 da 30
e0 98 65 08 68 9a 00
00 68 9a 00 00 08 00
00 00
C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp unknown 8 4b 49 4b 57 2e 53 43 KIKW.SCR success or wait 1 805453 WriteFile
52
C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp unknown 1024 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 39 805485 WriteFile
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\CASCADE\Kazaa Lite.ShareReactor.co 61 6e 73 66 65 72 5d
m:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp unknown 4 c0 a8 02 02 .... success or wait 4633 807C00 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp unknown 46 50 4b 01 02 14 00 0a PK...........R.0..e.h...h..... success or wait 1 8054DA WriteFile
00 00 00 00 00 d1 52 ........ .......
da 30 e0 98 65 08 68
9a 00 00 68 9a 00 00
08 00 00 00 00 00 00
00 00 00 20 00 00 00
00 00 00 00
C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp unknown 8 4b 49 4b 57 2e 53 43 KIKW.SCR success or wait 1 8054ED WriteFile
52
C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp unknown 22 50 4b 05 06 00 00 00 PK..........6......... success or wait 1 80552E WriteFile
00 01 00 01 00 36 00
00 00 8e 9a 00 00 00
00

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\COMPASS\Winamp 5.0 (en).com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\COMPASS\Winamp 5.0 (en).com:Zone.I 61 6e 73 66 65 72 5d
dentifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\CONCRETE\WinRAR.v.3.2.and.key.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\CONCRETE\WinRAR.v.3.2.and.key.exe: 61 6e 73 66 65 72 5d
Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\DEEPBLUE\Harry Potter.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\DEEPBLUE\Harry Potter.com:Zone.Ide 61 6e 73 66 65 72 5d
ntifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\ECHO\ICQ 4 Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\ECHO\ICQ 4 Lite.ShareReactor.com:Z 61 6e 73 66 65 72 5d
one.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\ECLIPSE\WinRAR.v.3.2.and.key.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\ECLIPSE\WinRAR.v.3.2.and.key.exe:Z 61 6e 73 66 65 72 5d
one.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\EDGE\Winamp 5.0 (en) Crack.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\EDGE\Winamp 5.0 (en) Crack.com:Zon 61 6e 73 66 65 72 5d
e.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\EVRGREEN\Harry Potter.ShareReactor 00 04 00 00 00 ff ff 00 ..............................
.com 00 b8 00 00 00 00 00 ............!..L.!This program
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\EVRGREEN\Harry Potter.ShareReactor 61 6e 73 66 65 72 5d
.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\EXPEDITN\Winamp 5.0 (en) Crack.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\EXPEDITN\Winamp 5.0 (en) Crack.com 61 6e 73 66 65 72 5d
:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\ICE\ICQ 4 Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\ICE\ICQ 4 Lite.ShareReactor.com:Zo 61 6e 73 66 65 72 5d
ne.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\INDUST\ICQ 4 Lite.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\INDUST\ICQ 4 Lite.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\IRIS\Winamp 5.0 (en) Crack.ShareRe 00 04 00 00 00 ff ff 00 ..............................
actor.com 00 b8 00 00 00 00 00 ............!..L.!This program
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\IRIS\Winamp 5.0 (en) Crack.ShareRe 61 6e 73 66 65 72 5d
actor.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\JOURNAL\ICQ 4 Lite.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\JOURNAL\ICQ 4 Lite.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\LAYERS\Winamp 5.0 (en).exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\LAYERS\Winamp 5.0 (en).exe:Zone.Id 61 6e 73 66 65 72 5d
entifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\LEVEL\Winamp 5.0 (en).com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\LEVEL\Winamp 5.0 (en).com:Zone.Ide 61 6e 73 66 65 72 5d
ntifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\NETWORK\Winamp 5.0 (en) Crack.Shar 00 04 00 00 00 ff ff 00 ..............................
eReactor.com 00 b8 00 00 00 00 00 ............!..L.!This program
