Create Interactive Tour

Windows Analysis Report
flashplayer32_0r0_371_win.msi

Overview

General Information

Sample Name:	flashplayer32_0r0_371_win.msi
Analysis ID:	643182
MD5:	6d9f717c8be8c96aebf199387900a43d
SHA1:	78d182369c348cc97a8f47212da4e81733cbe6b3
SHA256:	f5137ad9cb1a3473ab9b4faf42dc3ee125af6ac4e91bb43a4d5361700c9809c0
Infos:

Detection

Score:	39
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Compliance

Score:	62
Range:	0 - 100

Signatures

Creates an undocumented autostart registry key

Drops executables to the windows directory (C:\Windows) and starts them

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Disables exception chain validation (SEHOP)

Queries the volume information (name, serial number etc) of a device

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Creates COM task schedule object (often to register a task for autostart)

Creates files inside the system directory

Changes image file execution options

Found dropped PE file which has not been started or loaded

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Installs a global mouse hook

Contains capabilities to detect virtual machines

Checks for available system drives (often done to infect USB drives)

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Sample searches for specific file, try point organization specific fake files to the analysis machine

Process Tree

System is start

msiexec.exe (PID: 1872 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\alfredo\Desktop\flashplayer32_0r0_371_win.msi" MD5: 2D9F692E71D9985F1C6237F063F6FE76)

svchost.exe (PID: 5800 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 9520A99E77D6196D0D09833146424113)

svchost.exe (PID: 7472 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 9520A99E77D6196D0D09833146424113)

msiexec.exe (PID: 7540 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 2D9F692E71D9985F1C6237F063F6FE76)

msiexec.exe (PID: 7592 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F5743EF0288F47D22A5F9AEE79028C36 C MD5: F9A3EEE1C3A4067702BC9A59BC894285)

msiexec.exe (PID: 7244 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3E52E61A77B35087A1E60CC66F7A1E12 MD5: F9A3EEE1C3A4067702BC9A59BC894285)

InstallPlugin_32_0_0_371.exe (PID: 7744 cmdline: "C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe" -install -msi -prev 0 MD5: 3BEEFDA04F6FDC3EF1F707EC4A5F1697)

InstallFlashPlayer.exe (PID: 8104 cmdline: "C:\Windows\system32\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 2 -au 4294967295 MD5: C1B4125F7589B1DBF687038B7C18B8AD)

cmd.exe (PID: 240 cmdline: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe" >> NUL MD5: 9D59442313565C2E0860B88BF32B2277)

conhost.exe (PID: 236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

FlashPlayerUpdateService.exe (PID: 3960 cmdline: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -install MD5: A5AE53C0188888585AD2B39963CDF1C2)

conhost.exe (PID: 2544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

FlashPlayerUpdateService.exe (PID: 4736 cmdline: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -setNotifyAutoUpdate MD5: A5AE53C0188888585AD2B39963CDF1C2)

conhost.exe (PID: 3196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

cmd.exe (PID: 3792 cmdline: "C:\Windows\system32\cmd.exe" /c del "C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe" >> NUL MD5: 4943BA1A9B41D69643F69685E35B2943)

conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

svchost.exe (PID: 384 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc MD5: 9520A99E77D6196D0D09833146424113)

svchost.exe (PID: 1144 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv MD5: 9520A99E77D6196D0D09833146424113)

svchost.exe (PID: 4016 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: 9520A99E77D6196D0D09833146424113)

WINWORD.EXE (PID: 7028 cmdline: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\alfredo\Desktop\IZMFBFKMEB.docx" /o " MD5: D244700A767CE9846760CA8AA9574EDE)

svchost.exe (PID: 4876 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s lfsvc MD5: 9520A99E77D6196D0D09833146424113)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Spreading
• Software Vulnerabilities
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

Compliance

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 52.109.32.63:443 -> 192.168.2.3:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.113.194.132:443 -> 192.168.2.3:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.109.8.21:443 -> 192.168.2.3:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.109.76.225:443 -> 192.168.2.3:49836 version: TLS 1.2

Creates install or setup log file

Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	File created: C:\Windows\system32\Macromed\Flash\FlashInstall64.log
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Flash\FlashInstall32.log

PE / OLE file has a valid certificate

Source: flashplayer32_0r0_371_win.msi

Static PE information: certificate valid

Spreading

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\svchost.exe	File opened: d:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File opened: C:\Users\alfredo\AppData\Roaming\Macromedia\Flash Player
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File opened: C:\Users\alfredo\AppData
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File opened: C:\Users\alfredo\AppData\Roaming\Macromedia\Flash Player\macromedia.com
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File opened: C:\Users\alfredo\AppData\Roaming
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File opened: C:\Users\alfredo
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File opened: C:\Users\alfredo\AppData\Roaming\Macromedia

Software Vulnerabilities

Source: winword.exe

Memory has grown: Private usage: 8MB later: 65MB

Networking

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.8.21
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.8.21
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.8.21
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132

Source: unknown

DNS traffic detected: queries for: fpdownload2.macromedia.com

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 52.109.32.63:443 -> 192.168.2.3:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.113.194.132:443 -> 192.168.2.3:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.109.8.21:443 -> 192.168.2.3:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.109.76.225:443 -> 192.168.2.3:49836 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe

Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll

System Summary

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe

File deleted: C:\Windows\SysWOW64\Macromed\Temp\{64E637D8-2EC2-49D2-A8B5-1E83E0999DEE}

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\4e2724.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Section loaded: comres.dll
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Section loaded: ws2help.dll
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Section loaded: xpsp2res.dll
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Section loaded: comres.dll
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Section loaded: ws2help.dll
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Section loaded: xpsp2res.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wmi.dll

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\alfredo\Desktop\flashplayer32_0r0_371_win.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F5743EF0288F47D22A5F9AEE79028C36 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3E52E61A77B35087A1E60CC66F7A1E12
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe "C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe" -install -msi -prev 0
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process created: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe "C:\Windows\system32\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 2 -au 4294967295
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F5743EF0288F47D22A5F9AEE79028C36 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3E52E61A77B35087A1E60CC66F7A1E12
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe" >> NUL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -install
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process created: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe "C:\Windows\system32\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 2 -au 4294967295
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -setNotifyAutoUpdate
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe" >> NUL
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe" >> NUL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -install
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -setNotifyAutoUpdate
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe" >> NUL
Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\alfredo\Desktop\IZMFBFKMEB.docx" /o "
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s lfsvc

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe

File created: C:\Users\alfredo\AppData\Roaming\Macromedia

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\alfredo\AppData\Local\Temp\MSIe13ab.LOG

Source: classification engine

Classification label: sus39.evad.winMSI@28/39@1/16

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe

File read: C:\Users\alfredo\Desktop\desktop.ini

Source: flashplayer32_0r0_371_win.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:236:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3196:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:236:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2544:120:WilError_02

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Tries to open an application configuration file (.cfg)

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe

File opened: C:\Windows\SysWOW64\Macromed\Flash\mms.cfg

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office

Submission file is bigger than most known malware samples

Source: flashplayer32_0r0_371_win.msi

Static file information: File size 22441984 > 1048576

PE / OLE file has a valid certificate

Source: flashplayer32_0r0_371_win.msi

Static PE information: certificate valid

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Executable created and started: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Executable created and started: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_32_0_0_371.exe	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	File created: C:\Windows\System32\Macromed\Flash\NPSWF64_32_0_0_371.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\alfredo\AppData\Local\Temp\MSI19B6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3211.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_32_0_0_371.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Temp\{E40C673A-4FA9-4EDE-9B62-FA80A2D296C2}\fpb.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	File created: C:\Windows\System32\Macromed\Temp\{603040FD-9931-427B-A0E4-B96EA821A0D0}\fpb.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Temp\{64E637D8-2EC2-49D2-A8B5-1E83E0999DEE}\fpb.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	File created: C:\Windows\System32\Macromed\Temp\{60ABE48F-A527-4117-9255-320DA411CF9F}\fpb.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\ARPPRODUCTICON.exe	Jump to dropped file

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_32_0_0_371.exe	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	File created: C:\Windows\System32\Macromed\Flash\NPSWF64_32_0_0_371.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3211.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_32_0_0_371.dll	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Temp\{E40C673A-4FA9-4EDE-9B62-FA80A2D296C2}\fpb.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	File created: C:\Windows\System32\Macromed\Temp\{603040FD-9931-427B-A0E4-B96EA821A0D0}\fpb.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Temp\{64E637D8-2EC2-49D2-A8B5-1E83E0999DEE}\fpb.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	File created: C:\Windows\System32\Macromed\Temp\{60ABE48F-A527-4117-9255-320DA411CF9F}\fpb.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\ARPPRODUCTICON.exe	Jump to dropped file

Creates install or setup log file

Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	File created: C:\Windows\system32\Macromed\Flash\FlashInstall64.log
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File created: C:\Windows\SysWOW64\Macromed\Flash\FlashInstall32.log

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_32_0_0_371_Plugin.exe DisableExceptionChainValidation

Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_32_0_0_371_Plugin.exe DisableExceptionChainValidation
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerPlugin_32_0_0_371.exe DisableExceptionChainValidation
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_32_0_0_371_Plugin.exe DisableExceptionChainValidation
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe DisableExceptionChainValidation
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe DisableExceptionChainValidation

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\svchost.exe TID: 4132	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4228	Thread sleep time: -60000s >= -30000s

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_32_0_0_371.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Dropped PE file which has not been started: C:\Windows\System32\Macromed\Flash\NPSWF64_32_0_0_371.dll	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_32_0_0_371.dll	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Macromed\Temp\{E40C673A-4FA9-4EDE-9B62-FA80A2D296C2}\fpb.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Macromed\Temp\{64E637D8-2EC2-49D2-A8B5-1E83E0999DEE}\fpb.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\ARPPRODUCTICON.exe	Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File opened: C:\Users\alfredo\AppData\Roaming\Macromedia\Flash Player
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File opened: C:\Users\alfredo\AppData
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File opened: C:\Users\alfredo\AppData\Roaming\Macromedia\Flash Player\macromedia.com
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File opened: C:\Users\alfredo\AppData\Roaming
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File opened: C:\Users\alfredo
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	File opened: C:\Users\alfredo\AppData\Roaming\Macromedia

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process created: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe "C:\Windows\system32\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 2 -au 4294967295
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe" >> NUL
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe" >> NUL

Language, Device and Operating System Detection

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_32_0_0_371_Plugin.exe DisableExceptionChainValidation
Source: C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe	Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerPlugin_32_0_0_371.exe DisableExceptionChainValidation
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_32_0_0_371_Plugin.exe DisableExceptionChainValidation
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe DisableExceptionChainValidation
Source: C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe DisableExceptionChainValidation

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	121 Masquerading	1 Input Capture	3 Security Software Discovery	1 Replication Through Removable Media	1 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	4 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	4 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	1 Image File Execution Options Injection	1 DLL Side-Loading	11 Process Injection	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Image File Execution Options Injection	1 DLL Side-Loading	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	1 Extra Window Memory Injection	1 File Deletion	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	133 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Source	Detection	Scanner	Link
flashplayer32_0r0_371_win.msi	0%	Virustotal	Browse
flashplayer32_0r0_371_win.msi	0%	Metadefender	Browse
flashplayer32_0r0_371_win.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Users\alfredo\AppData\Local\Temp\MSI19B6.tmp	0%	Virustotal	Browse
C:\Users\alfredo\AppData\Local\Temp\MSI19B6.tmp	3%	Metadefender	Browse
C:\Users\alfredo\AppData\Local\Temp\MSI19B6.tmp	0%	ReversingLabs
C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	0%	Virustotal	Browse
C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	0%	Metadefender	Browse
C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe	0%	ReversingLabs
C:\Windows\Installer\MSI3211.tmp	0%	Virustotal	Browse
C:\Windows\Installer\MSI3211.tmp	3%	Metadefender	Browse
C:\Windows\Installer\MSI3211.tmp	0%	ReversingLabs
C:\Windows\SysWOW64\Macromed\Temp\{64E637D8-2EC2-49D2-A8B5-1E83E0999DEE}\fpb.tmp	0%	Virustotal	Browse
C:\Windows\SysWOW64\Macromed\Temp\{64E637D8-2EC2-49D2-A8B5-1E83E0999DEE}\fpb.tmp	3%	Metadefender	Browse
C:\Windows\SysWOW64\Macromed\Temp\{64E637D8-2EC2-49D2-A8B5-1E83E0999DEE}\fpb.tmp	0%	ReversingLabs
C:\Windows\SysWOW64\Macromed\Temp\{E40C673A-4FA9-4EDE-9B62-FA80A2D296C2}\fpb.tmp	0%	Metadefender	Browse
C:\Windows\SysWOW64\Macromed\Temp\{E40C673A-4FA9-4EDE-9B62-FA80A2D296C2}\fpb.tmp	0%	ReversingLabs
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_32_0_0_371.exe	0%	Metadefender	Browse
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_32_0_0_371.exe	0%	ReversingLabs
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	0%	Metadefender	Browse
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fpdownload2.macromedia.com	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.8.21	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.76.225	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.125.122.176	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.32.63	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.102.28.73	unknown	United States	20940	AKAMAI-ASN1EU	false
20.54.89.106	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
92.123.224.113	unknown	European Union	20940	AKAMAI-ASN1EU	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	643182
Start date and time: 10/06/202210:45:49	2022-06-10 10:45:49 +02:00
Joe Sandbox Product:	CloudBasic
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	flashplayer32_0r0_371_win.msi
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus39.evad.winMSI@28/39@1/16
Cookbook Comments:	Found application associated with file extension: .msi Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 92.123.224.113, 92.123.224.51
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, slscr.update.microsoft.com, nexusrules.officeapps.live.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: C:\Windows\SysWOW64\Macromed\Temp\{E40C673A-4FA9-4EDE-9B62-FA80A2D296C2}\fpb.tmp

