Edit tour

Windows Analysis Report
ActivitiesCache.sqlite

Overview

General Information

Sample Name:	ActivitiesCache.sqlite (renamed file extension from db to sqlite, renamed because original name is a hash value)
Original Sample Name:	ActivitiesCache.db
Analysis ID:	1304597
MD5:	ca79add6e3d289a62ca2079634ce9da1
SHA1:	baa22c1dc503e6854cfa76eb2f192d097c208ce3
SHA256:	424c1c7bcf7cc970878c6ec61315f83bc700a93d2e0af988967967a33df2866d

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

OS version to string mapping found (often used in BOTs)

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

OpenWith.exe (PID: 6916 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR40.0902791019568\Quicksilver_MR4\vpn\tools\DART\DARTOffline\WINXP\Win32\Release\DartOffline.pdb source: ActivitiesCache.sqlite
Source:	Binary string: AppVlp.pdb source: ActivitiesCache.sqlite
Source:	Binary string: powershell_ise.pdb94 source: ActivitiesCache.sqlite
Source:	Binary string: a\AgentExecutor.pdb source: ActivitiesCache.sqlite
Source:	Binary string: powershell.pdbUGP source: ActivitiesCache.sqlite
Source:	Binary string: D:\T\BuildResults\bin\Release\AcroRd32Exe.pdb source: ActivitiesCache.sqlite
Source:	Binary string: powershell.pdb source: ActivitiesCache.sqlite
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR40.0902791019568\Quicksilver_MR4\vpn\tools\DART\DARTOffline\WINXP\Win32\Release\DartOffline.pdbHHFGCTL source: ActivitiesCache.sqlite
Source:	Binary string: C:\drone\src\build_output\Win32\Release\csc_ui.pdb source: ActivitiesCache.sqlite
Source:	Binary string: "\AgentExecutor.pdb source: ActivitiesCache.sqlite
Source:	Binary string: AppVlp.pdbGCTL source: ActivitiesCache.sqlite
Source:	Binary string: powershell_ise.pdb source: ActivitiesCache.sqlite