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\NETWORK\Winamp 5.0 (en) Crack.Shar 61 6e 73 66 65 72 5d
eReactor.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\PAPYRUS\Harry Potter.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\PAPYRUS\Harry Potter.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\PIXEL\ICQ 4 Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\PIXEL\ICQ 4 Lite.ShareReactor.com: 61 6e 73 66 65 72 5d
Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp unknown 4 c0 a8 02 02 .... success or wait 1 807C66 WriteFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp unknown 4 c0 a8 02 02 .... success or wait 4633 807C00 WriteFile
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\PROFILE\Harry Potter.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\PROFILE\Harry Potter.ShareReactor. 61 6e 73 66 65 72 5d
com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\QUAD\Kazaa Lite.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\QUAD\Kazaa Lite.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\RADIAL\index.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\RADIAL\index.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\REFINED\Kazaa Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\REFINED\Kazaa Lite.ShareReactor.co 61 6e 73 66 65 72 5d
m:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\RICEPAPR\index.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\RICEPAPR\index.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\RIPPLE\Winamp 5.0 (en).ShareReacto 00 04 00 00 00 ff ff 00 ..............................
r.com 00 b8 00 00 00 00 00 ............!..L.!This program
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\RIPPLE\Winamp 5.0 (en).ShareReacto 61 6e 73 66 65 72 5d
r.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\RMNSQUE\Harry Potter.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\RMNSQUE\Harry Potter.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\SATIN\Harry Potter.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\SATIN\Harry Potter.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\SKY\ICQ 4 Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\SKY\ICQ 4 Lite.ShareReactor.com:Zo 61 6e 73 66 65 72 5d
ne.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\SLATE\ICQ 4 Lite.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\SLATE\ICQ 4 Lite.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\SONORA\Harry Potter.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\SONORA\Harry Potter.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\SPRING\Winamp 5.0 (en).exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\SPRING\Winamp 5.0 (en).exe:Zone.Id 61 6e 73 66 65 72 5d
entifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\STRTEDGE\Winamp 5.0 (en) Crack.Sha 00 04 00 00 00 ff ff 00 ..............................
reReactor.com 00 b8 00 00 00 00 00 ............!..L.!This program
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\STRTEDGE\Winamp 5.0 (en) Crack.Sha 61 6e 73 66 65 72 5d
reReactor.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\STUDIO\Harry Potter.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\STUDIO\Harry Potter.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\SUMIPNTG\ICQ 4 Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\SUMIPNTG\ICQ 4 Lite.ShareReactor.c 61 6e 73 66 65 72 5d
om:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\WATER\Winamp 5.0 (en).exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\WATER\Winamp 5.0 (en).exe:Zone.Ide 61 6e 73 66 65 72 5d
ntifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\THEMES14\WATERMAR\Harry Potter.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\THEMES14\WATERMAR\Harry Potter.com:Zone.Ide 61 6e 73 66 65 72 5d
ntifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\TRANSLAT\index.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\TRANSLAT\index.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\TRANSLAT\ARFR\Harry Potter.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\TRANSLAT\ARFR\Harry Potter.ShareReactor.com 61 6e 73 66 65 72 5d
:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp unknown 4 c0 a8 02 02 .... success or wait 1 807C66 WriteFile