Created / dropped Files

C:\Config.Msi\4e2725.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	8705
Entropy (8bit):	5.6082363109954105
Encrypted:	false
SSDEEP:
MD5:	5266944A52E30277BFB906BDE2EEC342
SHA1:	D87004AB31DA6E0AE2DA0981F149F27BF552107F
SHA-256:	49EDCA702A6A01E2A9297B2D734E23E4C5187F0C331FB6665CBAA37FFBDBD9DB
SHA-512:	395813E48365E7F7651E7DACE8D02FFFAE7C5A3F349A7A75FE63FF72FFF3D687C52ABE310B9F6383CB54AFC817F332BD25ECD67C722017485E77153EFB3C658C
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.U.T.@.....@.....@.....@.....@.....@......&.{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}..Adobe Flash Player 32 NPAPI..flashplayer32_0r0_371_win.msi.@.....@... .@.....@......ARPPRODUCTICON.exe..&.{BC930710-1872-4D6D-AE26-DD2283A5EA6B}.....@.....@.....@.....@.......@.....@.....@.......@......Adobe Flash Player 32 NPAPI......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{83F1B8E5-6BB1-4390-9C17-D293F134F0BE}&.{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}.@......&.{6962420C-65FE-4F17-8BAF-8E36FC85EF6F}&.{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}.@........RemoveODBC..Removing ODBC components....CreateFolders..Creating folders..Folder: [1]".#.C:\Windows\SysWOW64\Macromed\Flash\.@..............4.......T...........P......8....\l#mW.wn..d.........P......8....\l#mW.wn..d...T.......(.............P......8....\l#mW.wn..d...(.............P......8....\l#mW.wn..d...........................................

C:\Users\alfredo\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\846D09D5-A4C7-4710-856C-B4179EE105CF

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	149646
Entropy (8bit):	5.356606630147651
Encrypted:	false
SSDEEP:
MD5:	AD40114919ABA95FB779DD06564144C9
SHA1:	312D5500CBA7B641608D4506BEA51F66CD09397E
SHA-256:	BEF143DA633DC398F09C39D250A5872A64740B1523E6066A42B2EF3033A9FCD4
SHA-512:	4B8BC3A8322076F527B392706096D8E963BD145FA82B0D95D9255BEDD337F401C8A8D1D43538B78A6AC1B8D468E13135752344C82E9635A6170FE319C4B7F7DA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-06-10T08:48:16">.. Build: 16.0.15405.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\alfredo\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	336638
Entropy (8bit):	5.161344267352703
Encrypted:	false
SSDEEP:
MD5:	922BA6BFD28E6649D74B4920BFE43796
SHA1:	945DA53A1D1902E15D351BF393BFE1145740E291
SHA-256:	2AE5D9E23FABB5928C2752231147C178121D69C5EAFE60AE48ABF03187A0C970
SHA-512:	0B68D7F1F82E8E0A8ED395BC4458B2939CDE68F544D40FEC41FE8B47505C12199BDAB436E31F6E0DE036E68B28AC8F115EC4963BEDDBAAA9A054F6E87EF283B4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?><Rules xmlns="urn:Rules"><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" DL="A" DCa="PSP PSU" xmlns=""><S><Etw T="1" E="159" G="{02fd33df-f746-4a10-93a0-2bc6273bc8e4}" /><F T="2"><O T="AND"><L><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="37" T="U32" /></R></O></L><R><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="29" T="U32" /></R></O></R></O></F><TI T="3" I="10min" /><A T="4" E="TelemetrySuspend" /><A T="5" E="TelemetryShutdown" /></S><G I="true" R="TriggerOldest"><S T="2"><F N="RuleID" /><F N="RuleVersion" /><F N="Warning" /><F N="Info" /></S></G><C T="U32" I="0" O="false" N="ErrorCount"><C><S T="2" /></C></C><C T="U32" I="1" O="false" N="ErrorRuleId"><S T="2" F="RuleID" /></C><C T="U16" I="2" O="false" N="ErrorRuleVersion"><S T="2" F="RuleVersion" /></C><C T="U8" I="3" O="false" N="WarningInfo"><S T="2"

C:\Users\alfredo\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.843131283301058
Encrypted:	false
SSDEEP:
MD5:	96F8B20DD89279497969C8AE83218E4D
SHA1:	AEAF88F2B31BBCB2FEDE44C7D8218C2341288924
SHA-256:	59C0451C0F7A58EBDCC0307590857230B5894BE35A838725767CC17A2950E354
SHA-512:	69D3DD2923E0F116A787292B123D56E6F656796E9B4BE5127962BB034C51DA0FBA1EAA301F84A91DB80D017A8E45089A259304D8E62F7A3C91AEB5E0B1E56140
Malicious:	false
Reputation:	low
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.I.+.Y.q./.p.8.2.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.P.a.K.U.2.F.

C:\Users\alfredo\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2684
Entropy (8bit):	3.8922327192536583
Encrypted:	false
SSDEEP:
MD5:	1FC3AB7ADA59D1E24BA808C9296B683F
SHA1:	6D9A136C5046A56F438CB6FC40290038FF3E0E4E
SHA-256:	6253CA671E364FBAFD03F53623ABA3C576F84245745C4D291CA84296DD387EAA
SHA-512:	FFD8C5DB50BC6A5172813A72E3CE8477A2B0C305ECE08B8E51C989141CDBD4249A1FFFF3BC9C02FDB2504EDB1171393AF1E17EAAF52092C11D5B08798DF4990F
Malicious:	false
Reputation:	low
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".o.S.a.u.w.8.O.b.2.Q.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.P.a.K.U.2.F.

C:\Users\alfredo\AppData\Local\Microsoft\TokenBroker\Cache\9aad439831564ef9f88438a70a63c87e26ef3852.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	3902
Entropy (8bit):	3.9790991754653953
Encrypted:	false
SSDEEP:
MD5:	856AA15C80154DD18010F71CD16D7F92
SHA1:	53E2476372924636F36CEC8DB56CD2DE84D88D2D
SHA-256:	4E4F9FCE3A5D4EB83B5D7CCA7B4624A87737945099A909D9E912E1CC478AB09E
SHA-512:	F2029BEDCF372CEF750140C3EF496685275A4C0B2E13F6E6361FCA0E0B53CE8FAC79BB49746241736FFA5ACAB6783451D0356845DB0CBF428AE334F1E6DF08DA
Malicious:	false
Reputation:	low
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".m.q.1.D.m.D.F.W.T.v.n.4.h.D.i.n.C.m.P.I.f.i.b.v.O.F.I.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".n.l.8.g.j.f.J.8.2.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.P.a.K.U.2.F.

C:\Users\alfredo\AppData\Local\Temp\MSI19B6.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144784
Entropy (8bit):	6.1924849812440925
Encrypted:	false
SSDEEP:
MD5:	EDB88AFFFFD67BCA3523B41D3E2E4810
SHA1:	0055B93907665FED56D22A7614A581A87D060EAD
SHA-256:	4C3D85E7C49928AF0F43623DCBED474A157EF50AF3CBA40B7FD7AC3FE3DF2F15
SHA-512:	2B9D99C57BFA9AB00D8582D55B18C5BF155A4AC83CF4C92247BE23C35BE818B082B3D6FE38FA905D304D2D8B957F3DB73428DA88E46ACC3A7E3FEE99D05E4DAF
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X...X.v.X.U.X.v.X...X.v.X...X.v.X...X.v.X.v.XAv.X...X.v.X...X.v.X.$.X.v.X...X.v.XRich.v.X................PE..L....;.O...........!.....f..........t........................................p......^...................................E............ .......................0.. ....................................................................................text....d.......f.................. ..`.rdata...].......^...j..............@..@.data....1..........................@....rsrc........ ......................@..@.reloc..<=...0...>..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\alfredo\AppData\Local\Temp\MSIe13ab.LOG

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	266442
Entropy (8bit):	3.795983590041246
Encrypted:	false
SSDEEP:
MD5:	33280AFD6719D63E2ECB84736A1B9DE7
SHA1:	0D8F8B65512C54C9F65C5265EBEB10E8D9EC83C1
SHA-256:	63F44D8AB8183BF45998B3F56B97346B0C4CA55B97B7086BAE303BE142795A81
SHA-512:	638D1679B366C019A647D7C837838B648B4CD6CDB34215A8EE4332FAA39673D4BE10192A45D20583E5E0C73C35C498582CA0E5C1D98A85AA01EA2B152C0F9A29
Malicious:	false
Reputation:	low
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .6./.1.0./.2.0.2.2. . .1.0.:.4.6.:.2.4. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.5.0.:.5.0.). .[.1.0.:.4.6.:.2.4.:.4.1.0.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.5.0.:.5.0.). .[.1.0.:.4.6.:.2.4.:.4.1.0.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.5.0.:.5.0.). .[.1.0.:.4.6.:.2.4.:.5.1.0.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.5.0.:.5.0.). .[.1.0.:.4.6.:.2.4.:.5.1.0.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.

C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21332024
Entropy (8bit):	7.987665766872328
Encrypted:	false
SSDEEP:
MD5:	3BEEFDA04F6FDC3EF1F707EC4A5F1697
SHA1:	D20BE5D93394E2AE0BD0BABB135410BCEA5584AA
SHA-256:	C56EDBA41291449468882954EF1C6389CF58528D44C59FAC0F06A132843BDC91
SHA-512:	193E95263728134854D7E4AECEFEED77B16FC93E8687A164653282FE55BCC9DE50D705A0B5D5D0E3E71EBC24F9281D72FB62D594759CF7A2263C761DB7C69627
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......M......O...O...O..0O...O..2O...O..3O...O...O...O2@.N...O2@.N&..O2@.N...O.fBO...O.fRO...O...O...O.@.N...O.@.N...O.@>O...O..VO...O.@.N...ORich...O................PE..L...KL.^.................2...,A.............P....@...........................E.......E...@..................................u..........P.?..........bE.8....pE.03..."..T............................"..@............P..\|............................text....1.......2.................. ..`.rdata...8...P...:...6..............@..@.data................p..............@....gfids..X...........................@..@.rsrc...P.?.......?.................@..@.reloc..03...pE..4....E.............@..B................................................................................................................................................................................................................................