Source: ActivitiesCache.sqlite	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ActivitiesCache.sqlite	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ActivitiesCache.sqlite	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: ActivitiesCache.sqlite	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ActivitiesCache.sqlite	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ActivitiesCache.sqlite	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ActivitiesCache.sqlite	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: ActivitiesCache.sqlite	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ActivitiesCache.sqlite	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ActivitiesCache.sqlite	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: ActivitiesCache.sqlite	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ActivitiesCache.sqlite	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: ActivitiesCache.sqlite	String found in binary or memory: http://ocsp.digicert.com0A
Source: ActivitiesCache.sqlite	String found in binary or memory: http://ocsp.digicert.com0C
Source: ActivitiesCache.sqlite	String found in binary or memory: http://ocsp.digicert.com0N
Source: ActivitiesCache.sqlite	String found in binary or memory: http://ocsp.digicert.com0X
Source: ActivitiesCache.sqlite	String found in binary or memory: http://www.cisco.com0
Source: ActivitiesCache.sqlite	String found in binary or memory: http://www.digicert.com/CPS0
Source: ActivitiesCache.sqlite	String found in binary or memory: https://clients2.google.com/service/update2/crxupdate_urlBrowser
Source: ActivitiesCache.sqlite	String found in binary or memory: https://crbug.com/820996
Source: ActivitiesCache.sqlite	String found in binary or memory: https://crbug.com/820996LaunchElevatedProcessataProtectionIdEnterpriseDataPrADMDialogCopyPasteFixADM
Source: ActivitiesCache.sqlite	String found in binary or memory: https://ims-na1-stg1.adobelogin.com/ims/authorize/v1?https://ims-na1.adobelogin.com/ims/authorize/v1
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/AES
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/BalTerm
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/BalTerm%20Terminal
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/C%2
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/Org
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/Tea
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/pri
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/rea
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Prinsengracht
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Prinsengracht%20An
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Silos.docx
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Silos.docx?web=1
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Metsa
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Metsa%20
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Monthly
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Monthly%
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Network
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Network%
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Providen
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Vessel
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Vessel%20Pro%20For
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/cwiles_report_unas
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec.sharepoint.com/sites/FSSARTeam/Shared
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec.sharepoint.com/sites/lgtops/CargoHandlingMonthlyPerformanceReport/1655
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec.sharepoint.com/sites/lgtops/CargoHandlingMonthlyPerformanceReport/1655%20Balterm/16
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec.sharepoint.com/sites/lgtops/CargoHandlingMonthlyPerformanceReport/1655%20Balterm/AR
Source: ActivitiesCache.sqlite	String found in binary or memory: https://logistec.sharepoint.com/sites/lgtops/CargoHandlingMonthlyPerformanceReport/2022ByCompany.xls
Source: ActivitiesCache.sqlite	String found in binary or memory: https://mail.google.com/
Source: ActivitiesCache.sqlite	String found in binary or memory: https://wns2-ch1p.notify.windows.com/?token=AwYAAADSjAb88iRkUDS2eKDRGw%2fxW1oV4DmPkaRPlR7%2bLwVdteGH
Source: ActivitiesCache.sqlite	String found in binary or memory: https://www.cisco.com/c/en/us/about/legal/cloud-and-software/end_user_license_agreement.htmlhttps://
Source: ActivitiesCache.sqlite	String found in binary or memory: https://www.digicert.com/CPS0
Source: ActivitiesCache.sqlite	String found in binary or memory: https://www.google.com/m8/feedshttps://www.googleapis.com/auth/userinfo.profile
Source: ActivitiesCache.sqlite	String found in binary or memory: https://www.googleapis.com/auth/contacts.readonlyofflineaccess_type2382840d-9c54-438f-af1c-8a8d1a547
Source: ActivitiesCache.sqlite	String found in binary or memory: https://www.googleapis.com/auth/drivehttps://www.googleapis.com/auth/gmail.compose
Source: ActivitiesCache.sqlite	String found in binary or memory: https://www.immunet.com
Source: ActivitiesCache.sqlite	String found in binary or memory: https://www.immunet.comOpen