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\TRANSLAT\ENES\WinRAR.v.3.2.and.key.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\TRANSLAT\ENES\WinRAR.v.3.2.and.key.exe:Zone 61 6e 73 66 65 72 5d
.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\TRANSLAT\ENFR\WinRAR.v.3.2.and.key.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\TRANSLAT\ENFR\WinRAR.v.3.2.and.key.com:Zone 61 6e 73 66 65 72 5d
.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\TRANSLAT\ESEN\Winamp 5.0 (en).exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\TRANSLAT\ESEN\Winamp 5.0 (en).exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\TRANSLAT\FRAR\ICQ 4 Lite.com 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
shared\TRANSLAT\FRAR\ICQ 4 Lite.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
shared\TRANSLAT\FREN\index.exe 00 04 00 00 00 ff ff 00 ..............................
C:\Program Files\Common Files\microsoft shared\TRANSLAT\FREN\index.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Triedit\index.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Triedit\index.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Kazaa Lite.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Kazaa Lite.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VBA\Winamp 5.0 (en) Crack.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VBA\Winamp 5.0 (en) Crack.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\VBA\VBA6\ICQ 4 Lite.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VBA\VBA6\ICQ 4 Lite.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VBA\VBA7\Winamp 5.0 (en).exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VBA\VBA7\Winamp 5.0 (en).exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\VBA\VBA7\1033\ICQ 4 Lite.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VBA\VBA7\1033\ICQ 4 Lite.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VC\Kazaa Lite.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VC\Kazaa Lite.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\VGX\WinRAR.v.3.2.and.key.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VGX\WinRAR.v.3.2.and.key.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTA\WinRAR.v.3.2.and.key.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTA\WinRAR.v.3.2.and.key.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoDocument\ICQ 4 Lite.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoDocument\ICQ 4 Lite.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Kazaa Lite.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Kazaa Lite.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\ICQ 4 Lite.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\ICQ 4 Lite.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Harry Potter.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Harry Potter.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\WinRAR.v.3.2.and.key.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\ICQ 4 Lite.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\ICQ 4 Lite.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\WinRAR.v.3.2.and.key.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTO\Winamp 5.0 (en) Crack.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTO\Winamp 5.0 (en) Crack.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\ICQ 4 Lite.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\ICQ 4 Lite.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\ICQ 4 Lite.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\ICQ 4 Lite.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\Web Folders\Winamp 5.0 (en).ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Web Folders\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Web Folders\1033\ICQ 4 Lite.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Web Folders\1033\ICQ 4 Lite.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Common Files\microsoft shared\Web Server Extensions\WinRAR.v.3.2.and.key.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Common Files\microsoft shared\Web Server 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Extensions\WinRAR.v.3.2.and.key. 61 6e 73 66 65 72 5d
ShareReactor.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\Web Server 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Extensions\14\index.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\Common Files\microsoft shared\Web Server 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Extensions\14\index.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\Common Files\microsoft shared\Web Server 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Extensions\14\BIN\index.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\Common Files\microsoft shared\Web Server 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Extensions\14\BIN\index.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\Common Files\microsoft shared\Web Server 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Extensions\14\BIN\1033\Winamp 5.0 (en).com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\Common Files\microsoft shared\Web Server 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Extensions\14\BIN\1033\Winamp 5.0 (en).com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\DVD Maker\Shared\index.ShareReactor.com 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\index.ShareReactor.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\DVD Maker\Shared\DvdStyles\Harry 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Potter.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Shared\DvdStyles\Harry 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Potter.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\BabyBoy\Kazaa Lite.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\DvdStyles\BabyBoy\Kazaa Lite.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\BabyGirl\index.exe 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\DvdStyles\BabyGirl\index.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\FlipPage\WinRAR. 00 04 00 00 00 ff ff 00 ..............................
v.3.2.and.key.ShareReactor.com 00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\DvdStyles\FlipPage\WinRAR. 61 6e 73 66 65 72 5d
v.3.2.and.key.ShareReactor.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\Full\WinRAR.v.3.2.and.key.exe 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\DvdStyles\Full\WinRAR.v.3.2.and.key.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\HueCycle\Kazaa Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\DvdStyles\HueCycle\Kazaa L 61 6e 73 66 65 72 5d
ite.ShareReactor.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\LayeredTitles\Kazaa Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\DvdStyles\LayeredTitles\Kazaa 61 6e 73 66 65 72 5d
Lite.ShareReactor.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\Memories\Harry Potter.exe 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\DvdStyles\Memories\Harry Potter.exe:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\ICQ 4 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\ICQ 4 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Lite.ShareReactor.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\Performance\Winamp 5.0 (en).com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\DvdStyles\Performance\Winamp 5.0 (en).com:Zone.Identifie 61 6e 73 66 65 72 5d
r 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\Pets\WinRAR.v.3.2.and.key.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\DvdStyles\Pets\WinRAR.v.3.2.and.key.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\DVD Maker\Shared\DvdStyles\Push\Winamp 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
5.0 (en) Crack.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Shared\DvdStyles\Push\Winamp 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
5.0 (en) Crack.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\Rectangles\Kazaa Lite.ShareReactor.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\DvdStyles\Rectangles\Kazaa 61 6e 73 66 65 72 5d
Lite.ShareReactor.com:Zone.Identifier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\ResizingPanels\Winamp 5.0 (en).exe 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\DvdStyles\ResizingPanels\Winamp 5.0 (en).exe:Zone.Identi 61 6e 73 66 65 72 5d
fier 0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\Harry 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Potter.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\Harry 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Potter.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\SpecialOccasion\ICQ 4 Lite.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Sha 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
red\DvdStyles\SpecialOccasion\ICQ 4 Lite.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Harry 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
Potter.com 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Harry 0 26 5b 5a 6f 6e 65 54 72 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
Potter.com:Zone.Identifier 61 6e 73 66 65 72 5d
0d 0a 0d 0a 5a 6f 6e
65 49 64 3d 30