C:\Users\alfredo\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.1391035334659105
Encrypted:	false
SSDEEP:
MD5:	9DE0F97B6E0F2C2BB1765E14DA1F3FE5
SHA1:	4C3D2ECB08CABFB788DDCC7F357E852C1D656122
SHA-256:	BB77EADD4DD5C40962DC201E9222A448B554E4585AF034B54046E58C21E3D26C
SHA-512:	325D34DDCCD1F1DD1E4143C24BD173870831CB528911A79CBDB6510B4190E6AC2C4EAB484E92EB916B3787C314EE6B37CFC9FD461EA8F3DDB5B596E761C064A2
Malicious:	false
Reputation:	low
Preview:	.alfredo................................................a.l.f.r.e.d.o.....y...@yV!y...@yV!y...+4.>...................._J......vLO.x\......>....,.C.\|..........n..>

C:\Users\alfredo\Desktop\~$MFBFKMEB.docx

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.117438255661424
Encrypted:	false
SSDEEP:
MD5:	1020BB7D48877219B206E9D581E0A570
SHA1:	C599CF6C5796F3B2EF6B4EC786AE2184B1BA29D0
SHA-256:	E9994D5CD1E1CA21161E7520F1F37E9300827B7DA7674EF4900FCA19CD31FED6
SHA-512:	F78E591D3329AB13BBE61B633CF64B8F89C6C9F5715651DCBE22A5B7DCD85E95A62E3664A4922A1A9DB388087AD1A847DD535EB8FAE7FC6CCC90A8E7AAF77F1F
Malicious:	false
Reputation:	low
Preview:	.alfredo................................................a.l.f.r.e.d.o.....y......#y......#y....4.>............................h........+..>...C..D.\|..........n..>

C:\Windows\Installer\4e2724.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Adobe Flash Player, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Adobe Flash Player, Author: Adobe, Security: 1, Number of Pages: 110, Name of Creating Application: InstallShield 2012 Spring - Professional Edition 19, Last Saved Time/Date: Fri Apr 24 15:23:55 2020, Create Time/Date: Fri Apr 24 15:23:55 2020, Last Printed: Fri Apr 24 15:23:55 2020, Revision Number: {BC930710-1872-4D6D-AE26-DD2283A5EA6B}, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	22441984
Entropy (8bit):	7.920368382751601
Encrypted:	false
SSDEEP:
MD5:	6D9F717C8BE8C96AEBF199387900A43D
SHA1:	78D182369C348CC97A8F47212DA4E81733CBE6B3
SHA-256:	F5137AD9CB1A3473AB9B4FAF42DC3EE125AF6AC4E91BB43A4D5361700C9809C0
SHA-512:	1193059DF62AE7C61449EA5803A7609FD08CBC81202915A788848B9660B9D924310036B94409EB5C155007E0885DE1250656D452E16503E70B241C1C2306E292
Malicious:	false
Reputation:	low
Preview:	......................>...................W...............8........6....................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........;...............................................................................................................!... ...+...".......$...%...&...'...(...)...*...-...,.../.......B...0...1...2...3...4...5...6...7...A...M...:...<.......=.......?...........D...C...N...E...F...G...H...I...J...L.......P.......O.......Q...Z...S...T...U...V...W...X...Y...K...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI3211.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	5.284858779986507
Encrypted:	false
SSDEEP:
MD5:	7F4DE4F6195099688425A15002CBD5CE
SHA1:	8591AC4C84DC52E7FD4FCEA169340343673F3BB0
SHA-256:	CCD433AA9CBB4C22E39CA9B39F30C469E55AD42427BDB6E145974F3D2E6260F7
SHA-512:	2BA5AA9893B736DB8D5628D31D8B12756458FBAE564B281192913479BBB788F54D4ADBF80D1FF7CED8E2D8885406AE8223BB15BAB0BBEC0B24E0D0EF6E657E22
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A@.i/..i/..i/......i/......i/......i/......i/..T..i/..i...i/......i/......i/......i/.Rich.i/.........PE..L......Y...........!......................... ...............................`......[G....@..........................&..^...\#..P....@.......................P..T.... ..............................."..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...l....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3722.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	338574
Entropy (8bit):	3.7265407860494277
Encrypted:	false
SSDEEP:
MD5:	83024D415513670F2E3C0E7C3E8E7D14
SHA1:	A89547F6253BAC590B797A9DE3F7254F587E131D
SHA-256:	F7EA7B5102312CF4CC63081886CBD400E80BE9CB5E0CA318775971798FD9E555
SHA-512:	6192ACFFE5356AA06A75DE8206588B34981828382BF2846CA571CE11349033C2646395C68F462C9C7C9CA6D3542749F53C4E09C50893F513DA061CF1C0EA87A8
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.U.T.@.....@.....@.....@.....@.....@......&.{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}..Adobe Flash Player 32 NPAPI..flashplayer32_0r0_371_win.msi.@.....@... .@.....@......ARPPRODUCTICON.exe..&.{BC930710-1872-4D6D-AE26-DD2283A5EA6B}.....@.....@.....@.....@.......@.....@.....@.......@......Adobe Flash Player 32 NPAPI......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{83F1B8E5-6BB1-4390-9C17-D293F134F0BE}#.C:\Windows\SysWOW64\Macromed\Flash\.@.......@.....@.....@......&.{6962420C-65FE-4F17-8BAF-8E36FC85EF6F}g.C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe.@.......@.....@.....@........RemoveODBC..Removing ODBC componentsT....@....T....@........CreateFolders..Creating folders..Folder: [1]".#.C:\Windows\SysWOW64\Macromed\Flash\.@........InstallFiles..Copying new files&.File: [1], Directory

C:\Windows\Installer\SourceHash{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1728096440612408
Encrypted:	false
SSDEEP:
MD5:	8E510B576A032884C2F866E01F1BC82B
SHA1:	11C1166D01F8E0529F139B5CC364ED5C6C90786E
SHA-256:	8E5282CFA5E7C3459FAAD74A7C251A0B156CF8A73DACF21CBFBB9DFFC4F0FC20
SHA-512:	A5E4EB63D83DC5D2570B0E0C822E0DE331A777451450F3B594C178D5A6291993E5030394B9B209A5714B350803CC213DC8BCAEFDDBE45D1DA016BA974EB15924
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6372598382213477
Encrypted:	false
SSDEEP:
MD5:	F69E2BB6CA980B8A00167408A9DDFB45
SHA1:	C88B1633DF479E9D08DE4F45BD9E76BBEAF49C5D
SHA-256:	5769652EEC5A8F8FE778DD9F6AD942A388A8CFC559AA35A0DC6784BDD5B1E80B
SHA-512:	D79AB4E7923960EE9EB51DA5757BD599C37406B1D7749654C3A337BCB595B7C92BF23286A184AAF64EFC2B8122E5626F6009B4E7AAEC8C5491649EB12430C57C
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\ARPPRODUCTICON.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	335872
Entropy (8bit):	3.68499827679356
Encrypted:	false
SSDEEP:
MD5:	A0C5B6FDDBCE271BE2693BA91BCA5945
SHA1:	F05C02DB017B45A0C7CF912716BA3BB5F48F4D91
SHA-256:	FF19F998FD18BBD9909D74A63D2D82C7C4BA8F35F92B4410EAE235230322FE41
SHA-512:	4C5488AF7789248A5445183379D78175EA39F6E3E673DDCCF4240154821E44B05FE5A15EC1232B80F1E5484D828087ECF9F4D0CBAC28B0E6F0EA15561E36B141
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L....P.O.................@...................P....@.......................... ..............................................4T..(.......P............................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...P...........................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	323399
Entropy (8bit):	5.392649291059045
Encrypted:	false
SSDEEP:
MD5:	94B2AE0E884E6FD54A20F3690CF0757B
SHA1:	D08D6E96ADE39D70C65DD24070146FA878C4D912
SHA-256:	DFA0750C2FAD0D80BDBBC0EF65C72717FECEEF9AC6D25EC22205509DA4359110
SHA-512:	2AE86CA2F1E160789416C830D744E32324AED77A8C972983274F1EC7879984F18D5EE1B571B4265B48FBA2DC075A249CB076DDCA6A47B87B6917A31E9811D12A
Malicious:	false
Reputation:	low
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..03/19/2019 06:29:48.034 [4768]: Command line: D:\wd\compilerTemp\BMT.thr2gc0c.r44\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..03/19/2019 06:29:48.065 [4768]: Executing command from offline queue: install "System.IdentityModel.Selectors, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:3..03/19/2019 06:29:48.065 [4768]: Exclusion list entry found for System.IdentityModel.Selectors, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil; it will not be installed..03/19/2019 06:29:48.065 [4768]: Executing command from offline queue: install "System.AddIn.Contract, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil" /NoDependencies /queue:3..03/19/2019 06:29:48.065 [4768]: Exclusion

C:\Windows\SysWOW64\Macromed\Flash\FlashInstall32.log

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3468
Entropy (8bit):	3.6437865061598402
Encrypted:	false
SSDEEP:
MD5:	AF71DFEC13E6761977860307131843B1
SHA1:	56B8DE85593C8753F5EEBD35B9F1D67F4D96E69F
SHA-256:	60B70711EF9EB62247D1208A6C0EEB5DCE0BC14027B9DBC66277108AAD0DAC10
SHA-512:	05F8B96A38E1F3D3518220F5245EF99E72A8659D1B46B0C7E767197A2A3250D8C9C642D1DE2BD58BAB841BB6E43D60557C4A8331AD6C4F1DDA649CF2DA3B21D5
Malicious:	false
Reputation:	low
Preview:	..=.O.=.=.=.=.=.=. .M./.3.2...0...0...3.7.1. .2.0.2.2.-.0.6.-.1.0.+.1.7.-.4.6.-.3.8...9.6.4. .=.=.=.=.=.=.=.=.....0.0.0.0. .[.I.]. .0.0.0.0.0.0.4.4.....0.0.0.1. .[.I.]. .0.0.0.0.0.0.4.5.....0.0.0.2. .[.W.]. .0.0.0.0.1.1.1.3. .C.:.\.U.s.e.r.s.\.a.l.f.r.e.d.o.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.a.c.r.o.m.e.d.i.a.\.F.l.a.s.h. .P.l.a.y.e.r.\.w.w.w...m.a.c.r.o.m.e.d.i.a...c.o.m.\.b.i.n.\.*. .3.....0.0.0.3. .[.I.]. .0.0.0.0.0.0.1.0. .".C.:.\.U.s.e.r.s.\.a.l.f.r.e.d.o.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.{.E.B.A.7.3.E.E.6.-.6.5.8.C.-.4.B.6.F.-.9.A.B.1.-.1.F.E.6.E.5.A.9.7.5.E.A.}.\.I.n.s.t.a.l.l.P.l.u.g.i.n._.3.2._.0._.0._.3.7.1...e.x.e.". .-.i.n.s.t.a.l.l. .-.m.s.i. .-.p.r.e.v. .0.....0.0.0.4. .[.W.]. .0.0.0.0.1.0.3.6. .S.o.f.t.w.a.r.e.\.M.a.c.r.o.m.e.d.i.a.\.F.l.a.s.h.P.l.a.y.e.r.P.l.u.g.i.n./.P.l.a.y.e.r.P.a.t.h. .2.....0.0.0.5. .[.W.]. .0.0.0.0.1.0.3.6. .S.o.f.t.w.a.r.e.\.M.a.c.r.o.m.e.d.i.a.\.F.l.a.s.h.P.l.a.y.e.r.P.l.u.g.i.n./.V.e.r.s.i.o.n. .2.....0.0.0.6. .[.I.]. .0.0.0.0.0.0.1.1. .

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_32_0_0_371.exe

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	3454520
Entropy (8bit):	5.8081170601523535
Encrypted:	false
SSDEEP:
MD5:	1906CD374CBBFF2E6045A943D1BF5A03
SHA1:	F3C8BCD99741BECD9A892B179E91A28E7528BD9D
SHA-256:	13A96739FAC73A669413E6CD21FCE6FB1F2259F5B05E1353B2FB5E2BDB5DAD0B
SHA-512:	5E2915EECB78DD4232C02E803C67F99819AC4DB7EAB8C51F43F65E45BD8090884B0975299FA11C171144698364EDCFD7760C78FAB3E3DF5C9F6304AB90ACFD78
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$...........p...p...p..n.t..p..n.v.tp..n.w..p..?)...p.......p......p.......p.......p.......p.......p...p..r.......p..s...9p..H.z..p...p...p..s....p..Rich.p..........................PE..L...QK.^.........."...........'......c.......0....@...........................5......q5...@.................................\n.......p................4.8....04.0...p...T...................$...........@............0...............................text............................... ..`.rdata..*n...0...p..................@..@.data...............................@....gfids.......P......................@..@.tls.........`......................@....rsrc........p......................@..@.reloc..0....04.......3.............@..B........................................................................................................................................................................