Source: ActivitiesCache.sqlite	Binary or memory string: OriginalFilenameAgentExecutor.exeF vs ActivitiesCache.sqlite
Source: ActivitiesCache.sqlite	Binary or memory string: OriginalFilenamecsc_ui.exeD vs ActivitiesCache.sqlite
Source: ActivitiesCache.sqlite	Binary or memory string: <br/><i></i><br/><b>00:00:00</b>CDefaultPluginHandler::CDefaultPluginHandlerC:\drone\src\src\Common\Utility\DefaultPluginHandler.cppSkipping interface '%s', File: '%s'.Disposed plugin C++ based interface '%s', File '%s'.CDefaultPluginHandler::~CDefaultPluginHandlerFailed to dispose C++ plugin for interface '%s', File: '%s'.Created Default plugin handler for C++ based interface '%s', File: '%s'.WinVerifyTrustEx\Wintrust.dllCode-signing verification succeeded. File (%s)Time stamp on the file %s is earlier than the kill date.CVerifyFileSignatureWindows::IsValidC:\drone\src\src\Common\Crypt\VerifyFileSignatureWindows.cppFailed to get the time stamp of the file: %s.GetFileVersionInfoWCVerifyFileSignatureWindows::CheckFileNameAndVersionVersion.dllAuthenticodeUtils::GetSignatureInfoWinTrustData is invalid. You must call IsValid first!CVerifyFileSignatureWindows::GetSigInfoCVerifyFileSignatureWindows::CheckFileSignatureEmbedded version %s in file %s does not meet minimum requirement.Embedded original filename in file %s does not match %s.VerQueryValue\StringFileInfo\040904b0\OriginalFilenameGetFileVersionInfoGetFileVersionInfoSizeVerQueryValueWGetFileVersionInfoSizeW/0.0.0.0:messagesLC_MESSAGEScharset=%s/%s/%s/%s.moPOSIXCCTimer::~CTimerC:\drone\src\src\Common\Utility\timer.cppFailed to entry point from wintrust.dllWTHelperProvDataFromStateData\wintrust.dllCertificate trust data was not foundSigner information was not foundCountersignature was not found in the certificateTrust provider certificate was not foundSubject name was not found in the certificateFailed to load wintrust.dllWTHelperGetProvCertFromChainWTHelperGetProvSignerFromChainAuthenticodeUtils::logMsgC:\drone\src\src\Common\Crypt\AuthenticodeUtils.cpp2.5.4.3?\ vs ActivitiesCache.sqlite
Source: ActivitiesCache.sqlite	Binary or memory string: OriginalFilenameDeskConfig.exe vs ActivitiesCache.sqlite
Source: ActivitiesCache.sqlite	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs ActivitiesCache.sqlite
Source: ActivitiesCache.sqlite	Binary or memory string: OriginalFilenameHelp.exe456789012345678901234567890123456789012345678901234567890.exe vs ActivitiesCache.sqlite
Source: ActivitiesCache.sqlite	Binary or memory string: OriginalFilenamepowershell_ise.EXEj% vs ActivitiesCache.sqlite
Source: ActivitiesCache.sqlite	Binary or memory string: TJfile_version_info_win.ccCreateFileVersionInfoWinCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\SetThreadDescriptionUnknown priority.::GetThreadPriority returned g]J vs ActivitiesCache.sqlite
Source: ActivitiesCache.sqlite	Binary or memory string: OriginalFilenameappvlp.exej% vs ActivitiesCache.sqlite
Source: ActivitiesCache.sqlite	Binary or memory string: OriginalFilenamePreferences.exe vs ActivitiesCache.sqlite
Source: ActivitiesCache.sqlite	Binary or memory string: OriginalFilenamedartoffline.exeD vs ActivitiesCache.sqlite
Source: ActivitiesCache.sqlite	Binary or memory string: OriginalFilenamePenTest.exeH vs ActivitiesCache.sqlite