C:\Program Files\DVD Maker\Sha 0 39538 4d 5a 90 00 03 00 00 MZ......................@..... success or wait 1 80334D CopyFileA
red\DvdStyles\Stacking\Winamp 5.0 (en).exe 00 04 00 00 00 ff ff 00 ..............................
00 b8 00 00 00 00 00 ............!..L.!This program
00 00 40 00 00 00 00 cannot be run in DOS
00 00 00 00 00 00 00 mode....
00 00 00 00 00 00 00 $.............................
00 00 00 00 00 00 00 ..............................
00 00 00 00 00 00 00 ..............................
00 00 00 e8 00 00 00 ......................PE..L...
0e 1f ba 0e 00 b4 09 ...............
C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\Winamp 5.0 (en).exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\ICQ 4 Lite.exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\ICQ 4 Lite.exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\Kazaa Lite.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\Kazaa Lite.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\Winamp 5.0 (en).ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\Winamp 5.0 (en).ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Google\Update\Download\Kazaa Lite.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Google\Update\Download\Kazaa Lite.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA
C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\WinRAR.v.3.2.and.key.ShareReactor.com 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\WinRAR.v.3.2.and.key.ShareReactor.com:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\60.0.3112.90\Winamp 5.0 (en).exe 0 39538 success or wait 1 80334D CopyFileA
C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\60.0.3112.90\Winamp 5.0 (en).exe:Zone.Identifier 0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30 [ZoneTransfer]....ZoneId=0 success or wait 1 80334D CopyFileA

File Read

Source
File Path Offset Length Completion Count Address Symbol
C:\Windows\lsass.exe unknown 4 success or wait 1 8031B2 ReadFile
C:\Windows\lsass.exe unknown 22 success or wait 1 8031DF ReadFile
C:\Windows\lsass.exe unknown 40 success or wait 3 80323A ReadFile
C:\Windows\lsass.exe unknown 4 success or wait 4636 807D08 ReadFile
C:\Windows\lsass.exe unknown 4 end of file 1 807D08 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\uheknclgts.txt unknown 4096 success or wait 1 80743A fread
C:\Users\HERBBL~1\AppData\Local\Temp\uheknclgts.txt unknown 4096 success or wait 4 807460 fread
C:\Users\HERBBL~1\AppData\Local\Temp\uheknclgts.txt unknown 4096 end of file 1 807460 fread
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\ReadMe.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\ReadMe.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT unknown 65533 end of file 1 804953 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp unknown 4 success or wait 1 8031B2 ReadFile