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	335416
Entropy (8bit):	6.545018851836908
Encrypted:	false
SSDEEP:
MD5:	A5AE53C0188888585AD2B39963CDF1C2
SHA1:	171F5BC1625ECAEE652C7BE67AAFE2A1C578775D
SHA-256:	F3927B47713F7595D77EAB3FAE8AFF0B73D5271C5AA12B222B564823D1F4EF1A
SHA-512:	E3398DE5C894D1D060A6F130270E0A7AB443C2EB3838129BB8B798D4933BBE71945A6C6981BA4BC660D1C74FBF5F86A6659653F0911C71A5030F90B524804294
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......dR.. 3.H 3.H 3.H..EH-3.H..GH.3.H..FH=3.H.m.I53.H.m.I.3.H.m.I.3.H)K7H"3.H)K'H/3.H 3.H.3.H.m.I03.H.mKH!3.H 3#H"3.H.m.I!3.HRich 3.H................PE..L...lL.^.................>...........S.......P....@..........................P............@.................................4\|...........:..............8........3...5..p...........................@6..@............P..L............................text....=.......>.................. ..`.rdata..j9...P...:...B..............@..@.data.... ...........\|..............@....gfids..............................@..@.rsrc....:.......:..................@..@.reloc...3.......4..................@..B................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_32_0_0_371.dll

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19937336
Entropy (8bit):	7.065429270341373
Encrypted:	false
SSDEEP:
MD5:	115FC472319126E8B000A4555E529114
SHA1:	857ABC09830F5B78EE7220863A00EA8784D8B064
SHA-256:	7E368E6FF47D9875B678E609DB5F4190688512381717AA554686694F98D39C56
SHA-512:	B6C34C1915D71A4AB6720A1780D0E0E71791A7AF40FC5FACB963E5522DEFCF0FB938A03826ADA60B6E18C87D8A31A4D723FAF39054578CEC4F0F0E5B8B9EAB36
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@.u.......................!......+...U...Q....`......?......?.......?...;...?...&........................................#Yu......{......F.....#Y`.-...........#Yv......................................................Rich............................PE..L....L.^...........!..........h......k.......@...............................0@...../_0...@.........................@1.......=.......@1.@k............0.8.....6.$w.....T...........................(...@............@..H............................text............................... ..`.rodata...... ...................... ..`.rdata..H:<..@...<<.................@..@.data............L...Z..............@....gfids..H.....0....... .............@..@.tls.........01......4!.............@....rsrc...@k...@1..l...6!.............@..@.reloc..$w....6..x....&.............@..B........................................

C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe
File Type:	XPConnect Typelib version 1.2
Category:	dropped
Size (bytes):	856
Entropy (8bit):	4.832169984162254
Encrypted:	false
SSDEEP:
MD5:	A81FD3B03B8C6D6E5A14298110718D3F
SHA1:	2A5EEDF714B4DC1E7281968D5E235737B26D7114
SHA-256:	946C2D7808B0F256E5F6B62655246DC9C247833FB2F578519E4354F91DEB6E1B
SHA-512:	494146BB31CF0E115A6E1C632A8ED5608046F5A8B2BBC900832BEFB07B8F142581483C222067E4405FC2755B5ACF722D576AC04B2B6D9F796E5A872FD5C7DDC9
Malicious:	false
Reputation:	low
Preview:	XPCOM.TypeLib..........X..."...u................F............B..l+..c.....W.............X..Q.........W...8.......OnsISupports.FlashIObject........./...`........evaluate.FlashIScriptablePlugin...........`.........................`.........`.........................................................`...........`.........`....... .........%...............1...........;...........F...........Q...`......._...`.......m.........s.........}...............`...........................`.............`............................................IsPlaying.Play.StopPlay.TotalFrames.CurrentFrame.GotoFrame.Rewind.Back.Forward.Pan.PercentLoaded.FrameLoaded.FlashVersion.Zoom.SetZoomRect.LoadMovie.TGotoFrame.TGotoLabel.TCurrentFrame.TCurrentLabel.TPlay.TStopPlay.SetVariable.GetVariable.TSetProperty.TGetProperty.TGetPropertyAsNumber.TCallLabel.TCallFrame.SetWindow.

C:\Windows\SysWOW64\Macromed\Flash\mms.cfg

Download File

Process:	C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.235989522932167
Encrypted:	false
SSDEEP:
MD5:	01C4AADCE140FC01EB3A4DBDF885D63F
SHA1:	238A72EC957CC8C112FC3A2F828D2058D9EADA83
SHA-256:	3A5FC037A0F98644111352E8805723B6DECA087793A13BD4D2B62DC7FD53753D
SHA-512:	CD257737A5CA9B4A691FDB4A321D533328FE77A13B63C6A38581EAE213EE0777FAC3FAD75EE9349910E2E676767462C35884298B531DBE602A400CF6135BA39B
Malicious:	false
Reputation:	low
Preview:	SilentAutoUpdateEnable=0..AutoUpdateDisable=0..

C:\Windows\SysWOW64\Macromed\Flash\plugin.vch

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe
File Type:	data
Category:	dropped
Size (bytes):	554887
Entropy (8bit):	7.805703536900198
Encrypted:	false
SSDEEP:
MD5:	045CE91E597043D8A7804D260AA4F17C
SHA1:	B96F2BBFECB946FBDCA034ACB2F72A38AA7DC2EA
SHA-256:	05E13BB7C8D0E08498391558D7B4975F67E34B2A2AEEDFA883F4CD1EC2FE08AC
SHA-512:	992ECA5F1ECC1A05C9403873A2E7039D804FAFEC7F76B37F0FDFC6D0493756809BBEA696EB093DCB9F9C89663AF9F00B2FDA39CBAD2CB877DD7859B18E5857A8
Malicious:	false
Reputation:	low
Preview:	0..w....H.........wr0..wm...1.0...`.H.e......0..b....H.........b....b.pfivxV4......4.T..".................................&&............................................D...:....................:...B.......6.......l...x......................................................................................................o..o...o...o...o...o...o...o...o...o.o.o.o.o.o...o...o...o...o...o...o!..o#...$..o$...$...%...'...'...'...'...'..D'..,'..8'..`'.q`)...................................;...;..2=.x>?.l.A.m.B..2D...F...H...I...+...-.../...0...0...1...1...1...1..*1..21...2...2...2._.2..]3..e3..M3..}3...3...4...4...4...4...4...4..<4..D4..S4..{4...4...4...5...5...5...5...5...5..I5..15..c5.AK5..~6...6..x6..6...7...9...9...9.. 9..(9...9..R9...9...9...9...9...[...]..._...a...c...e...g...i...K...M...O...Q...S...U...W...Y...{...}.............................j...l...m...m...m...m...m...m..rm...m..m...n..n...n..Cn../n...n...n..n..o...o...o..bo...o..qo.

C:\Windows\SysWOW64\Macromed\Temp\{64E637D8-2EC2-49D2-A8B5-1E83E0999DEE}\fpb.tmp

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1458232
Entropy (8bit):	7.150595511831703
Encrypted:	false
SSDEEP:
MD5:	9569D2503DACCA6823A2EF7CE6E527C3
SHA1:	6A92163154507A0BFD3B1AFD2E37529612C373F0
SHA-256:	9CB2AD03AF6EE4B74AA9AD748069E26B8B7AC88E797B072396CE3340C115D0B2
SHA-512:	FB5A8283685DD1965FFD5436F9CE5B7EA41D065E4DAE211BBFEDF5852AD53CAA0CFEFC279ED1F00F4FFFCB10061FC25BF808DE4DD4AD9937A89788257CD1FA31
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......M......O...O...O..0O...O..2O...O..3O...O...O...O2@.N...O2@.N&..O2@.N...O.fBO...O.fRO...O...O...O.@.N...O.@.N...O.@>O...O..VO...O.@.N...ORich...O................PE..L...KL.^.................2..................P....@..........................p............@..................................u...........k..........."..8....0..03..."..T............................"..@............P..\|............................text....1.......2.................. ..`.rdata...8...P...:...6..............@..@.data................p..............@....gfids..X...........................@..@.rsrc....k.......l..................@..@.reloc..03...0...4..................@..B................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10623032
Entropy (8bit):	7.955769436487645
Encrypted:	false
SSDEEP:
MD5:	C1B4125F7589B1DBF687038B7C18B8AD
SHA1:	AD9EA878456BA5F5D2DA4F9568FB74B3A8A45195
SHA-256:	C0A2B682B749F50CF741795F443D34CC0598B11A61817AFC2235E5F9A92A98DF
SHA-512:	145D60817663141B93297FE4CC73A6A7CB27FE070BCB63B0B5F726F4E15FB3ACDF1A2A47DB90850561D5BCC7A0B809610B69624BCE8432F77C711E6AFDC73532
Malicious:	true
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......{...?..?..?...ZQ.9...ZS.....ZR.*..6.'.>...fg.;......7.............(..6.#.<..6.3.0..?................&...._.>..?.7.=......>..Rich?..................PE..d....O.^.........."..................^.........@.............................P............`.................................................\........0...........,......8....@......p...T............................................................................text............................... ..`.rdata..............................@..@.data....!..........................@....pdata...,..........................@..@.gfids....... ......................@..@.rsrc........0......................@..@.reloc.......@.....................@..B................................................................................................................................................................

C:\Windows\SysWOW64\Macromed\Temp\{E40C673A-4FA9-4EDE-9B62-FA80A2D296C2}\fpb.tmp

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	590904
Entropy (8bit):	6.239140393381775
Encrypted:	false
SSDEEP:
MD5:	04F66795C8F92BE76CE5EB3990D3EAB9
SHA1:	75AEE0713B147308E3D442E4C53A2ED4A5392951
SHA-256:	B50AB173B4A2E544E89C6BE4F5EB826869E48B7804EB134F72AF842EBCB1DCC6
SHA-512:	85D42B9D5179D02D71043B1A5C1E49C26A22BA5CE8BCA3DB3CB3CE4B9969316DCC92B0D3D2BB9CF452447D79EDD9D5871D91786ED91FF161440520F9A6A810C2
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M\2..=\..=\..=\.....=\....=\.....=\..dY..=\.2c_..=\.2cX..=\..E...=\..E...=\..=].R<\.2cY. =\.cY..=\.c\..=\.c...=\..=...=\.c^..=\.Rich.=\.........PE..L....H.^...........!......................... ............................... .......(....@..........................&..L....&.......p...y..............8.......`...p...T...............................@............ .......!.......................text............................... ..`.rdata..P.... ... ..................@..@.data........@.......&..............@....gfids..T....`.......:..............@..@.rsrc....y...p...z...<..............@..@.reloc..`........0..................@..B........................................................................................................................................................................................................................................

C:\Windows\System32\Macromed\Flash\FlashInstall64.log

Download File

Process:	C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3226
Entropy (8bit):	3.6840353809739987
Encrypted:	false
SSDEEP:
MD5:	B22C540215579129C9709FCD57E5C1E6
SHA1:	1F3708591B5C4EC224FA7D2EFDACDA313C5C85F1
SHA-256:	AE586CC26A56748AA1957FEC4F4C850B01EB3E0EADAF0F50ACCBA2CC3AE42857
SHA-512:	98D6C5CF92C9D7658D4A46A4591E88DD59C5F76343BD004D3E2D0C57F41E2DFAC1B0E9D0C535E9D7AB8D7EFACA7AADBED0272E87E6478E79AE9C3CF66949EF17
Malicious:	false
Reputation:	low
Preview:	..=.O.=.=.=.=.=.=. .M./.3.2...0...0...3.7.1. .2.0.2.2.-.0.6.-.1.0.+.1.7.-.4.6.-.5.2...8.7.5. .=.=.=.=.=.=.=.=.....0.0.0.0. .[.I.]. .0.0.0.0.0.0.4.4.....0.0.0.1. .[.I.]. .0.0.0.0.0.0.4.5.....0.0.0.2. .[.I.]. .0.0.0.0.0.0.4.7. .C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.p.l.u.g.i.n.s.....0.0.0.3. .[.W.]. .0.0.0.0.1.1.1.3. .C.:.\.U.s.e.r.s.\.a.l.f.r.e.d.o.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.a.c.r.o.m.e.d.i.a.\.F.l.a.s.h. .P.l.a.y.e.r.\.w.w.w...m.a.c.r.o.m.e.d.i.a...c.o.m.\.b.i.n.\.*. .3.....0.0.0.4. .[.I.]. .0.0.0.0.0.0.1.0. .".C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.a.c.r.o.m.e.d.\.T.e.m.p.\.{.8.E.E.F.C.7.7.F.-.9.3.3.7.-.4.1.4.B.-.B.7.8.D.-.7.4.9.B.4.7.9.0.8.2.C.0.}.\.I.n.s.t.a.l.l.F.l.a.s.h.P.l.a.y.e.r...e.x.e.". .-.i.n.s.t.a.l.l. .-.s.k.i.p.A.R.P.E.n.t.r.y. .-.i.v. .2. .-.a.u. .4.2.9.4.9.6.7.2.9.5.....0.0.0.5. .[.W.]. .0.0.0.0.1.0.3.6. .S.o.f.t.w.a.r.e.\.M.a.c.r.o.m.e.d.i.a.\.F.l.a.s.h.P.l.a.y.e.r.P.l.u.g.i.n./.P.l.a.y.e.r.P.a.t.h. .2.....0.0.0.6. .[.W.]. .0.0.