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ActivitiesCache.sqlite	Binary string: B\\?\pipe\NGLWFPipe__INS:(ML;;NW;;;LW)D:P(A;;GA;;;OW)(A;;GA;;;AC)\\?\pipe\\Device\NamedPipe\win\src\named_pipe_policy.ccSameObject check failed: InitializeProcThreadAttributeListUpdateProcThreadAttributewin\src\process_thread_policy.ccCreateProcessWAction: STATUS_ACCESS_DENIEDapp name: command line: NtCreateProcessExntdll.dllNtSuspendProcessNtResumeProcessNtQuerySymbolicLinkObjectNtOpenSymbolicLinkObjectNtClose%d\Sessions\BNOLINKSNtCreateEventNtOpenEventwin\src\signed_policy.ccHandle AccessCheck failed: 8[CD[CP[Cm[Cu[C@ntdll.dllg_interceptionsNtMapViewOfSectionNtUnmapViewOfSectiong_originals
Source: ActivitiesCache.sqlite	Binary string: \??\UNC\\\.\\Device\SftVol\ntdll.dllA:\Device\\\?\/?/UNC/\?\UNC\
Source: ActivitiesCache.sqlite	Binary string: g\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\4202392NtQueryObjectRtlNtStatusToDosErrorRtlCompareUnicodeString\Device\WinDFSCdmRedirectorVolume\Device\HarddiskVolumeDirectoryFileEventSectionKey<>:"\\|?*Software\Policies\Adobe\Acrobat Reader\DC\F
Source: ActivitiesCache.sqlite	Binary string: \\.\ko.%x.%x.%xSoftware\Classes\CLSID\{054AAE20-4BEA-4347-8A35-64A533254A9D}\LocalServer320123456789abcdef\Device\HarddiskVolume:
Source: ActivitiesCache.sqlite	Binary string: sbox_alternate_desktop_local_winstation_\??\\\?\\\?\UNC\\\.\\??\pipe\\??\mailslot\\/?/?\\Device\
Source: ActivitiesCache.sqlite	Binary string: ^tes.ini\Justsystem\Justsystem\\Intuit\Quicken\Log\Intuit\Quicken\Log\qw.log\Enfocus Prefs Folder\Enfocus Prefs Folder\\Adobe\Acrobat\FeatOut\Microsoft\Speech\Adobe\Flash Player\AssetCache\Adobe\Acrobat\DC\SearchEmbdIndexacrord32_super_sbx\device\volume{}\?:?:\HKEY_CURRENT_USER\%sHKEY_CURRENT_USER\%s\HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\PrivilegedHKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\DC\PrivilegedHKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFilesHKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cFavoriteFilesHKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cAdHocFilesHKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\Installer\NotificationAppxSoftware\Adobe\Adobe Acrobat\DC\DiskCabsSoftware\Adobe\Adobe Synchronizer\DCHKEY_CURRENT_USER\Software\Adobe\CommonFiles\UsageSoftware\Adobe\CommonFiles\Usage\AcrobatDCSoftware\Adobe\CommonFiles\Usage\Reader DCHKEY_CURRENT_USER\SOFTWARE\Lotus\Notes\InstallerHKEY_CURRENT_USER\SOFTWARE\Lotus\NotesHKEY_CURRENT_USER\SOFTWARE\Microsoft\SpeechHKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivatePropertiesHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\CacheHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCacheHKEY_CURRENT_USER\SOFTWARE\Adobe\CommonFilesHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_CURRENT_CONFIGSOFTWARE\Justsystem\ATOK\Setup\FolderATFSVR\Acrobat\plug_ins\test_tools\AcroNGLTools\qe-ngl-tool.exe?ihs_IMSC_Imejp.ConfigrationIO_FileView__Satori_PropMgrGlobal_IMJP_FileView__Satori_PropMgrGlobal_IMESatoriKnlDict_MemoryDictionary__IME__CodeDictionarySharedMemory_FileView___IMJPUD_FileMapping_{_IMJP_??_UD_FileMapping__IMJP_?_UD_FileMapping__IMJP_??_UD_ManagementBlock__IMJP_?_UD_ManagementBlock_microsoft_imjpAtlDebugAllocator_FileMappingNameStatic3_windows_shell_global_countersMSCTF.Shared.M
Source: ActivitiesCache.sqlite	Binary string: /qnBROADCASTCEFRELOAD=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qb\/\cef_ CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAcroRd32.exe ADDLOCAL=OptionalFeatures,DistillerCJKNative,DistillerCJKSupport,PaperCaptureOptional,PreFlightPlugin DISABLE_FIU_CHECK=1 TRANSITION_INSTALL_MODE=4 SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithListMRUListMRUListAppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstoreAdobe Reader XIRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\RtlGetVersionntdll.dllAdobe Systems, IncorporatedAdobe Inc.Adobe Systems Incorporated1.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1kernel32IsWow64ProcessSystem\CurrentControlSet\Control\CitrixProductVersionNumSoftware\Adobe\Acrobat\ExeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\System /FixPDF /RegisterFileTypesOwnership /PRODUCT:Reader /VERSION:12.03305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplication
Source: ActivitiesCache.sqlite	Binary string: bIsUserEntitledpolicy_configurator.cppRegistry set for Kaizen Purchase from Browser CommonSoftware\Adobe\Acrobat Reader\DC\FEAT\cFeatDir.ajt.uifProgramW6432\Adobe\Acrobat\Privileged\DC\Microsoft\Crypto\RSA\Arcot\Ids\Microsoft\Outlook.dll.manifest.config.p12.pfx\Adobe\Acrobat\%d.0\Adobe\Color\Microsoft\IME\Microsoft\IMJP\Adobe\Acrobat\DC\Replicate\Security\\Adobe\Acrobat\DC\Security\TEMPTMP\\Temp\JFEAT_temp\Temp\Low\Temp\Adobe\Acrobat\DC.exe.bat.cmd.com.cpl.ocx.pif.scr.scf:$:Zone.Identifier\/?/?\??:\device\volume{}\:\Adobe\Acrobat\DC\Adobe\Linguistics\.ms-ad\Microsoft\RMSLocalStorage\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\Adobe\LogTransport2\Adobe\Headlights\Lotus\Notes\Data\Lotus\Notes\Data\.nbf\Lotus\Notes\Data\names.nsf\Lotus\Notes\Data\JOBSCHED.NJF\Lotus\Notes\Data\cluster.ncf\Lotus\Notes\Data\ticket.idt\Lotus\Notes\Data\*.reg\Lotus\Notes\Data\no