C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp unknown 22 success or wait 1 8031DF ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp unknown 40 success or wait 3 80323A ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp unknown 4 success or wait 1 8031B2 ReadFile
C:\Program Files\AutoIt3\AutoItX\Examples\C++\_readme.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\AutoIt3\AutoItX\Examples\C++\_readme.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\AutoIt3\AutoItX\Examples\VBscript\_readme.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\AutoIt3\AutoItX\Examples\VBscript\_readme.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\AutoIt3\Examples\Helpfile\Extras\_Excel1.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\AutoIt3\Examples\Helpfile\Extras\_Excel1.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\AutoIt3\Examples\Helpfile\Extras\_Excel2.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\AutoIt3\Examples\Helpfile\Extras\_Excel2.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\AutoIt3\Examples\_ReadMe_.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\AutoIt3\Examples\_ReadMe_.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\AutoIt3\Extras\Editors\Crimson\Manual Install and Notes.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\AutoIt3\Extras\Editors\Crimson\Manual Install and Notes.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\AutoIt3\Extras\Editors\Sublime Text\README.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\AutoIt3\Extras\Editors\Sublime Text\README.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\AutoIt3\Extras\Editors\TextPad\Manual Install and Notes.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\AutoIt3\Extras\Editors\TextPad\Manual Install and Notes.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\AutoIt3\Extras\Editors\_ReadMe_.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\AutoIt3\Extras\Editors\_ReadMe_.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\AutoIt3\Extras\Geshi\autoit.php unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\AutoIt3\Extras\Geshi\autoit.php unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\AutoIt3\Extras\_ReadMe_.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\AutoIt3\Extras\_ReadMe_.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\AutoIt3\Include\_ReadMe_.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\AutoIt3\Include\_ReadMe_.txt unknown 65533 end of file 1 804953 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp unknown 1024 success or wait 39 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp unknown 1024 end of file 1 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp unknown 1024 success or wait 6 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp2125.tmp unknown 1024 end of file 1 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp unknown 1024 success or wait 36 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3361.tmp unknown 1024 end of file 1 806038 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\List.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\List.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txt unknown 65533 success or wait 1 804953 ReadFile

C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_th_en_CA_v2.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_th_en_CA_v2.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\license.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\license.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\README_en_US.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\README_en_US.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Info.plist unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Info.plist unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\excluded.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\excluded.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\added.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\added.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\excluded.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\excluded.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Added.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Added.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Excluded.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Excluded.txt unknown 65533 end of file 1 804953 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp unknown 4 success or wait 1 8031B2 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp unknown 22 success or wait 1 8031DF ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp unknown 40 success or wait 1 80323A ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp unknown 4 success or wait 1 8031B2 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp unknown 22 success or wait 1 8031DF ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp unknown 40 success or wait 2 80323A ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp unknown 4 success or wait 1 8031B2 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp unknown 22 success or wait 1 8031DF ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp unknown 40 success or wait 3 80323A ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp unknown 4 success or wait 1 8031B2 ReadFile

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp unknown 22 success or wait 1 8031DF ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp unknown 40 success or wait 3 80323A ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp unknown 4 success or wait 1 8031B2 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp unknown 22 success or wait 1 8031DF ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp unknown 40 success or wait 3 80323A ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp unknown 1024 success or wait 12 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp unknown 1024 end of file 1 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp unknown 1024 success or wait 6 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp unknown 4 success or wait 1 8031B2 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp unknown 40 success or wait 1 80323A ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp214E.tmp unknown 1024 end of file 1 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp unknown 1024 success or wait 1 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp unknown 4 success or wait 1 8031B2 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E33.tmp unknown 1024 end of file 1 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp unknown 1024 success or wait 23 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp unknown 1024 end of file 1 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp unknown 1024 success or wait 39 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C44.tmp unknown 1024 end of file 1 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp unknown 1024 success or wait 20 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp4FF9.tmp unknown 1024 end of file 1 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp unknown 1024 success or wait 39 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp unknown 1024 end of file 1 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp unknown 1024 success or wait 13 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3C59.tmp unknown 1024 end of file 1 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp unknown 1024 success or wait 39 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp598F.tmp unknown 1024 end of file 1 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp unknown 1024 success or wait 39 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp unknown 1024 end of file 1 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp unknown 1024 success or wait 10 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3F76.tmp unknown 1024 end of file 1 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp unknown 1024 success or wait 40 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp6376.tmp unknown 1024 end of file 1 806038 ReadFile
C:\Program Files\Common Files\microsoft shared\OFFICE14\1033\README.HTM unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\OFFICE14\1033\README.HTM unknown 65533 end of file 1 804953 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp unknown 1024 success or wait 39 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp unknown 1024 end of file 1 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp unknown 1024 success or wait 39 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3E5C.tmp unknown 1024 end of file 1 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp unknown 1024 success or wait 33 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp72F5.tmp unknown 1024 end of file 1 806038 ReadFile
C:\Program Files\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Soft Blue.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Soft Blue.htm unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm unknown 65533 end of file 1 804953 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp unknown 1024 success or wait 39 8052FE ReadFile