C:\Windows\System32\Macromed\Flash\NPSWF64_32_0_0_371.dll

Download File

Process:	C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26879032
Entropy (8bit):	6.667221426028276
Encrypted:	false
SSDEEP:
MD5:	34BF278DA8A0D0CB49806C8ED11B48F9
SHA1:	DADC9D3DA28767C2844DE68F6853328550F23118
SHA-256:	D879DE01FB2DF566246E1C813153E5CF496601A158F7D0510501802523BA33AF
SHA-512:	126293EAF01579BFE1D0E970CCD621188F271007FA5FF4FF97CCC81EA2177BC947781C9DA0DBB089AEF811027385A24839CC075809A0F7B1E83B0731A5F31BD0
Malicious:	false
Reputation:	low
Preview:	MZ......................@...................................p...........!..L.!This program cannot be run in DOS mode....$.........}..l...l...l..J..?l..J...l..J...l...4...l..#...l..`...l...2...l...2...l...2...l...5...l...l...l..W2...l.......l.......l..l2...l....}..l....h..l.......l...l..\n.......l..W2..?n..W2..Ri..W2...l..l2..l...l...l..W2...l..Rich.l..........PE..d....O.^.........." .....l...L......4.........0....................................J.....`.........................................@.s.H.....s.\|......@k...`..........8....@..<....].T...........................0.].................p............................text....d.......f.................. ..`.rodata.0............j.............. ..`.rdata....T.......T..p..............@..@.data...L.#..`s..>...6s.............@....pdata.......`.......t..............@..@.gfids......0.......D..............@..@_RDATA.............................@..@.rsrc...@k......l.................@..@.reloc..<....@.......@..............@..B........

C:\Windows\System32\Macromed\Flash\plugin.vch

Download File

Process:	C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe
File Type:	data
Category:	dropped
Size (bytes):	154159
Entropy (8bit):	5.068221678388439
Encrypted:	false
SSDEEP:
MD5:	EAC7A92975C9CAF595D074F8D1AEBF52
SHA1:	77D86CA5ACB66B0ECD326EDEC371D09FBBA98CA5
SHA-256:	03E407FE3B6DF1D4E316BB0DF5577DF3DA1D2974EBAF015D20D55F35DEC46BA6
SHA-512:	3162E38476836C2AFC3B837D65B8822B0611C939630C70AA20CC3654EBD081A75EF23721EEB1FFE7D350D49AB45195AE11064E391261F75718BF33ECE8A707B6
Malicious:	false
Reputation:	low
Preview:	0..Z...H.........Z.0..Z....1.0...`.H.e......0..EY..*.H.........EI...EDpfivxV4......4.T..................!.................................................................`..._........................................................................................................................................'...%...#...!..................................................................................................._...]...[...Y...g...e...c...a...O...M...K...I...W...U...S...Q...?...=...;...9...G...E...C...A.../...-...+...)...7...5...3...1.......................................................}...{...y...............o...m...k...i...w...u...s...q.......................................................................................................................................'...%...#...!..................................................................................................._...]...[...Y...g...e...c...a...O...M...K...I...W.

C:\Windows\System32\Macromed\Temp\{603040FD-9931-427B-A0E4-B96EA821A0D0}\fpb.tmp

Download File

Process:	C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	675896
Entropy (8bit):	6.0956471507227095
Encrypted:	false
SSDEEP:
MD5:	7B841E712A0C440C0F0484A0E7C2959F
SHA1:	912E1F3A90B04397E891EB02472DE9840AA64214
SHA-256:	4F0A034745D9EC1083E7749DEAAD9AE40CE199BCED82FE35E31940DE83B1AB43
SHA-512:	0B304479B357FE3E14136799DFE525525E5B1F1CD7A6096C18E398E61F0EAEFE9D6037EF0495C9ACD5706CB7BAED883233A79A894A1CE685CD618E85B6DCB7A1
Malicious:	false
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........;...U...U...U.dw....U.dw..\.U.dw....U.5.P...U..V...U..Q...U.....U.....U.....U...T...U..P...U.y.P...U.y.U...U.B.....U......U.y.W...U.Rich..U.........PE..d...;M.^.........." .........p.......B...............................................f....`.........................................0G..H...xG...........y.......;...2..8....p......@...T...................................................PA.......................text...\|........................... ..`.rdata..r...........................@..@.data....+...p.......V..............@....pdata...;.......<...n..............@..@.gfids..............................@..@.rsrc....y.......z..................@..@.reloc.......p.......&..............@..B........................................................................................................................................................................

C:\Windows\System32\Macromed\Temp\{60ABE48F-A527-4117-9255-320DA411CF9F}\fpb.tmp

Download File

Process:	C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1028152
Entropy (8bit):	6.438061481077381
Encrypted:	false
SSDEEP:
MD5:	6BD2F1E84E1272A7C8146FC443650620
SHA1:	9539B8962920639C74EF2F0E1F9FEB67AF40B233
SHA-256:	D16526F075453C1ECF7B044E4340E71112104C4D7584941B13BDCE207E07B3CB
SHA-512:	301AC6CB5FED0884386C7C7FE7359BBE12B5D4FDB7902B9EB4B129F64ACCF052058D80F1F6BFDAD31CC3AE526168840AAC1BD6EB935C2BC4C13B7441D439CCC2
Malicious:	false
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......{...?..?..?...ZQ.9...ZS.....ZR.*..6.'.>...fg.;......7.............(..6.#.<..6.3.0..?................&...._.>..?.7.=......>..Rich?..................PE..d....O.^.........."..................^.........@....................................l.....`.................................................\........0..4........,......8...........p...T............................................................................text............................... ..`.rdata..............................@..@.data....!..........................@....pdata...,..........................@..@.gfids....... ......................@..@.rsrc...4....0......................@..@.reloc..............................@..B................................................................................................................................................................

C:\Windows\Temp\~DF2D8C698AF8347910.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3D985385247BEC28.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07752618719046045
Encrypted:	false
SSDEEP:
MD5:	238B426220DD12D8BFCFBA2645587AB7
SHA1:	44A01CED537B1DE652DC67DEB78C2870401E9497
SHA-256:	41D2CCB3901667327F7BF41BAA61D3048E59B838C1A6F4CA5E9879F6B1A1149A
SHA-512:	3F90F12B04295C29A0CD01F6A2E43FF013BE460316DC61C1897D49E1ED6E412FFA6B8EB7CE8DD228C5B8EAD5E4853018608F0A51D206495B74B1FBE41B71E3DB
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF44AFB115AAC12F23.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.306413478278271
Encrypted:	false
SSDEEP:
MD5:	BABD60BD44E9F9FCB30A1C0B702DEA76
SHA1:	B98AFDF5932EC8EF68C7CBEDD26099D34FE4DCE8
SHA-256:	5FC6FFEE87ECE44AEA4B92A32454402D4D59AEECA4D2EB317BEC7BA5E866060E
SHA-512:	CC11147AD296190862A828317097363FDA6D349E722FFB903BEC896D26583438ECBCBF4BBCED76B2DDA2DFF51433DD8C0733728F95368DAFEC6F926B90F07EE1
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4DE37468B310F53C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.16374191766668744
Encrypted:	false
SSDEEP:
MD5:	F74DB5229D658A7D40600309F5C8496C
SHA1:	77F72104B511D470788FA513D5F5E60C8FAB66EC
SHA-256:	21E90133B639EA6A29F462BAF757387F5D459E89379D3F2C0F77A149D7E79544
SHA-512:	A914DD1A7491D53D347E9A2DC967C8B78895848C5C9392EF71C71729C838687677096E5A31B91AB87D0ABE81BF8A01F520144A6C37ECDCE6BFD2F26C0042DE1E
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	105
Entropy (8bit):	5.239159480793532
Encrypted:	false
SSDEEP:
MD5:	5BEE9DB881710E34012B4943EDE62392
SHA1:	9FB6727C4AAAE0C787224BFD50675F5AC567B848
SHA-256:	D1E5E3AFEFBC1F0E583E00747D4A4C81FA2E2D2736BE890E005DC2287EE08152
SHA-512:	25C1EF42E7F264564E331BB9857EAD3A253901D5FA60B3C436F79C653273B750B03242D498C8017A7FFF95BC94C250E2E78DBE17BE1A7134503D2271FF4D8987
Malicious:	false
Reputation:	low
Preview:	C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe..

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Adobe Flash Player, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Adobe Flash Player, Author: Adobe, Security: 1, Number of Pages: 110, Name of Creating Application: InstallShield 2012 Spring - Professional Edition 19, Last Saved Time/Date: Fri Apr 24 15:23:55 2020, Create Time/Date: Fri Apr 24 15:23:55 2020, Last Printed: Fri Apr 24 15:23:55 2020, Revision Number: {BC930710-1872-4D6D-AE26-DD2283A5EA6B}, Code page: 1252, Template: Intel;1033
Entropy (8bit):	7.920368382751601
TrID:	Microsoft Windows Installer (77509/1) 52.18% Windows SDK Setup Transform Script (63028/2) 42.43% Generic OLE2 / Multistream Compound File (8008/1) 5.39%
File name:	flashplayer32_0r0_371_win.msi
File size:	22441984
MD5:	6d9f717c8be8c96aebf199387900a43d
SHA1:	78d182369c348cc97a8f47212da4e81733cbe6b3
SHA256:	f5137ad9cb1a3473ab9b4faf42dc3ee125af6ac4e91bb43a4d5361700c9809c0
SHA512:	1193059df62ae7c61449ea5803a7609fd08cbc81202915a788848b9660b9d924310036b94409eb5c155007e0885de1250656d452e16503e70b241c1c2306e292
SSDEEP:	393216:WPO1ROabelze7MZd+3KCPaSNSLu2hT2+/XGSGNzPXnajfFZtbr8PNL5o:vZ6zmMZg3Kaa/C2pr/XFeKjtbgPNFo
TLSH:	F3373312A3A99AB2C59278F9415367D907B52F160F3AC1EE5F837E5CDC72A83493C0E4
File Content Preview:	........................>...................W...............8........6.........................................................................................................................................................................................