Source: classification engine

Classification label: clean2.winSQLITE@1/0@0/0

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_01

Source: ActivitiesCache.sqlite

Static file information: File size 24514560 > 1048576

Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR40.0902791019568\Quicksilver_MR4\vpn\tools\DART\DARTOffline\WINXP\Win32\Release\DartOffline.pdb source: ActivitiesCache.sqlite
Source:	Binary string: AppVlp.pdb source: ActivitiesCache.sqlite
Source:	Binary string: powershell_ise.pdb94 source: ActivitiesCache.sqlite
Source:	Binary string: a\AgentExecutor.pdb source: ActivitiesCache.sqlite
Source:	Binary string: powershell.pdbUGP source: ActivitiesCache.sqlite
Source:	Binary string: D:\T\BuildResults\bin\Release\AcroRd32Exe.pdb source: ActivitiesCache.sqlite
Source:	Binary string: powershell.pdb source: ActivitiesCache.sqlite
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR40.0902791019568\Quicksilver_MR4\vpn\tools\DART\DARTOffline\WINXP\Win32\Release\DartOffline.pdbHHFGCTL source: ActivitiesCache.sqlite
Source:	Binary string: C:\drone\src\build_output\Win32\Release\csc_ui.pdb source: ActivitiesCache.sqlite
Source:	Binary string: "\AgentExecutor.pdb source: ActivitiesCache.sqlite
Source:	Binary string: AppVlp.pdbGCTL source: ActivitiesCache.sqlite
Source:	Binary string: powershell_ise.pdb source: ActivitiesCache.sqlite

Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: ActivitiesCache.sqlite	Binary or memory string: /qnBROADCASTCEFRELOAD=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qb\/\cef_ CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAcroRd32.exe ADDLOCAL=OptionalFeatures,DistillerCJKNative,DistillerCJKSupport,PaperCaptureOptional,PreFlightPlugin DISABLE_FIU_CHECK=1 TRANSITION_INSTALL_MODE=4 SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithListMRUListMRUListAppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstoreAdobe Reader XIRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\RtlGetVersionntdll.dllAdobe Systems, IncorporatedAdobe Inc.Adobe Systems Incorporated1.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1kernel32IsWow64ProcessSystem\CurrentControlSet\Control\CitrixProductVersionNumSoftware\Adobe\Acrobat\ExeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\System /FixPDF /RegisterFileTypesOwnership /PRODUCT:Reader /VERSION:12.03305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplication
Source: ActivitiesCache.sqlite	Binary or memory string: o unregister plugin: %s, Result: %dFailed to Start plugin: %s, Result: %dPresentation register failed: %dFailed to Start plugin: NAM, Result: %dCMainFrame::refreshloadedModulesUnexpected NULL Module Manager.Unable to stop plugin: %s, Result: %dCMainFrame::relayoutUIAnyConnect UI Disabled.Unable to unregister plugin: NAM, Result %dCMainFrame::loadL2ModuleCMainFrame::unloadOrphanedHiddenModulesCMainFrame::loadHiddenModulesCMainFrame::constructUIFailure occured when attempting to create Statistic Window.CMainFrame::ShutdownThe GUI has been told to shutdown - [%s]CMainFrame::postQuitThe GUI has posted Quit[%s] has reported Plugin_Success to Stop() callUnable to stop plugin: %s[%s] has been told to unregister during shutdown procedure.Unexpected NULL module in the module manager at %uSoftware\Cisco\Cisco Secure Client\ComponentStatus::GetDisplayVersionCMainFrame::GetHiddenModuleInfoShell_TrayWndCMainFrame::SetToastPreferenceRegSetValueExEnableStatusPopupsCMainFrame::unregisterTrayItemsCMainFrame::KillTimerCMainFrame::registerTrayItemsCMainFrame::SetTimerCMainFrame::handleXMLUIRefreshRefresh UI received from plugin : %sCMainFrame::handleXMLApplicationNodesUnknown application node receivedUnexpected Error, invalid popup node valueCMainFrame::handleXMLPopupNotificationUnexpected input XML received for popupRefresh UI complete.