C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp unknown 1024 end of file 1 8052FE ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp unknown 1024 success or wait 32 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D0E.tmp unknown 1024 end of file 1 8054A8 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp unknown 1024 success or wait 39 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp86D5.tmp unknown 1024 end of file 1 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp unknown 1024 success or wait 39 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3D2D.tmp unknown 1024 end of file 1 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp unknown 1024 success or wait 39 806038 ReadFile
C:\Users\HERBBL~1\AppData\Local\Temp\tmp3DA6.tmp unknown 1024 end of file 1 806038 ReadFile
C:\Program Files\Java\jre1.8.0_144\bin\client\Xusage.txt unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Java\jre1.8.0_144\bin\client\Xusage.txt unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Java\jre1.8.0_144\COPYRIGHT unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Java\jre1.8.0_144\COPYRIGHT unknown 65533 end of file 1 804953 ReadFile
C:\Program Files\Java\jre1.8.0_144\lib\ext\meta-index unknown 65533 success or wait 1 804953 ReadFile
C:\Program Files\Java\jre1.8.0_144\lib\ext\meta-index unknown 65533 end of file 1 804953 ReadFile

Registry Activities

Source
Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: WerFault.exe PID: 3472 Parent PID: 3348

General

Start time: 12:20:58


Start date: 26/06/2018
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 3348 -s 716
Imagebase: 0x950000
File size: 360448 bytes
MD5 hash: 5FEAB868CAEDBBD1B7A145CA8261E4AA
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Created

Source
File Path Access Attributes Options Completion Count Address Symbol
C:\Users\user\AppData\Local\Temp\WER11DB.tmp read attributes | synchronize | generic read normal synchronous io non alert | non directory file success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml read attributes | synchronize | generic read | generic write normal synchronous io non alert | non directory file success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_1dvwi.exe_cac8ee3a6acf6e3046666fdd7dcba2fbcf302323_0dd71420 read data or list directory | synchronize normal directory file | synchronous io non alert | open for backup ident | open reparse point success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_1dvwi.exe_cac8ee3a6acf6e3046666fdd7dcba2fbcf302323_0dd71420\Report.wer write data or add file | read attributes | synchronize normal synchronous io non alert | non directory file success or wait 1 72087CFA unknown

File Deleted


Source
File Path Completion Count Address Symbol
C:\Users\user\AppData\Local\Temp\WER11DB.tmp success or wait 1 72087CFA unknown
C:\Users\user\AppData\Local\Temp\WER11DB.tmp.WERInternalMetadata.xml success or wait 1 72088048 unknown

File Written

Source
File Path Offset Length Value Ascii Completion Count Address Symbol







Source
File Path Offset Length Completion Count Address Symbol

Registry Activities

Key Created

Source
Key Path Completion Count Address Symbol
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug success or wait 1 720981E4 RegCreateKeyExW

Key Value Created

Source
Key Path Name Type Data Completion Count Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug ExceptionRecord binary 05 00 00 C0 00 00 00 00 00 00 00 00 22 73 4E 77 02 00 00 00 01 00 00 00 4E 32 31 30 7F 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7F 02 00 00 00 00 00 00 FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 7209820A RegSetValueExW

Disassembly

Code Analysis