File Icon


Icon Hash:	a2a0b496b2caca72

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "flashplayer32_0r0_371_win.msi"

Indicators

Has Summary Info:
Application Name:	InstallShield 2012 Spring - Professional Edition 19
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Code Page:	1252
Title:	Adobe Flash Player
Subject:	Adobe Flash Player
Author:	Adobe
Keywords:	Installer,MSI,Database
Comments:	Contact: Your local administrator
Template:	Intel;1033
Last Saved By:	InstallShield
Revion Number:	{BC930710-1872-4D6D-AE26-DD2283A5EA6B}
Last Printed:	2020-04-24 14:23:55
Create Time:	2020-04-24 14:23:55
Last Saved Time:	2020-04-24 14:23:55
Number of Pages:	110
Number of Words:	0
Number of Characters:	0
Creating Application:	InstallShield 2012 Spring - Professional Edition 19
Security:	1

Streams

Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 7752

General
Stream Path:	\x5DigitalSignature
File Type:	data
Stream Size:	7752
Entropy:	7.165135499876155
Base64 Encoded:	True
Data ASCII:	0 . D . . * H . . . . . 5 0 . 1 . . . 1 . 0 . . . ` H . e . . . . . . 0 w . . + . . . . 7 . . . i 0 g 0 2 . . + . . . . 7 . . . 0 $ . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . 0 1 0 . . . ` H . e . . . . . . . . A = . r 3 d x 6 v b " Q t k . } 0 . 0 . . . . . . . . , > . s . 1 e 0 . . . * H . . . . . . 0 l 1 . 0 . . . U . . . . U S 1 . 0 . . . U . . . . D i g i C e r t I n c 1 . 0 . . . U . . . . w w w . d i g i c e r t . c o m 1 + 0 ) . . U . . . " D i g i C e r t E V C o d
Data Raw:	30 82 1e 44 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 1e 35 30 82 1e 31 02 01 01 31 0f 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 30 77 06 0a 2b 06 01 04 01 82 37 02 01 04 a0 69 30 67 30 32 06 0a 2b 06 01 04 01 82 37 02 01 1e 30 24 02 01 02 04 10 f1 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 01 00 02 01 00 02 01 00 02 01 00 02 01 00 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01

Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 32

General
Stream Path:	\x5MsiDigitalSignatureEx
File Type:	data
Stream Size:	32
Entropy:	4.875
Base64 Encoded:	False
Data ASCII:	9 o . . y . i ; . . 2 g 2 z B T k \| d d {
Data Raw:	39 6f 18 c3 14 f3 79 c7 ee dc a5 69 3b 05 0e e1 a7 32 67 32 7a 42 54 6b 7c e6 64 82 d0 64 a6 7b

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 572

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	572
Entropy:	4.520266167160473
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I n s t a l l S h i e l d . . . . . . . . . . . . . . . . . . . A d o b e F l a s h P l a y e r . . . . . . # . . . C o n t a c t :
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 0c 02 00 00 11 00 00 00 10 00 00 00 90 00 00 00 08 00 00 00 98 00 00 00 0f 00 00 00 b0 00 00 00 02 00 00 00 b8 00 00 00 06 00 00 00 d4 00 00 00 05 00 00 00 00 01 00 00 03 00 00 00 20 01 00 00 04 00 00 00 3c 01 00 00 13 00 00 00 4c 01 00 00

Stream Path: \x16653\x16695\x18305\x16678\x18469, File Type: Microsoft Cabinet archive data, 20799165 bytes, 1 file, Stream Size: 20799165

General
Stream Path:	\x16653\x16695\x18305\x16678\x18469
File Type:	Microsoft Cabinet archive data, 20799165 bytes, 1 file
Stream Size:	20799165
Entropy:	7.999985267538299
Base64 Encoded:	True
Data ASCII:	M S C F . . . . ^ = . . . . . , . . . . . . . . . . . . . . . W . . . Y . . . . . . 8 E . . . . . . . P r . I n s t a l l P l u g i n _ 3 2 _ 0 _ 0 _ 3 7 1 . e x e . . . . ; . [ * . p . . " R p 4 . . m . . . e l . - W + u V U . X . . . = . . . . . [ T y + o e . . b i V C e 6 " . p . . @ & g . 9 3 3 . 3 P . + . j J > . & 6 . P - H . T h y # . . . 3 r @ h . L . j X x . . . . M o v w \| . . . U . . . . . s w M j F j . . $ . n E I . E . ` e . $ x G . . . . M Z @ E . $ j r . ' % ^ H H ? ` N . 3 [ ~ D G .
Data Raw:	4d 53 43 46 00 00 00 00 bd 5e 3d 01 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 57 04 00 00 59 00 00 00 8c 02 03 15 38 80 45 01 00 00 00 00 00 00 98 50 f7 72 20 00 49 6e 73 74 61 6c 6c 50 6c 75 67 69 6e 5f 33 32 5f 30 5f 30 5f 33 37 31 2e 65 78 65 00 ff cd 8e 08 00 3b 00 80 5b 80 80 8d 2a 10 70 8b 07 00 22 52 70 34 00 00 6d 00 dd dd ea b6 bb ba d3 a9 b2 65 6c d9 ba

Stream Path: \x16786\x17522\x15038\x15963\x16089\x15192\x15134\x15517\x15884\x18327\x18152\x18472, File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Stream Size: 335872

General
Stream Path:	\x16786\x17522\x15038\x15963\x16089\x15192\x15134\x15517\x15884\x18327\x18152\x18472
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Stream Size:	335872
Entropy:	3.68499827679356
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . L ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . C C C C C D C C C C = C C C C . C C R i c h C . . . . . . . . . . . . . . . . . . . . . . . . P E . . L . . . . P O . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . P . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x15550\x16156\x15694\x16079\x15374\x15230\x15701, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 233352

General
Stream Path:	\x17163\x16689\x18229\x15550\x16156\x15694\x16079\x15374\x15230\x15701
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	233352
Entropy:	6.376064731746281
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . L ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . 2 & q v H " v H " v H " " w H " . " b H " . " . H " Q ^ % " u H " Q ^ 3 " e H " v I " H " . " ' H " . " w H " h " w H " . " w H " R i c h v H " . . . . . . . . P E . . L . . . ; O . . . . . . . . . . ! . . . . . v . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14337, File Type: MS Windows icon resource - 2 icons, 48x48, 32x32, 16 colors, Stream Size: 4534

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14337
File Type:	MS Windows icon resource - 2 icons, 48x48, 32x32, 16 colors
Stream Size:	4534
Entropy:	3.1767536882559897
Base64 Encoded:	True
Data ASCII:	. . . . . . 0 0 . . . . . . . . . & . . . . . . . . . . . . . . . ( . . . 0 . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . " " " . ) ) ) . U U U . M M M . B B B . 9 9 9 . \| . P P . . . . . . . . . 3 . . . f . . . . . . . . 3 . . . 3 3 . . 3 f . . 3 . . 3 . . 3 . . f . . . f 3 . . f f . . f . . f . . f . . . . . 3 . . f . . . . . . . . . . . 3 . . f . . . . . . . . . f . . . . . 3 . . . 3 .
Data Raw:	00 00 01 00 02 00 30 30 00 00 00 00 00 00 a8 0e 00 00 26 00 00 00 20 20 10 00 00 00 00 00 e8 02 00 00 ce 0e 00 00 28 00 00 00 30 00 00 00 60 00 00 00 01 00 08 00 00 00 00 00 80 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 c0 dc c0 00 f0 ca a6 00 04 04 04 00 08 08 08 00 0c 0c

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14338, File Type: PC bitmap, Windows 3.x format, 499 x 58 x 24, Stream Size: 87056

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14338
File Type:	PC bitmap, Windows 3.x format, 499 x 58 x 24
Stream Size:	87056
Entropy:	0.2923954476541252
Base64 Encoded:	True
Data ASCII:	B M . T . . . . . . 6 . . . ( . . . . . . : . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A A D { z } m m o F E I M K N K K N W V Y + * . ~ } . ~ } . U S V : : = f e h T S V 4 3 7 d d g . . . ; : = ` ` c 7 6 : o o q { { ~ 2 1 5 . . . . . @ ? B " " % k k m + ) - . . . j i l 9 7 ; . . . ~ . . . 9 8 ; . . . \\ [ ^ h g j ( ' + S S U p p s 9 7 < . ~ h h j [ Z ] 3 2 5 . U T W 4 4 7 u u w ~ ~ . . . 7 5 8 / . 3 ` _ b \\ [ ^ & % ) W
Data Raw:	42 4d 10 54 01 00 00 00 00 00 36 00 00 00 28 00 00 00 f3 01 00 00 3a 00 00 00 01 00 18 00 00 00 00 00 da 53 01 00 12 0b 00 00 12 0b 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14401, File Type: MS Windows icon resource - 2 icons, 48x48, 32x32, 16 colors, Stream Size: 4534

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14401
File Type:	MS Windows icon resource - 2 icons, 48x48, 32x32, 16 colors
Stream Size:	4534
Entropy:	3.1148190742286737
Base64 Encoded:	True
Data ASCII:	. . . . . . 0 0 . . . . . . . . . & . . . . . . . . . . . . . . . ( . . . 0 . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . " " " . ) ) ) . U U U . M M M . B B B . 9 9 9 . \| . P P . . . . . . . . . 3 . . . f . . . . . . . . 3 . . . 3 3 . . 3 f . . 3 . . 3 . . 3 . . f . . . f 3 . . f f . . f . . f . . f . . . . . 3 . . f . . . . . . . . . . . 3 . . f . . . . . . . . . f . . . . . 3 . . . 3 .
Data Raw:	00 00 01 00 02 00 30 30 00 00 00 00 00 00 a8 0e 00 00 26 00 00 00 20 20 10 00 00 00 00 00 e8 02 00 00 ce 0e 00 00 28 00 00 00 30 00 00 00 60 00 00 00 01 00 08 00 00 00 00 00 80 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 c0 dc c0 00 f0 ca a6 00 04 04 04 00 08 08 08 00 0c 0c

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14465, File Type: MS Windows icon resource - 1 icon, 32x32, Stream Size: 3262

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14465
File Type:	MS Windows icon resource - 1 icon, 32x32
Stream Size:	3262
Entropy:	3.117701905136322
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 20 20 00 00 00 00 00 00 a8 0c 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 18 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14529, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14529
File Type:	MS Windows icon resource - 1 icon, 32x32, 16 colors
Stream Size:	766
Entropy:	2.1284440040927195
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14593, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14593
File Type:	MS Windows icon resource - 1 icon, 32x32, 16 colors
Stream Size:	766
Entropy:	1.955893837713362
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14657, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14657
File Type:	MS Windows icon resource - 1 icon, 32x32, 16 colors
Stream Size:	766
Entropy:	2.0846161653196984
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14721, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14721
File Type:	MS Windows icon resource - 1 icon, 32x32, 16 colors
Stream Size:	766
Entropy:	2.1169840992818076
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14785, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14785
File Type:	MS Windows icon resource - 1 icon, 32x32, 16 colors
Stream Size:	766
Entropy:	2.1789460517046315
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14849, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14849
File Type:	MS Windows icon resource - 1 icon, 32x32, 16 colors
Stream Size:	766
Entropy:	2.3704577028488374
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14913, File Type: PC bitmap, Windows 3.x format, 499 x 312 x 24, Stream Size: 468054

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x14913
File Type:	PC bitmap, Windows 3.x format, 499 x 312 x 24
Stream Size:	468054
Entropy:	0.1478992397910872
Base64 Encoded:	True
Data ASCII:	B M V $ . . . . . . 6 . . . ( . . . . . . 8 . . . . . . . . . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	42 4d 56 24 07 00 00 00 00 00 36 00 00 00 28 00 00 00 f3 01 00 00 38 01 00 00 01 00 18 00 00 00 00 00 20 24 07 00 12 0b 00 00 12 0b 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18433, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 8192

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18433
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	8192
Entropy:	5.284858779986507
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . L ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . A @ i / . i / . i / . . . i / . . . i / . . . i / . . . i / . T . i / . i . . i / . . . i / . . . i / . . . i / . R i c h i / . . . . . . . . . P E . . L . . . . . Y . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18434, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18434
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Stream Size:	318
Entropy:	2.034441580055181
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . ( . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . } . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18435, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18435
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Stream Size:	318
Entropy:	2.0369361465218003
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . ( . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18436, File Type: MS Windows icon resource - 1 icon, 32x32, Stream Size: 3262

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18436
File Type:	MS Windows icon resource - 1 icon, 32x32
Stream Size:	3262
Entropy:	3.3790357046090107
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a 1 I ) I ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) M ) Q ) . . . . . . . . . . . . . . . U 1 k 0 ) c 0 1 c 0 1 c 0 1 c 0 1 c 0 1 c 0 1 c 0 1 c 0 1 Z 0 1 Z 0 1 Z 0 1 Z 0 1 Z 0 1 c 0 1 c 0 1 c 0 1 c 0 1 c 0 1 c 0 1 c 0 1 c 0 1 Z 0 1 c , ) s . . k . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 20 20 00 00 00 00 00 00 a8 0c 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 18 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c6 61 31 ad 49 29 ad 49 29 ad 4d 29 ad 4d 29 ad 4d 29 ad 4d 29 ad 4d 29 ad 4d 29 ad 4d 29 ad 4d 29 ad 4d 29 ad 4d 29 ad 4d 29 ad 4d 29 ad 4d 29 ad 4d 29 ad 4d 29

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18438, File Type: MS Windows icon resource - 2 icons, 48x48, 32x32, 16 colors, Stream Size: 4534