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11712.1001.23.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior

Source: ActivitiesCache.sqlite	Binary or memory string: ?IsOs_WIN_8@@YA_NXZj??1CAppLog@@QAE@XZ
Source: ActivitiesCache.sqlite	Binary or memory string: ?IsOs_WIN_8@@YA_NXZ
Source: ActivitiesCache.sqlite	Binary or memory string: ?IsOs_WIN_7@@YA_NXZ

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Vessel	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Vessel%20Pro%20For	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Monthly	0%	Avira URL Cloud	safe
https://www.immunet.comOpen	0%	Avira URL Cloud	safe
https://logistec.sharepoint.com/sites/lgtops/CargoHandlingMonthlyPerformanceReport/1655%20Balterm/16	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Metsa	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/cwiles_report_unas	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/pri	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Network%	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/rea	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/AES	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Silos.docx	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Monthly%	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Providen	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/Org	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Prinsengracht%20An	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Network	0%	Avira URL Cloud	safe
https://logistec.sharepoint.com/sites/FSSARTeam/Shared	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/BalTerm	0%	Avira URL Cloud	safe
https://logistec.sharepoint.com/sites/lgtops/CargoHandlingMonthlyPerformanceReport/2022ByCompany.xls	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Silos.docx?web=1	0%	Avira URL Cloud	safe
https://crbug.com/820996LaunchElevatedProcessataProtectionIdEnterpriseDataPrADMDialogCopyPasteFixADM	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/C%2	0%	Avira URL Cloud	safe
https://logistec.sharepoint.com/sites/lgtops/CargoHandlingMonthlyPerformanceReport/1655	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Metsa%20	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/Tea	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Prinsengracht	0%	Avira URL Cloud	safe
https://crbug.com/820996	0%	Avira URL Cloud	safe
http://www.cisco.com0	0%	Avira URL Cloud	safe
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/BalTerm%20Terminal	0%	Avira URL Cloud	safe
https://logistec.sharepoint.com/sites/lgtops/CargoHandlingMonthlyPerformanceReport/1655%20Balterm/AR	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/cwiles_report_unas	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/pri	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://www.immunet.comOpen	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://ims-na1-stg1.adobelogin.com/ims/authorize/v1?https://ims-na1.adobelogin.com/ims/authorize/v1	ActivitiesCache.sqlite	false		high
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Monthly	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec.sharepoint.com/sites/lgtops/CargoHandlingMonthlyPerformanceReport/1655%20Balterm/16	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Metsa	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Vessel	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Vessel%20Pro%20For	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://www.cisco.com/c/en/us/about/legal/cloud-and-software/end_user_license_agreement.htmlhttps://	ActivitiesCache.sqlite	false		high
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Network%	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Providen	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://crbug.com/820996	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://mail.google.com/	ActivitiesCache.sqlite	false		high
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/rea	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Prinsengracht%20An	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Network	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://clients2.google.com/service/update2/crxupdate_urlBrowser	ActivitiesCache.sqlite	false		high
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Silos.docx	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/AES	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Monthly%	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec.sharepoint.com/sites/FSSARTeam/Shared	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/Org	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://wns2-ch1p.notify.windows.com/?token=AwYAAADSjAb88iRkUDS2eKDRGw%2fxW1oV4DmPkaRPlR7%2bLwVdteGH	ActivitiesCache.sqlite	false		high
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Silos.docx?web=1	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://www.immunet.com	ActivitiesCache.sqlite	false		high
https://logistec.sharepoint.com/sites/lgtops/CargoHandlingMonthlyPerformanceReport/1655	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
http://www.cisco.com0	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://crbug.com/820996LaunchElevatedProcessataProtectionIdEnterpriseDataPrADMDialogCopyPasteFixADM	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/BalTerm	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/C%2	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/CWiles%20Items/Tea	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec.sharepoint.com/sites/lgtops/CargoHandlingMonthlyPerformanceReport/2022ByCompany.xls	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Tutorials/Metsa%20	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/BalTerm%20Terminal	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec-my.sharepoint.com/personal/cwiles_logistec_com/Documents/Desktop/Prinsengracht	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown
https://logistec.sharepoint.com/sites/lgtops/CargoHandlingMonthlyPerformanceReport/1655%20Balterm/AR	ActivitiesCache.sqlite	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1304597
Start date and time:	2023-09-06 19:07:26 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	ActivitiesCache.sqlite (renamed file extension from db to sqlite, renamed because original name is a hash value)
Original Sample Name:	ActivitiesCache.db
Detection:	CLEAN
Classification:	clean2.winSQLITE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: ActivitiesCache.sqlite

Simulations

Behavior and APIs

Time	Type	Description
19:08:27	API Interceptor	1x Sleep call for process: OpenWith.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	SQLite 3.x database, user version 30, last written using SQLite version 3029000, writer version 2, read version 2, file counter 37, database pages 5985, 1st free page 4728, free pages 5302, cookie 0x19, schema 4, UTF-8, version-valid-for 37
Entropy (8bit):	6.7945392712642505
TrID:	SQLite 3.x database (15015/1) 100.00%
File name:	ActivitiesCache.sqlite
File size:	24'514'560 bytes
MD5:	ca79add6e3d289a62ca2079634ce9da1
SHA1:	baa22c1dc503e6854cfa76eb2f192d097c208ce3
SHA256:	424c1c7bcf7cc970878c6ec61315f83bc700a93d2e0af988967967a33df2866d
SHA512:	8b5cb1a9e9b4f36a46ba9fafb50b7bcd19542115fb221a38de1132809b447cebd723714ebc30582eec40f6f8acd9fa4c6a14acc2e50c9ce3bbbd9a9faba54e71
SSDEEP:	393216:2N4+1QlBaQEx8/Rhcw/yo3Kxjj65OSZPYDenuT+d9u+g3H:2SDExKRFGjjSu0u+g3H
TLSH:	1F377C15B3048BB2E1AFD2708546D576D0B2BCAA4F7163D703E0BE2B3A332D16636957
File Content Preview:	SQLite format 3......@ ...%...a...x...........................................................%..8..................U.9...-.n.....'.I........................................../...C...indexsqlite_autoindex_Metadata_1Metadata......##...tableAppSettingsAppS

File Icon


Icon Hash:	72e2a2a292a2a2b2

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: OpenWith.exePID: 6916, Parent PID: 804

General

Target ID:	0
Start time:	19:08:27
Start date:	06/09/2023
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:	0x7ff617150000
File size:	111'120 bytes
MD5 hash:	D179D03728E95E040A889F760C1FC402
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ActivitiesCache.sqlite

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: OpenWith.exePID: 6916, Parent PID: 804

General

Chronological Activities

Disassembly

Windows Analysis Report
ActivitiesCache.sqlite