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18438
File Type:	MS Windows icon resource - 2 icons, 48x48, 32x32, 16 colors
Stream Size:	4534
Entropy:	3.1148190742286737
Base64 Encoded:	True
Data ASCII:	. . . . . . 0 0 . . . . . . . . . & . . . . . . . . . . . . . . . ( . . . 0 . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . " " " . ) ) ) . U U U . M M M . B B B . 9 9 9 . \| . P P . . . . . . . . . 3 . . . f . . . . . . . . 3 . . . 3 3 . . 3 f . . 3 . . 3 . . 3 . . f . . . f 3 . . f f . . f . . f . . f . . . . . 3 . . f . . . . . . . . . . . 3 . . f . . . . . . . . . f . . . . . 3 . . . 3 .
Data Raw:	00 00 01 00 02 00 30 30 00 00 00 00 00 00 a8 0e 00 00 26 00 00 00 20 20 10 00 00 00 00 00 e8 02 00 00 ce 0e 00 00 28 00 00 00 30 00 00 00 60 00 00 00 01 00 08 00 00 00 00 00 80 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 c0 dc c0 00 f0 ca a6 00 04 04 04 00 08 08 08 00 0c 0c

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18439, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18439
File Type:	MS Windows icon resource - 1 icon, 32x32, 16 colors
Stream Size:	766
Entropy:	3.981443645892078
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . { . . . . . . . . . f ` . . . . . . . x { p ` . . . . . x { p ` . . . . . . . x x x . ` . . . . . x . ` . . . . . . . w ~ . p ` . . . . . x ~ . ` . . . . . z p ` . . . . . x . ` . . . . . ` w p . . . w x . . p ` . x . . . w p w . ` x . . . w p ` . . .
Data Raw:	00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18440, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18440
File Type:	MS Windows icon resource - 1 icon, 32x32, 16 colors
Stream Size:	766
Entropy:	4.036996195597172
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w w x . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . w . w x . . . . . . . w . v l x . . . . w ~ g g f l x . . . . . ~ v f f w t . . . w ~ g g w w x @ . . . . ~ w \| x @ . . w ~ f . w x @ . . . . ~ f w w x @ . . w ~ . . . w x @ . . . . ~ g w w w x @ . . w v . w D D G x @ . . . . \| G x @ . . w . w w
Data Raw:	00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18441, File Type: MS Windows icon resource - 6 icons, 16x16, 16 colors, 16x16, Stream Size: 10134

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088\x17163\x16689\x18229\x18441
File Type:	MS Windows icon resource - 6 icons, 16x16, 16 colors, 16x16
Stream Size:	10134
Entropy:	4.2562024905008
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . ( . . . f . . . . . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 0 . . . . . . . . . . . . 0 0 . . . . . . h . . . . ! . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . w . . . x . . . . x . . . . { . . . . . } . w . p w w w w . x p . w x r " " / p . . r " " / p . . w r " " / p . . . r " / p . . . r p . . . . p
Data Raw:	00 00 01 00 06 00 10 10 10 00 00 00 00 00 28 01 00 00 66 00 00 00 10 10 00 00 00 00 00 00 68 05 00 00 8e 01 00 00 20 20 10 00 00 00 00 00 e8 02 00 00 f6 06 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 de 09 00 00 30 30 00 00 00 00 00 00 a8 0e 00 00 86 12 00 00 30 30 10 00 00 00 00 00 68 06 00 00 2e 21 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 c0 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x16190\x17896\x17354\x16303\x16950\x17845\x16894\x17391, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 144784

General
Stream Path:	\x17163\x16689\x18229\x16190\x17896\x17354\x16303\x16950\x17845\x16894\x17391
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	144784
Entropy:	6.1924849812440925
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . L ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . . v X v X v X . . X v X U X v X . . X v X X v X X v X v X A v X . . X v X . . X v X $ . X v X . . X v X R i c h v X . . . . . . . . . . . . . . . . P E . . L . . . ; O . . . . . . . . . . ! . . . . . f . . . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 1472

General
Stream Path:	\x18496\x15167\x17394\x17464\x17841
File Type:	data
Stream Size:	1472
Entropy:	5.151606482080109
Base64 Encoded:	False
Data ASCII:	. . . . . . % . % . % . + . + . + . , . , . , . - . - . - . 7 . 7 . 8 . 8 . P . P . P . P . P . P . P . P . T . T . Z . Z . Z . Z . Z . Z . Z . Z . ` . ` . m . m . m . m . m . m . z . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . 5 . 5 . 6 . 6 . 6 . < . < . ? . ? . ? . ? . B . B . B . B . B . Q . Q . Q . Q . Q . Q . . . . . . . . . . . . . . . . . . . . . E . E . E . E . E . E . E . E . E . V . V . V . V . V . h . h . k . k . k . k .
Data Raw:	1f 00 1f 00 1f 00 25 00 25 00 25 00 2b 00 2b 00 2b 00 2c 00 2c 00 2c 00 2d 00 2d 00 2d 00 37 00 37 00 38 00 38 00 50 00 50 00 50 00 50 00 50 00 50 00 50 00 50 00 54 00 54 00 5a 00 5a 00 5a 00 5a 00 5a 00 5a 00 5a 00 5a 00 60 00 60 00 6d 00 6d 00 6d 00 6d 00 6d 00 6d 00 7a 00 7a 00 81 00 81 00 81 00 81 00 94 00 94 00 94 00 9d 00 9d 00 9d 00 9d 00 9d 00 9d 00 9d 00 9d 00 9d 00 9d 00

Stream Path: \x18496\x15518\x16925\x17915, File Type: data, Stream Size: 200

General
Stream Path:	\x18496\x15518\x16925\x17915
File Type:	data
Stream Size:	200
Entropy:	4.372898461313976
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	a2 06 94 09 96 09 98 09 9a 09 9b 09 9d 09 9f 09 a1 09 a3 09 a5 09 a7 09 a9 09 ab 09 ad 09 af 09 b1 09 b3 09 b5 09 b7 09 b9 09 bb 09 bd 09 bf 09 c1 09 c3 09 c5 09 c7 09 c9 09 cb 09 cd 09 cf 09 d1 09 d3 09 d5 09 d7 09 d9 09 db 09 dd 09 df 09 e1 09 e3 09 e5 09 e7 09 e9 09 eb 09 ed 09 ef 09 f1 09 f3 09 72 0b 94 09 96 09 98 09 9a 09 00 00 99 09 9c 09 9e 09 a0 09 a2 09 a4 09 a6 09 a8 09

Stream Path: \x18496\x16146\x17548\x17648\x17522\x17512\x15287\x17915\x17512\x16935\x18471, File Type: data, Stream Size: 20

General
Stream Path:	\x18496\x16146\x17548\x17648\x17522\x17512\x15287\x17915\x17512\x16935\x18471
File Type:	data
Stream Size:	20
Entropy:	1.9709505944546686
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . p . q .
Data Raw:	06 05 07 05 00 00 00 00 00 00 00 00 00 00 00 00 70 09 71 09

Stream Path: \x18496\x16146\x17932\x17910\x17458\x16778\x17207\x17522\x16923\x16937\x16949\x16817\x18472, File Type: PGP\011Secret Key -, Stream Size: 42

General
Stream Path:	\x18496\x16146\x17932\x17910\x17458\x16778\x17207\x17522\x16923\x16937\x16949\x16817\x18472
File Type:	PGP\011Secret Key -
Stream Size:	42
Entropy:	3.291011627813737
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . .
Data Raw:	95 04 9c 04 ab 04 ad 04 ae 04 97 06 9a 06 91 04 f6 09 f7 09 f8 09 f9 09 93 04 92 04 96 04 96 04 96 04 96 04 96 04 96 04 96 04

Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with CRLF line terminators, Stream Size: 91015

General
Stream Path:	\x18496\x16191\x17783\x17516\x15210\x17892\x18468
File Type:	ASCII text, with very long lines, with CRLF line terminators
Stream Size:	91015
Entropy:	5.106802750590044
Base64 Encoded:	True
Data ASCII:	N a m e T a b l e T y p e N u m b e r t h a t d e t e r m i n e s t h e s o r t o r d e r i n w h i c h t h e a c t i o n s a r e t o b e e x e c u t e d . L e a v e b l a n k t o s u p p r e s s a c t i o n . P r i m a r y k e y u s e d t o i d e n t i f y a p a r t i c u l a r f e a t u r e r e c o r d . U p p e r C a s e L i s t o f d e c i m a l l a n g u a g e I d s , c o m m a - s e p a r a t e d i f m o r e t h a n o n e . Y D e
Data Raw:	4e 61 6d 65 54 61 62 6c 65 54 79 70 65 4e 75 6d 62 65 72 20 74 68 61 74 20 64 65 74 65 72 6d 69 6e 65 73 20 74 68 65 20 73 6f 72 74 20 6f 72 64 65 72 20 69 6e 20 77 68 69 63 68 20 74 68 65 20 61 63 74 69 6f 6e 73 20 61 72 65 20 74 6f 20 62 65 20 65 78 65 63 75 74 65 64 2e 20 20 4c 65 61 76 65 20 62 6c 61 6e 6b 20 74 6f 20 73 75 70 70 72 65 73 73 20 61 63 74 69 6f 6e 2e 50 72 69 6d

Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 11728

General
Stream Path:	\x18496\x16191\x17783\x17516\x15978\x17586\x18479
File Type:	data
Stream Size:	11728
Entropy:	2.5457677359164235
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . o . . . . . . . 9 . . . . . . . ? . . . . . . . . . X . . . . . 0 . . . ( . . . 5 . . . . . . > . . . / . . . . . . . ( . . . . . . A . . . . . . . * . . . . . . . . . . . . . . . . . . . 9 . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ; . . . . . . . : . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	e4 04 00 00 04 00 07 00 05 00 02 00 00 00 00 00 04 00 06 00 6f 00 06 00 00 00 00 00 39 00 01 00 09 00 02 00 3f 00 01 00 00 00 00 00 01 00 58 00 0b 00 0a 00 30 00 01 00 28 00 01 00 35 00 01 00 9e 00 01 00 3e 00 01 00 2f 00 01 00 18 00 01 00 28 00 01 00 04 00 d9 00 41 00 01 00 00 00 00 00 2a 00 01 00 00 00 00 00 00 00 00 00 1c 00 01 00 00 00 00 00 39 00 01 00 25 00 01 00 0a 00 0d 00

Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 80

General
Stream Path:	\x18496\x16255\x16740\x16943\x18486
File Type:	data
Stream Size:	80
Entropy:	4.411042514729587
Base64 Encoded:	False
Data ASCII:	. . % . + . , . - . 7 . 8 . P . T . Z . ` . m . z . . . . . . . . . . . . . 5 . 6 . < . ? . B . Q . . . . E . V . h . k . { . . . $ .
Data Raw:	1f 00 25 00 2b 00 2c 00 2d 00 37 00 38 00 50 00 54 00 5a 00 60 00 6d 00 7a 00 81 00 94 00 9d 00 a2 00 a7 00 ae 00 b5 00 b8 00 eb 00 ef 00 07 01 35 01 36 01 3c 01 3f 01 42 01 51 01 c9 01 e6 01 f7 01 45 02 56 02 68 02 6b 02 7b 02 1f 03 24 03

Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 4536

General
Stream Path:	\x18496\x16383\x17380\x16876\x17892\x17580\x18481
File Type:	data
Stream Size:	4536
Entropy:	2.9314463823738897
Base64 Encoded:	False
Data ASCII:	. . . . . . % . % . % . + . + . + . , . , . , . - . - . - . 7 . 7 . 8 . 8 . P . P . P . P . P . P . P . P . T . T . Z . Z . Z . Z . Z . Z . Z . Z . ` . ` . m . m . m . m . m . m . z . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . 5 . 5 . 6 . 6 . 6 . < . < . ? . ? . ? . ? . B . B . B . B . B . Q . Q . Q . Q . Q . Q . . . . . . . . . . . . . . . . . . . . . . . . ; . ; . E . E . E . E . E . E . E . E . E . V . V . V . V . V . h . h . k
Data Raw:	1f 00 1f 00 1f 00 25 00 25 00 25 00 2b 00 2b 00 2b 00 2c 00 2c 00 2c 00 2d 00 2d 00 2d 00 37 00 37 00 38 00 38 00 50 00 50 00 50 00 50 00 50 00 50 00 50 00 50 00 54 00 54 00 5a 00 5a 00 5a 00 5a 00 5a 00 5a 00 5a 00 5a 00 60 00 60 00 6d 00 6d 00 6d 00 6d 00 6d 00 6d 00 7a 00 7a 00 81 00 81 00 81 00 81 00 94 00 94 00 94 00 9d 00 9d 00 9d 00 9d 00 9d 00 9d 00 9d 00 9d 00 9d 00 9d 00

Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481, File Type: ASCII text, with no line terminators, Stream Size: 8

General
Stream Path:	\x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481
File Type:	ASCII text, with no line terminators
Stream Size:	8
Entropy:	2.0
Base64 Encoded:	False
Data ASCII:	s . u . e . r .
Data Raw:	73 09 75 09 65 09 72 09

Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481, File Type: data, Stream Size: 216

General
Stream Path:	\x18496\x16667\x17191\x15090\x17912\x17591\x18481
File Type:	data
Stream Size:	216
Entropy:	4.375332669309178
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . i . . . . . p . . n . . . . . . . . . . . . . . . . . . . . . . i . . . . . < " " ' ' " " K B G G . . . . . . . . . . . . . . t . g . h . b . f . o . p . l . m . j . k . q . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	99 05 99 05 9b 05 9b 05 9d 05 9d 05 9f 05 9f 05 a2 05 a2 05 a5 05 a5 05 01 80 02 80 01 80 02 80 02 80 03 80 01 80 02 80 01 80 02 80 01 80 02 80 98 05 69 0b 9a 05 1d 06 cb 06 70 02 9e 05 6e 0b 95 05 96 05 a3 05 ab 06 01 80 01 80 00 80 00 80 00 80 00 80 06 80 06 80 00 80 00 80 00 80 00 80 07 80 17 80 0f 80 00 80 19 80 69 80 09 80 15 80 00 80 0e 80 00 80 3c 80 22 81 22 81 27 81 27 81

Stream Path: \x18496\x16778\x17207\x17522\x16925\x17915, File Type: data, Stream Size: 420

General
Stream Path:	\x18496\x16778\x17207\x17522\x16925\x17915
File Type:	data
Stream Size:	420
Entropy:	4.9085519454293784
Base64 Encoded:	False
Data ASCII:	7 . X . _ . E . F . G . H . I . J . V . W . X . Y . Z . [ . \\ . ] . ^ . a . c . e . f . h . i . j . k . l . m . n . o . q . r . s . t . u . v . w . x . y . z . { . \| . } . ~ . . . . . . . . . . . . . . . . . . . . % . - . Y . e . h . t . z . . . s . . . . . . . . . . . . & . ( . 0 . . . 9 . ; . = . ? . C . G . K . M . . . . . . . . . ! . * . . . 1 . 2 . 4 . 6 . . . > . A . E . I . O . Q . S . U . Z . \\ . ^ . _ . a . i . k . m . n . p . u . w . { . } . . . . . . Q . . . . . . # . + . W . c . f . r . y . .
Data Raw:	37 00 58 00 5f 00 45 04 46 04 47 04 48 04 49 04 4a 04 56 04 57 04 58 04 59 04 5a 04 5b 04 5c 04 5d 04 5e 04 61 04 63 04 65 04 66 04 68 04 69 04 6a 04 6b 04 6c 04 6d 04 6e 04 6f 04 71 04 72 04 73 04 74 04 75 04 76 04 77 04 78 04 79 04 7a 04 7b 04 7c 04 7d 04 7e 04 7f 04 80 04 81 04 82 04 83 04 84 04 85 04 86 04 87 04 88 04 89 04 8a 04 8b 04 8c 04 8d 04 8e 04 0e 05 25 05 2d 05 59 05

Stream Path: \x18496\x16786\x17522, File Type: data, Stream Size: 4

General
Stream Path:	\x18496\x16786\x17522
File Type:	data
Stream Size:	4
Entropy:	2.0
Base64 Encoded:	False
Data ASCII:	. . .
Data Raw:	ae 05 01 00

Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 54

General
Stream Path:	\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	54
Entropy:	3.7413864659930893
Base64 Encoded:	False
Data ASCII:	E . F . G . H . I . J . K . L . N . . . . . . . . . . . . . . . . . M . < x . .
Data Raw:	45 04 46 04 47 04 48 04 49 04 4a 04 4b 04 4c 04 4e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4d 04 e8 83 20 83 84 83 3c 8f a0 8f 78 85 c8 99 dc 85 aa 8f

Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 60

General
Stream Path:	\x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	60
Entropy:	3.6398510818881653
Base64 Encoded:	False
Data ASCII:	E . F . G . O . P . Q . R . S . T . U . . . . . . . . . . . . . . . . . . . . . . . . 2 .
Data Raw:	45 04 46 04 47 04 4f 04 50 04 51 04 52 04 53 04 54 04 55 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 84 83 f2 83 14 85 fd 7f ff 7f 32 80 fe 7f fc 83

Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 96

General
Stream Path:	\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	96
Entropy:	4.037288241058909
Base64 Encoded:	False
Data ASCII:	E . F . J . K . L . N . V . W . X . Y . Z . [ . \\ . ] . ^ . _ . . . . . . . . . . . M . . . . . . . . . . . . . . . . . . . . . x . . . 8 . \\ $ . j
Data Raw:	45 04 46 04 4a 04 4b 04 4c 04 4e 04 56 04 57 04 58 04 59 04 5a 04 5b 04 5c 04 5d 04 5e 04 5f 04 00 00 00 00 00 00 00 00 00 00 4d 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 78 85 c8 99 dc 85 0a 99 94 91 38 98 9c 98 00 99 f8 91 5c 92 24 93 c0 92 2e 93 6a 98

Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 8

General
Stream Path:	\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
File Type:	data
Stream Size:	8
Entropy:	1.061278124459133
Base64 Encoded:	False
Data ASCII:	. . . . . . . .
Data Raw:	05 05 05 05 06 05 07 05

Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 16

General
Stream Path:	\x18496\x16911\x17892\x17784\x18472
File Type:	data
Stream Size:	16
Entropy:	2.811278124459133
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . .
Data Raw:	05 05 00 00 24 06 04 05 04 80 01 80 cc 04 00 80

Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 12

General
Stream Path:	\x18496\x16918\x17191\x18468
File Type:	MIPSEB Ucode
Stream Size:	12
Entropy:	2.918295834054489
Base64 Encoded:	False
Data ASCII:	. . . a . d . . .
Data Raw:	01 80 01 80 96 05 61 0b 64 0b 00 00

Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778, File Type: data, Stream Size: 10

General
Stream Path:	\x18496\x16923\x15722\x16818\x17892\x17778
File Type:	data
Stream Size:	10
Entropy:	2.9219280948873623
Base64 Encoded:	False
Data ASCII:	. . v . . . .
Data Raw:	93 05 02 80 76 09 14 01 02 80

Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472, File Type: COM executable for DOS, Stream Size: 264

General
Stream Path:	\x18496\x16925\x17915\x17884\x17404\x18472
File Type:	COM executable for DOS
Stream Size:	264
Entropy:	3.163185542199153
Base64 Encoded:	False
Data ASCII:	. y . z . { . \| . ~ . . . . . . . . . . . . . . . . . . w . x . x . x . x . } . } . . . w . w . . . w . w . w . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	b8 05 79 09 7a 09 7b 09 7c 09 7e 09 7f 09 81 09 83 09 84 09 85 09 86 09 87 09 88 09 89 09 8a 09 8b 09 8d 09 8e 09 8f 09 90 09 91 09 77 09 78 09 78 09 78 09 78 09 7d 09 7d 09 80 09 82 09 77 09 77 09 82 09 82 09 77 09 77 09 77 09 77 09 8c 09 8c 09 8c 09 8c 09 8c 09 08 80 08 80 09 80 0a 80 0a 80 08 80 09 80 09 80 08 80 08 80 08 80 08 80 09 80 0a 80 09 80 0a 80 08 80 08 80 09 80 0c 80

Stream Path: \x18496\x17100\x16808\x15086\x18162, File Type: PGP\011Secret Sub-key -, Stream Size: 12

General
Stream Path:	\x18496\x17100\x16808\x15086\x18162
File Type:	PGP\011Secret Sub-key -
Stream Size:	12
Entropy:	2.751629167387823
Base64 Encoded:	False
Data ASCII:	. . . . . . . . .
Data Raw:	97 05 9b 06 0e 0b 96 05 00 00 00 00

Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 84

General
Stream Path:	\x18496\x17163\x16689\x18229
File Type:	data
Stream Size:	84
Entropy:	3.09807935569469
Base64 Encoded:	False
Data ASCII:	) . * . + . , . - . . . / . 0 . 1 . 2 . 3 . 4 . 5 . 6 . 7 . 8 . 9 . : . ; . < . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	29 06 2a 06 2b 06 2c 06 2d 06 2e 06 2f 06 30 06 31 06 32 06 33 06 34 06 35 06 36 06 37 06 38 06 39 06 3a 06 3b 06 3c 06 3d 06 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00

Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 72

General
Stream Path:	\x18496\x17165\x16949\x17894\x17778\x18492
File Type:	data
Stream Size:	72
Entropy:	3.4202752661207008
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	b2 04 b3 04 bf 04 c3 04 c4 04 cc 04 ce 04 d0 04 d9 04 f3 04 f7 04 02 05 00 00 b2 04 b2 04 d9 04 c3 04 c4 04 bf 04 ce 04 b2 04 b2 04 b2 04 f3 04 f1 04 b1 04 be 04 d8 04 c2 04 cb 04 cd 04 cf 04 f0 04 f2 04 f6 04 01 05

Stream Path: \x18496\x17165\x17380\x17074, File Type: data, Stream Size: 704

General
Stream Path:	\x18496\x17165\x17380\x17074
File Type:	data
Stream Size:	704
Entropy:	4.233943964025122
Base64 Encoded:	True
Data ASCII:	O . Q . R . S . T . U . . . . . . . i . n . z . } . . . . . . . . . . . . . . . . . 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 . 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 v v v v v v v v v v v . v v v v v . v v v v v v v v v v v v v . . . . . . . . . . . . n . . . . . U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	4f 04 51 04 52 04 53 04 54 04 55 04 a3 04 a5 04 a7 04 a9 04 a4 05 c2 05 69 06 6e 06 7a 06 7d 06 83 06 8c 06 8e 06 9d 06 a7 06 a9 06 aa 06 ad 06 af 06 b5 06 b8 06 b9 06 c0 06 c4 06 d1 06 df 06 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., `C:\dbg\ntsd.exe -g notepad.exe` ).
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report flashplayer32_0r0_371_win.msi

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Config.Msi\4e2725.rbs

C:\Users\alfredo\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\846D09D5-A4C7-4710-856C-B4179EE105CF

C:\Users\alfredo\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

C:\Users\alfredo\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\alfredo\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

C:\Users\alfredo\AppData\Local\Microsoft\TokenBroker\Cache\9aad439831564ef9f88438a70a63c87e26ef3852.tbres

C:\Users\alfredo\AppData\Local\Temp\MSI19B6.tmp

C:\Users\alfredo\AppData\Local\Temp\MSIe13ab.LOG

C:\Users\alfredo\AppData\Local\Temp\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\InstallPlugin_32_0_0_371.exe

C:\Users\alfredo\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\alfredo\Desktop\~$MFBFKMEB.docx

C:\Windows\Installer\4e2724.msi

C:\Windows\Installer\MSI3211.tmp

C:\Windows\Installer\MSI3722.tmp

C:\Windows\Installer\SourceHash{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Installer\{EBA73EE6-658C-4B6F-9AB1-1FE6E5A975EA}\ARPPRODUCTICON.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\SysWOW64\Macromed\Flash\FlashInstall32.log

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_32_0_0_371.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_32_0_0_371.dll

C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt

C:\Windows\SysWOW64\Macromed\Flash\mms.cfg

C:\Windows\SysWOW64\Macromed\Flash\plugin.vch

C:\Windows\SysWOW64\Macromed\Temp\{64E637D8-2EC2-49D2-A8B5-1E83E0999DEE}\fpb.tmp

C:\Windows\SysWOW64\Macromed\Temp\{8EEFC77F-9337-414B-B78D-749B479082C0}\InstallFlashPlayer.exe

C:\Windows\SysWOW64\Macromed\Temp\{E40C673A-4FA9-4EDE-9B62-FA80A2D296C2}\fpb.tmp

C:\Windows\System32\Macromed\Flash\FlashInstall64.log

C:\Windows\System32\Macromed\Flash\NPSWF64_32_0_0_371.dll

Windows Analysis Report
flashplayer32_0r0_371_win.msi

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre